ITL Monitor: Compositional Runtime Analysis with Interval Temporal Logic by Smallwood, David
ITL Monitor: Compositional Runtime Analysis
with Interval Temporal Logic
David Smallwood
This thesis is submitted in partial fulfilment of the
requirements for the degree of Doctor of Philosophy,
awarded by De Montfort University.
May 2019
To Mary Hunt
Abstract
Runtime verification has gained significant interest in recent years. It is a process in which
the execution trace of a program is analysed while it is running. A popular language for
specifying temporal requirements for runtime verification is Linear Temporal Logic (LTL),
which is excellent for expressing properties such as safety and liveness.
Another formalism that is used is Interval Temporal Logic (ITL). This logic has constructs
for specifying the behaviour of programs that can be decomposed into subintervals of activity
[Mos83]. Traditionally, only a restricted subset of ITL has been used for runtime verification
due to the limitations imposed by making the subset executable. In this thesis an alternative
restriction of ITL was considered as the basis for constructing a library of runtime verification
monitors (ITL-Monitor).
The thesis introduces a new first-occurrence operator (B) into ITL and explores its properties.
This operator is the basis of the translation from runtime monitors to their corresponding ITL
formulae. ITL-Monitor is then introduced formally, and the algebraic properties of its operators
are analysed. An implementation of ITL-Monitor is given, based upon the construction of a
Domain Specific Language using Scala. The architecture of the underlying system comprises
a network of concurrent actors built on top of Akka - an industrial-strength distributed actor
framework.
A number of example systems are constructed to evaluate ITL-Monitor’s performance against
alternative verification tools. ITL-Monitor is also subjected to a simulation that generates
a very large quantity of state data. The monitors were observed to deliver consistent
performance across execution traces of up to a million states, and to verify subintervals of up
to 300 states against ITL formulae with evaluation complexity of O(n3).

Declaration
I declare that the work in this thesis is original work undertaken by me between October 2010
and May 2019 for the degree of Doctor of Philosophy at the Software Technology Research
Laboratory (STRL), De Montfort University, United Kingdom.

Acknowledgements
I would like to thank my original and long-standing supervisor Antonio Cau with whom I have
had many discussions throughout these past years on runtime verification, Interval Temporal
Logic, CCS, Tempura, Isabelle/HOL, and many other topics; and whose advice and guidance
has been most gratefully appreciated. I would also like to thank Antonio for checking all of the
mathematical proofs, and subsequently for encoding ITL into Isabelle/HOL thus enabling the
mechanical proof checking of all of the laws developed within this thesis. I am also grateful to
Antonio for reading and commenting upon several drafts of the thesis. I would like to thank
my first supervisor, Helge Janicke, and members of the Faculty of Computing, Engineering
and Media who have motivated and inspired me over the years including Hussein Zedan,
Francois Siewe, Susan Bramer, Pam Watt, and Peter Messer. I would also like to record my
gratitude to the University for supporting me with this postgraduate work. Finally, thank
you to my friends and family who have accompanied me along the journey.

Mathematical laws and the software
library
Mathematical laws
Throughout this thesis reference is made to laws in ITL. These are referenced by name and
number such as FstFixFst (C .261). The number refers to the law’s position in Appendix C.
The name of each law follows the style used by Moszkowsi in (http://antonio-cau.co.uk/
ITL/itl-theorems/itl-theorems-home.pdf).
All of the ITL laws have been proved mechanically using Isabelle/HOL [oCM18]. The Isabelle
encoding for ITL was constructed by Antonio Cau as was the translation of Moszkowski’s and
Cau’s earlier work into Isabelle. Cau also translated the LATEX proofs that were constructed
by the author of this thesis as part of the current work.
The complete document is available from the ITL homepage [CM16]. The work undertaken
as part of this thesis is contained in Chapters 6 and 7. To access the document1
• Navigate to http://antonio-cau.co.uk/ITL/index.html
• Under Section 3 ‘Tools’, select the link to the ITL library for Isabelle/HOL http:
//antonio-cau.co.uk/ITL/itlhomepagesu13.html#x17-220003.3
• Within the ‘Deep embedding’ section is a download (Version 1.9 (16/03/2019)) which
is a zipped unix archive file
Software library
The Scala libraries developed as part of this thesis are distributed using an sbt archive. The
libarary is currently available from the author, and will appear in the tools section of the ITL
homepage [CM16].
1URL correct as of May 2019

Glossary of key terms
Acronyms
API Application Program Interface.
DSL Domain Specific Language 2.4.1.
ITL Interval Temporal Logic [CM16].
JVM Java Virtual Machine.
LTL Linear Temporal Logic [Pnu77].
RV Runtime Verification.
Terms
Actor A process, typically running in its own
thread, that reacts to received messages
by (possibly) updating internal state and
sending messages to other actors.
Akka A framework and API for managing actors
in JVM-based systems. [Akk17]
Compositionality The ability to reason about
a system by combining analyses of its
constituent parts.
Chop ( ; ) The name of the sequential
composition operator in ITL. It is used to
split an interval non-deterministically into
two subintervals, each of which satisfies its
respective formula, connected by a shared
state, e.g. f ; g .
Chopstar (∗) The name of the repetition
operator in ITL. It is used to specify a
non-deterministic number of sequentially
composed intervals, each satisfying the
given formula, e.g. f ∗.
First occurrence (B) The key ITL operator
defined within this thesis. The purpose of
B f is to define an interval that satisfies f
and has no strict prefix that satisfies f .
Interval A finite sequence of states – a
subsequence of a trace.
ITL Monitor (ITL-Monitor) The name given
to the monitor algebra developed in this
thesis. It is also used to refer to its Scala
implementation.
Monitor A software device for analysing the
trace of a program to determine if it satisfies
a given specification.
Runtime verification The use of monitors to
determine whether or not a program is
behaving according to its specification while
it is running.
Scala A contemporary programming language
combining object-oriented and functional
programming paradigms [Sca17].
Strict initial interval or strict prefix – either
an empty interval or a prefix that does not
include the final state.
(Execution) trace – a finite sequence of
program states generated by a running
program.

Contents
1 Introduction 1
1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Contributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Outline of thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2 Runtime verification 7
2.1 Temporal logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.1.1 Linear temporal logic . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.1.2 LTL with finite paths . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.1.3 Interval temporal logic . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.1.3.1 Derived operators . . . . . . . . . . . . . . . . . . . . . . . . 19
2.1.3.2 State formulae . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.2 Intervals and runtime verification . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.3 Direct execution of specifications . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.3.1 MetateM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.3.2 Tempura . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.4 Architectures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
2.4.1 Domain specific languages . . . . . . . . . . . . . . . . . . . . . . . . . 33
2.4.2 Aspect oriented approaches . . . . . . . . . . . . . . . . . . . . . . . . 34
2.4.3 Rule-based approaches . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.4.4 TraceContract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.4.5 AnaTempura . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
2.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
3 Development of the first occurrence operator 43
3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3.2 Timing analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
3.3 Determining fusion points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.3.1 Introducing first occurrence . . . . . . . . . . . . . . . . . . . . . . . . 50
3.3.2 Non-determinism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.4 Managing termination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
3.5 Properties of interval length . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.5.1 Interval length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.5.2 Laws with fixed-length formulae . . . . . . . . . . . . . . . . . . . . . 55
3.5.3 Fixed-length formulae and negation . . . . . . . . . . . . . . . . . . . 56
3.6 Strict initial intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.7 Formalisation of the first occurrence operator . . . . . . . . . . . . . . . . . . 58
3.8 Algebraic properties of the first occurrence operator . . . . . . . . . . . . . . 59
3.8.1 First with simple formulae . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.8.2 First with conjunction and disjunction . . . . . . . . . . . . . . . . . . 61
3.8.3 First with prefix intervals . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.8.4 Distribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.8.4.1 Through conjunction and disjunction . . . . . . . . . . . . . 63
3.8.4.2 Through chop . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.8.5 First occurrence with iteration . . . . . . . . . . . . . . . . . . . . . . 65
3.8.6 First and halt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
3.9 The last occurrence operator . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
3.9.1 Last and until . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.10 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
4 ITL Monitor 71
4.1 Monitor syntax and translation to ITL . . . . . . . . . . . . . . . . . . . . . . 71
4.2 Importable assumptions and exportable commitments . . . . . . . . . . . . . 79
4.2.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
4.2.2 Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
4.3 Selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4.4 Algebraic properties of monitors . . . . . . . . . . . . . . . . . . . . . . . . . 83
4.4.1 First occurrence fixpoint law . . . . . . . . . . . . . . . . . . . . . . . 83
4.4.2 Equivalence of monitors . . . . . . . . . . . . . . . . . . . . . . . . . . 83
4.4.3 Annihilator and identity laws . . . . . . . . . . . . . . . . . . . . . . . 84
4.4.4 Idempotence laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.4.5 Commutativity laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
4.4.6 Associativity laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.4.7 Absorption laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.4.8 Distributivity laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.4.9 Algebraic structures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.5 Example specification - scoring tennis . . . . . . . . . . . . . . . . . . . . . . 89
4.5.1 Running the verification . . . . . . . . . . . . . . . . . . . . . . . . . . 94
4.5.2 Adjusting the granularity of the analysis . . . . . . . . . . . . . . . . . 95
4.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
5 ITL Monitor implementation 97
5.1 Application programming interface . . . . . . . . . . . . . . . . . . . . . . . . 98
5.1.1 ITL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
5.1.1.1 Variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.1.1.2 Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
5.1.1.3 Intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
5.1.1.4 Expressions and formulae . . . . . . . . . . . . . . . . . . . . 102
5.1.1.5 Derived operators . . . . . . . . . . . . . . . . . . . . . . . . 103
5.1.2 Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.2 Concrete monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
5.2.1 Actor initialisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
5.2.2 Runtime monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
5.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
6 Examples and evaluation 121
6.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
6.2 Latch example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
6.2.1 Description in ITL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
6.2.2 Properties expressed in Tempura . . . . . . . . . . . . . . . . . . . . . 124
6.2.3 Properties expressed in LTL . . . . . . . . . . . . . . . . . . . . . . . . 125
6.2.4 State machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
6.2.5 Simulation and runtime verification . . . . . . . . . . . . . . . . . . . 125
6.2.5.1 ITL monitoring . . . . . . . . . . . . . . . . . . . . . . . . . 127
6.2.5.2 AnaTempura monitoring . . . . . . . . . . . . . . . . . . . . 128
6.2.5.3 TraceContract monitoring . . . . . . . . . . . . . . . . . . . . 130
6.2.5.4 State machine with TraceContract . . . . . . . . . . . . . . . 131
6.2.5.5 Execution timings . . . . . . . . . . . . . . . . . . . . . . . . 132
6.2.5.6 Reporting and recovery . . . . . . . . . . . . . . . . . . . . . 136
6.3 Checkout system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
6.3.1 Modelling the terminal class . . . . . . . . . . . . . . . . . . . . . . . . 142
6.3.2 Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
6.3.3 Timing data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
6.3.4 Running with TraceContract . . . . . . . . . . . . . . . . . . . . . . . 153
6.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
7 Conclusion and future work 159
7.1 Comparison with related work . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
7.2 Limitation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
7.3 Future work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
7.4 Potential impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Bibliography 163
Appendices 171
A API listings 173
A.1 ITL API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
A.2 Monitor API . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
B Practical examples 201
B.1 Tennis example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
B.2 Latch example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
B.2.1 Latch example - derived formula . . . . . . . . . . . . . . . . . . . . . 211
B.3 Checkout example - experiments . . . . . . . . . . . . . . . . . . . . . . . . . 212
B.3.1 Experiment 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
B.3.2 Experiment 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
B.3.3 Experiment 3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
C List of laws 217
C.1 First order ITL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
C.1.1 ITL definitions, derived constructs, axioms and rules . . . . . . . . . . 217
C.1.1.1 Semantic exists . . . . . . . . . . . . . . . . . . . . . . . . . . 217
C.1.1.2 Frequently-used non-temporal derived constructs . . . . . . . 218
C.1.1.3 Frequently-used temporal derived constructs . . . . . . . . . 218
C.1.1.4 Frequently-used concrete derived constructs . . . . . . . . . . 220
C.1.1.5 Frequently-used derived constructs relating to expressions . . 221
C.1.1.6 Propositional axioms and rules for ITL . . . . . . . . . . . . 223
C.1.1.7 First order axioms and rules for ITL . . . . . . . . . . . . . . 225
C.1.2 Time reversal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
C.1.2.1 Time reversal definitions and laws . . . . . . . . . . . . . . . 225
C.1.3 Definitions and laws related to exportable commitments . . . . . . . . 228
C.1.4 Always-followed-by . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
C.1.5 Commonly used ITL laws . . . . . . . . . . . . . . . . . . . . . . . . . 230
C.1.5.1 Box, Diamond, Now . . . . . . . . . . . . . . . . . . . . . . . 230
C.1.5.2 State, skip, true, false, empty, more with chop . . . . . . . . 230
C.1.5.3 Implication and equivalence through chop . . . . . . . . . . . 232
C.1.5.4 Initial intervals . . . . . . . . . . . . . . . . . . . . . . . . . . 233
C.1.5.5 Induction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
C.1.5.6 Chop and negation . . . . . . . . . . . . . . . . . . . . . . . . 236
C.1.5.7 Strong and weak next . . . . . . . . . . . . . . . . . . . . . . 237
C.1.5.8 Existential quantifcation through chop . . . . . . . . . . . . 238
C.1.5.9 Chop with empty and more . . . . . . . . . . . . . . . . . . . 238
C.1.6 Fixed length intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
C.1.6.1 Properties of interval length . . . . . . . . . . . . . . . . . . 239
C.1.7 Further laws with initial intervals . . . . . . . . . . . . . . . . . . . . . 241
C.1.8 Strict initial intervals . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
C.1.8.1 Duality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
C.1.8.2 Distribution through conjunction and disjunction . . . . . . 246
C.1.8.3 Useful implications . . . . . . . . . . . . . . . . . . . . . . . 247
C.1.8.4 Relating strict and non-strict initial intervals . . . . . . . . . 248
C.1.8.5 Strict final intervals . . . . . . . . . . . . . . . . . . . . . . . 249
C.1.9 First occurrence operator . . . . . . . . . . . . . . . . . . . . . . . . . 250
C.1.9.1 First with conjunction and disjunction . . . . . . . . . . . . . 250
C.1.9.2 First with true, false, empty, more . . . . . . . . . . . . . . . 251
C.1.9.3 First with initial intervals . . . . . . . . . . . . . . . . . . . . 252
C.1.9.4 First with state formulae . . . . . . . . . . . . . . . . . . . . 253
C.1.9.5 First and unique length . . . . . . . . . . . . . . . . . . . . . 254
C.1.9.6 First with chop distribution through conjunction . . . . . . . 255
C.1.9.7 Further useful theorems . . . . . . . . . . . . . . . . . . . . . 255
C.1.9.8 First with len and skip . . . . . . . . . . . . . . . . . . . . . 258
C.1.9.9 First occurrence with iteration . . . . . . . . . . . . . . . . . 258
C.1.9.10 Dual of first . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
C.1.9.11 Reflection of the first occurrence operator . . . . . . . . . . . 259
C.2 ITL Monitor definitions, combinators and laws . . . . . . . . . . . . . . . . . 260
C.2.1 ITL Monitor definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 260
C.2.2 ITL Monitor derived definitions . . . . . . . . . . . . . . . . . . . . . . 261
C.2.3 ITL Monitor laws . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
C.2.4 ITL Monitor alternative definitions . . . . . . . . . . . . . . . . . . . . 264
C.2.5 ITL Monitor equivalence . . . . . . . . . . . . . . . . . . . . . . . . . . 265
C.2.6 Efficient implementation of FAIL . . . . . . . . . . . . . . . . . . . . . 266
C.2.7 ITL Monitor annihilator and identity laws . . . . . . . . . . . . . . . . 266
C.2.8 ITL Monitor idempotence laws . . . . . . . . . . . . . . . . . . . . . . 268
C.2.9 ITL Monitor commutativity laws . . . . . . . . . . . . . . . . . . . . . 269
C.2.10 ITL Monitor associativity laws . . . . . . . . . . . . . . . . . . . . . . 270
C.2.11 ITL Monitor absorption laws . . . . . . . . . . . . . . . . . . . . . . . 270
C.2.12 ITL Monitor distributivity laws . . . . . . . . . . . . . . . . . . . . . . 271

Chapter 1
Introduction
1.1 Motivation
Program verification is a key activity in the software development lifecycle. Traditional
software testing which includes many established approaches including functional and
structural testing, equivalence partitioning, prime path analysis, etc. comprises an established
body of knowledge within the industry, e.g., [AO08].
One approach that is particularly suitable for the analysis of critical systems is model checking.
A formal specification of the required temporal properties is constructed, usually in a Linear
Temporal Logic (LTL). This, and an abstract model of the system, are translated into
(typically) Bu¨chi automata – finite state automata that can accept infinite paths. The
method tests every path through the automaton to ensure that it passes through at least
one accepting state infinitely often. Such analysis is typically undertaken before a system is
deployed because it verifies all possible execution traces that the system could generate.
By contrast, runtime verification is a lightweight approach that analyses a single execution
trace generated by a program while it is running. It is particularly useful in situations when
it is infeasible to conduct model checking, or when it is necessary to provide extra assurance
that a specific program run does not violate its temporal requirements. Faults are discovered
as they arise which leads to action being taken such as noting the fault; reacting and adapting
the system’s behaviour; or halting its execution.
Like model checking, runtime verification specifications are written in a formal language, and
LTL is very widely used. Temporal properties such as ‘whenever p occurs then q must follow’
(liveness), or ‘p and q must never hold at the same time’ (safety) can be checked. However,
runtime verification checks finite traces, and the interpretation of liveness over finite traces is
2 Chapter 1: Introduction
different from its interpretation over infinte traces.1
Another temporal logic that has been used for runtime verification is Interval Temporal Logic
(ITL) [Mos83]. ITL has constructs that are similar to those found in computer programs such
as sequence, parallel composition, iteration, and variable assignment [MM84]. In [Mos86] an
executable subset of ITL, called Tempura, was defined along with an outline algorithm for an
interpreter. This provides an environment in which ITL formulae can be checked by executing
them. Tempura has been applied to runtime verification using AnaTempura [Cau07], a tool
that runs the program under test with Tempura concurrently executing the specification.
The requirement for Tempura to be executable places a restriction on its design such that it
requires the user to specify the values of program variables completely, and to state explicitly
when program termination occurs.
The motivation for the work in this thesis was to investigate whether ITL could be used
for runtime verification but without the executability constraints required by Tempura. It
was immediately apparant that ITL could not be used without restriction because its non-
deterministic chop (sequential composition) operator would lead to exponential performance
growth as the number of chops increased. The approach was to specify a deterministic
partitioning of the execution trace into a sequence of subintervals, each of which could be
verified with an arbitrary ITL formula.
It soon became clear that the restriction necessary to specify the deterministic subintervals
was not a restriction on chop but a restriction on its first operand. States are input to a
runtime verification monitor sequentially and the subinterval ends as soon as the left-hand
formula is satisfied. At this point the next subinterval begins and monitoring continues with
the right-hand formula. This motivated the need to find an operator that restricted a formula
in such a way that if an interval satisfied it, then no strict prefix did. This led to the definition
of the new, derived, first-occurrence operator in ITL. As the underpinning ITL construct for
the runtime monitors, it was necessary to explore the mathematical properties of the first
occurrence operator in depth. This has added to the body of knowledge about ITL. Antonio
Cau has encoded ITL in Isabelle2 and documented a large number of ITL laws along with their
mechanical proofs [CMS19]. These laws are drawn predominantly from work by Moszkowski
and Cau. However, Chapters 6 and 7 of the document contain all of the laws developed as
part of this thesis, along with their mechanical proofs.
A further motivation was to consider how such a language could be mapped directly into code
thus enabling such restricted ITL formulae to be synonomous with the monitors that verify
them. This eliminates the need for any specification preprocessing common to many existing
runtime verification systems. Recent research in runtime verification has proposed that using
1The difference is discussed later on page 15.
2A generic proof assistant [oCM18].
1.3 Contributions 3
Domain Specific Languages (DSLs) to support monitor construction is a very promising
approach [BH11, FHR13] and that Scala is a suitable development language [AHKY15].
The research was undertaken firstly by constructing a mathematical model of the monitors,
and exploring its properties. Then a software tool, written as a Scala DSL, was implemented
and evaluated by constructing a number of case studies.
1.2 Contributions
The contributions of the thesis are listed below:
• The introduction of the operators 2s , 3s , and especially, first-occurrence (B) into ITL
(see Chapter 3). These operators have been thoroughly investigated and, in particular,
the properties of B in relation to itself and other ITL operators including chop and
chopstar.
The theory includes the important law ` B(B f ; g) ≡ B f ; B g which states that
the sequential composition of first occurrences is itself a first occurrence. This is a
significant result which has an important corollary ` BB f ≡ B f which states that
a first occurrence of f is itself a first occurrence.
A comprehensive set of related theorems and fully worked proofs has been developed.
These are presented in full in Chapter 6 of [CMS19].
• The construction of ITL-Monitor - a language whose operators combine B-restricted
ITL formulae while preserving their first-occurrence properties. The operators satisfy a
range of algebraic laws which have been discovered and categorised. All the theorems
and their associated proofs have been fully worked out and are presented in full in
Chapter 7 of [CMS19].
• Two Domain Specific Libraries written in Scala for implementing ITL expressions and
formulae and ITL-Monitors: ITL.scala and Monitor.scala. The latter provides an
API for constructing runtime monitors that verify the ITL formulae they represent.
• A demonstration that it is feasible to use ITL-Monitor to perform runtime verification
on systems generating large numbers of states (an execution trace of c. a million states
has been verified successfully). An execution trace that was partitioned into relatively
short individual subintervals (around 300 states or fewer) was able to verify each of
these subintervals against a formula with up to O(n3) evaluation complexity in less
than a tenth of a second.
4 Chapter 1: Introduction
1.3 Outline of thesis
Chapter 2 introduces the field of runtime verification. The syntax and semantics of two
temporal logics are given. The first, Linear Temporal Logic (LTL), is used extensively in
both model checking and runtime verification. The second, Interval Temporal Logic (ITL),
is an extension of linear-time temporal logic and is the underlying logic used in this thesis.
The semantics of LTL is defined over infinite paths and then extended to finite paths. The
motivation for this is that runtime verification analyses an evolving execution trace which
comprises a set of prefix-closed, finite intervals. The chapter discusses finite intervals in
the context of runtime verification and argues for a partitioning of the execution trace into a
sequence of finite intervals – a topic which is developed in the subsequent chapter. Traditional
and contemporary approaches to runtime verification are discussed with particular emphasis
on two software tools that will be used for comparison with the tool developed as part of this
thesis.
Chapter 3 discusses two key distinguishing operators in ITL, chop ( ; ) and chopstar (∗),
used for sequencing and repeating ITL formulae. Chop is a nondeterministic operator which
requires that for some formula f ; g a satisfying interval can be divided into a prefix and
a suffix over which f and g hold respectively. The subintervals must share one chop (or
fusion) point but this need not be determined uniquely. Chopstar can introduce multiple
nondeterministic fusion points and the task of locating a set of such points in order to satisfy
a formula has exponential complexity. This can be mitigated by defining a deterministic chop
operator to specify a unique partitioning of the execution trace [BB08]. This thesis performs
this task by defining a new first-occurrence operator B. This operator is independent of chop
although combining it with chop to determine fusion points is its primary roˆle. The concept
of first-occurrence provides the basis for constructing runtime monitors. Consequently this
operator can be combined with arbitrary ITL formulae and the chapter explores in depth the
algebraic properties of B and how it combines with other ITL operators.
Chapter 4 introduces ITL-Monitor, the compositional runtime verification language which is
the subject of this thesis. ITL-Monitor is described in two ways. Firstly, ITL-Monitor is a
language for constructing ITL formulae that preserve first-occurrence properties. A syntax is
defined for a core language, and a translation function into ITL formulae is given. An informal
discussion of the behaviour of the core operators is given in terms of ITL, and then a set of
derived operators is introduced along with a justification for each. The algebraic properties of
monitors are explored and a number of algebraic structures are presented. An ITL-Monitor also
represents an executable, runtime monitor and the chapter describes the roˆles of the various
operators in this context. The application of Moszkowski’s importable assumptions and
exportable commitments [Mos96a, Mos98] to maintaining invariant properties over sequences
of subintervals is presented. The chapter concludes with a demonstration of how the ITL-
1.3 Outline of thesis 5
Monitor operators can be combined to construct a runtime verification monitor for a small
application.
Chapter 5 describes the implementation of ITL-Monitor as an API in Scala. Two basic data
structures are introduced: one for representing ITL formulae, and the other for representing
ITL-Monitor expressions. Details of their representation in Scala are provided with particular
emphasis on how specific language features such as pattern matching, existential types, and
infix method notation, have been exploited. Efficiency considerations are described in respect
of the implementations of both libraries. Finally, the translation of monitors into a network
of Akka [Akk17, Wya13] actors is given and the operation of this system is illustrated using
two example monitors and a step-by-step animation.
Chapter 6 introduces two example systems. The first (latch) example provides a comparative
analysis of ITL-Monitor with two other runtime verifcation tools: TraceContract and
AnaTempura. Requirements specifications are presented using each of the tools’ individual
notations and these are compared with each other. The example is coded in Scala
and executed multiple times with different combinations of the tools providing a runtime
verification. The results and timing data are presented and analysed. The capability of each
tool to provide feedback when the verification fails is also discussed. The second (checkout)
example is used to generate a large quantity of state data to enable the performance of ITL-
Monitor to be measured under stress. In particular, the lengths of subintervals that could be
monitored effectively by formulae with O(n3) and O(n4) complexities are investigated. It is
demonstrated that the system’s performance scales linearly as the execution trace length is
increased and this is shown for up to c. 1m states partitioned into 12000 subintervals.
Finally, Chapter 7 summarises the thesis and discusses future research potential.
6 Chapter 1: Introduction
Chapter 2
Runtime verification
Runtime verification is a method in which a computer program1 is monitored while it is
executing to determine whether or not it satisfies or violates certain correctness criteria.
These are often safety properties expressed using a formal language such as, for example,
temporal logic. Runtime verification also describes, more widely, a discipline of computer
science whose “distinguishing research effort lies in synthesizing monitors from high level
specifications” [Leu12].
An executing program generates a sequence of states which is analysed for the purpose of
runtime verification.
Definition 2.1 Program state The state of the program at a given point in time is the
mapping of its variables to their current values.
A program’s behaviour may be understood in terms of how it modifies state. When an
instruction causes a change to one or more of the state variables, then a new state is
generated. In this way the program’s execution trace can be represented as a sequence of
states, 〈s0, s1, . . . 〉.
Definition 2.2 Execution trace An execution trace is a finite sequence of program states
generated by a running program.
While all of the variables which comprise the state are significant to the program’s operation,
only a subset of these may be relevant to the specification. Let a state containing only these
monitored variables be denoted by σi . As the program is executed, an execution trace, σ, is
generated: 〈σ0, σ1, . . . 〉.
1The term program is used here to represent any unit of code whose behaviour is being verified. It could,
for example, be a single subroutine, or a collection of concurrent processes, or any executable components that
make up a system under scrutiny.
8 Chapter 2: Runtime verification
Definition 2.3 Runtime verification A method by which an executing program is checked
continuously for adherence to, or violation of, specified correctness properties.
Runtime verification can be compared both to traditional software testing techniques and to
model checking. However, there is a stronger relationship with the latter, due to the primacy
of a formal specification, typically written in temporal logic. In contrast, traditional software
testing techniques (e.g. see [AO08]) do not require formal methods, although formal methods
and testing have been combined in, e.g., [BBC+02, Hie02].
An important distinction between model checking and runtime verification is that the former
performs an analysis on all possible runs of a program, whereas the latter only analyses
one specific run at a time. For this reason runtime verification is considered to be a
lightweight verification method. Runtime verification may be employed in conjunction with
other verification techniques, sometimes as an important extra check, in order to maintain
confidence in a particular program run.
Major developments in runtime verification appear in the International Conference on
Runtime Verification which began as a workshop series in 2001 and became an annual
international conference in 2010. Areas of particular interest include formal specification
languages, temporal logics, runtime verification methods, and tool support.
Section 2.1 introduces Linear Temporal Logic (LTL) and Interval Temporal Logic (ITL), both
of which are used to specify temporal behaviour for runtime verification, the latter being the
logic used primarily in this thesis. Section 2.2 discusses intervals in the context of runtime
verification. Section 2.3 considers two languages, MetateM, based on LTL, and Tempura, a
deterministic subset of ITL, which are used to animate specifications.2 Section 2.4 describes
the principal architectures for runtime verification and discusses two runtime verification tools
that are used for comparison with the current work.
2.1 Temporal logic
Temporal logic is relevant to both model checking and runtime verification. An exposition
of temporal logics and how they are used in runtime verification is presented in [Fis11],
and a discussion of the classification of temporal logics appears in [Eme90] (Chapter 16).
This section covers Linear Temporal Logic (LTL), the primary temporal logic used in model
checking and many runtime verification systems; and Interval Temporal Logic (ITL), which
is the basis for the work in this thesis.
2Animation can be used to explore the behaviour of a specification interactively before it is included within
a runtime verification.
2.1 Temporal logic 9
2.1.1 Linear temporal logic
Linear Temporal Logic (LTL) [Pnu77, MP92] was first introduced in the context of program
verification, as a language for expressing the temporal relationships between variables in a
computer program.
Formulae in LTL are constructed from a finite set of propositional variables, P , which are
normally written as lower-case alphanumeric symbols (possibly including underscores), e.g.,
p, q2, is on; the Boolean constants true and false; the propositional connectives ¬ , ∧, ∨,
⇒, ⇔; and the temporal connectives ©, 3, 2, U , W. Parentheses can be used to resolve
ambiguity when combining operators.
The set of well-formed LTL formulae is defined inductively:
• Any propositional variable p ∈ P is an LTL formula
• Either of the constants true and false is an LTL formula
• If ϕ and ψ are LTL formulae, then so are: ¬ ϕ, ϕ ∧ ψ, ϕ ∨ ψ, ϕ ⇒ ψ, ϕ ⇔ ψ, ϕ U ψ,
ϕW ψ, 3ϕ, 2ϕ, ©ϕ, (ϕ)
The semantics of LTL is defined over infinite paths pi = 〈pi0, pi1, pi2, . . . 〉 in which each pii is a
state characterised by the set of propositions that are true at the i th moment in time. The
model of time is discrete and each state pii has a successor, or next state, pii+1. The initial
state has index 0.
The semantics is defined using an interpretation function |= which maps a path pi, an index
i ≥ 0, and a well-formed formula ϕ, to a value in the set of Boolean values B = {>,⊥}. If a
formula ϕ holds at index i then ((pi, i) |= ϕ) = >, abbreviated to (pi, i) |= ϕ; and if ϕ does
not hold at index i then ((pi, i) |= ϕ) = ⊥, abbreviated to (pi, i) 6|= ϕ. The semantics of LTL
formulae is given in Figure 2.1:
10 Chapter 2: Runtime verification
Constant
(pi, i) |= true
Propositions
(pi, i) |= p iff p ∈ pii
Propositional operators
(pi, i) |= ¬ ϕ iff (pi, i) 6|= ϕ
(pi, i) |= ϕ1 ∧ ϕ2 iff (pi, i) |= ϕ1 and (pi, i) |= ϕ2
Temporal operators
(pi, i) |= ©ϕ iff (pi, i + 1) |= ϕ
(pi, i) |= ϕ1 U ϕ2 iff there exists j ≥ i such that (pi, j ) |= ϕ2 and
for all i ≤ k < j , (pi, k) |= ϕ1
Figure 2.1: LTL semantics
The next formula, ©ϕ, holds in state i if ϕ holds in state i + 1. The existence of a next state
is guaranteed because the semantics is defined over infinite paths. The until formula, ϕ1U ϕ2,
holds in state i if ϕ2 holds in some future state j ≥ i , and ϕ1 holds throughout all the states
k where i ≤ k < j . Importantly, ϕ2 is guaranteed to be satisfied at some future state and
for this reason U is referred to as the strong until operator. The semantics allows ϕ1 to hold
in the same state that ϕ2 holds but does not require it. Furthermore, it is possible for ϕ2 to
hold ‘immediately’ in which case ϕ1 holds vacuously over an empty interval. Below is a list
of derived operators:
false =̂ ¬ true
ϕ1 ∨ ϕ2 =̂ ¬ (¬ ϕ1 ∧ ¬ ϕ2)
ϕ1 ⇒ ϕ2 =̂ ¬ ϕ1 ∨ ϕ2
ϕ1 ⇔ ϕ2 =̂ (ϕ1 ⇒ ϕ2) ∧ (ϕ2 ⇒ ϕ1)
3ϕ =̂ true U ϕ
2ϕ =̂ ¬ 3¬ ϕ
ϕ1W ϕ2 =̂ (ϕ1 U ϕ2) ∨ (2ϕ1)
The main derived temporal operators are further described below.
Eventually 3ϕ
Eventually ϕ will hold.
(pi, i) |= 3ϕ iff there exists j ≥ i such that (pi, j ) |= ϕ
Always 2ϕ
ϕ will always hold from this point.
(pi, i) |= 2ϕ iff for all j ≥ i , (pi, j ) |= ϕ
2.1 Temporal logic 11
Weak until ϕ1W ϕ2
ϕ1 must hold either until ϕ2 holds, or forevermore if ϕ2 never holds in the future.
(pi, i) |= ϕ1W ϕ2 iff either (pi, i) |= ϕ1 U ϕ2 or (pi, i) |= 2ϕ1
Note that ` ϕW false⇔ 2ϕ.
A significant application area for LTL is model checking in which a model of a system is
constructed that represents the set of infinite paths (sequences of states) that collectively
encode all possible runs of the system. The goal of model checking is to establish that every
one of these paths satisfies a given correctness property. The number of such paths increases
combinatorially as the number of reachable states increases. Model checking, M |= ϕ, and
validity, ` ϕ, in LTL are in the complexity class PSPACE [Fis11].
In contrast to model checking, runtime verification focuses on checking a single path – an
execution trace. Consequently, as noted by [ZZC05], the issue of combinatorial complexity
does not arise in this case. Runtime verification is not a substitute for model checking, but
can be used as a complementary tool, or when model checking may be infeasible.
To introduce the comparison between model checking and runtime verification, an outline of
the model checking process is presented below. It uses LTL with infinte path semantics. This
is followed by a discussion of LTL with finite (truncated) paths which arise within the context
of runtime verification.
Let Σω represent the set of all possible, potentially infinite execution paths of a program S .
Then model checking requires that ∀pi ∈ Σω. (pi, 0) |= ϕ. If, for some path pi, (pi, 0) |= ϕ then
pi is a model of S that satisfies ϕ.
Model checking uses finite state automata to represent all (possibly infinite) paths of the
program under test, and the temporal state transitions that satisfy the required temporal
formula. To encode infinite paths it is necessary to use a class of automata called ω-automata
which can accept infinite words. An infinite word is accepted if the word describes at least
one run through the automaton that passes through at least one accepting state infinitely
often. Bu¨chi automata are a class of such ω-automata that are used in model checking.
A Bu¨chi automaton, BA, is defined as BA = 〈A,S , δ, I ,F 〉 where A is an alphabet; S is a
finite set of states; δ : S × A× S is a transition relation; I ∈ S , is a set of initial states; and
F ∈ S , is a set of final states. Each letter is interpreted as a set of propositions: thus A is the
powerset of a given set of propositions. A word represents an execution sequence of states in
which each state is a set of propositions that hold in that state.
LTL can express a range of temporal properties, many of which are classified in [MP87], and
a selection of which is presented in Figure 2.2 for illustration.
12 Chapter 2: Runtime verification
Classification Typical formula
Invariance (Safety) 2ϕ (or 2¬ ϕ)
Guarantee (Liveness) 3ϕ
Persistence (Stability) 32ϕ
Recurrence (Progress) 23ϕ
Obligation (Correlation) 3ϕ1 ⇒ 3ϕ2
Response ϕ1 ⇒ 3ϕ2
Precedence ¬ ϕ1 U ϕ2
Figure 2.2: Some patterns of LTL temporal properties [MP87]
For example, suppose the alphabet is given by A = P{a, b}, then the LTL formula a ∧ ©32b
can be translated into the following Bu¨chi automaton. (N.B., the shorthand notation a is
used within the transition relation δ to represent any set of propositions containing a.)
A = P{a, b}
S = {s1, s2, s3}
δ = {(s1, a, s2), (s2, true, s2), (s2, b, s3), (s3, b, s3)}
I = {s1}
F = {s3}
The automata-based approach to model checking proceeds as follows. The system under
test, S , is modelled as a Bu¨chi automaton, BAS . This represents all of the possible paths
that could be generated by S . The temporal property that every run of S must satisfy is
expressed as an LTL formula ϕ and its negation is translated into a Bu¨chi automaton, BA¬ ϕ.
It is necessary to establish that the set of paths accepted by BAS is a subset of the set of
paths accepted by BAϕ. This condition can be established by checking that the intersection
of the set of paths accepted by BAS and the set of paths by BA¬ ϕ is empty. If every state in
BAS is made to be accepting, then ∀pi ∈ Σω. (pi, 0) |= ϕ can be established by determining
that the automaton BAS × BA¬ ϕ is empty. The accepting states of BAS × BA¬ ϕ will be
precisely those containing the acceptance states of BA¬ ϕ and thus represent precisely those
runs of S that satisfy ¬ ϕ: i.e. ‘bad states’. If the set of such paths is empty then the model
checking succeeds.
Once constructed, the automaton BAS×BA¬ ϕ can be reduced using the following set of rules
which are quoted from [Fis11] (page 34): “(i) remove transitions that contain contradictions
(e.g. a ∧ ¬ a); (ii) remove nodes that have no transitions emanating from them; (iii) remove
terminal, non-accepting sets of nodes.” These steps are applied repeatedly until none applies.
If the resulting graph is empty then the temporal property was satisfied. To complete this
discussion, a small example of the technique is provided below.
Example 2.1.1 Consider a program in which an agent can request to enter a particular state.
2.1 Temporal logic 13
Following the request, the agent may enter the state or may have to wait before entering.
An agent that has entered must subsequently leave and the process repeats. Using letters to
represent the propositions (r = requested, w = waiting, e = entered, l = left), the behaviour
is captured in the Bu¨chi automaton shown in Figure 2.3.
m1 m2 m3
m4
r w
e
l
e
ABAS = P{r ,w , e, l}
SBAS = {m1,m2,m3,m4}
δBAS = {(m1, r ,m2), (m2,w ,m3), (m2, e,m4), (m3, e,m4), (m4, l ,m1)}
IBAS = {m1}
FBAS = {m1,m2,m3,m4}
Figure 2.3: The Bu¨chi automaton BAS .
It is required that this process satisfies the temporal property that whenever a request to
enter is made then entry is guaranteed at some point thereafter. The temporal property
can be expressed in LTL: ϕ = 2(r ⇒ ©3e). The negation of this formula is given by:
¬ ϕ = 3(r ∧ ©2¬ e).3 The Bu¨chi automaton for ¬ ϕ is shown in Figure 2.4.
p1 p2
r :e
ABA¬ ϕ = P{r ,w , e, l}
SBA¬ ϕ = {p1, p2}
δBA¬ ϕ = {(p1, true, p1), (p1, r , p2), (p2,¬ e, p2)}
IBA¬ ϕ = {p1}
FBA¬ ϕ = {p2}
Figure 2.4: The Bu¨chi automaton BA¬ ϕ.
Figure 2.5 shows the combined Bu¨chi automaton BAS×BA¬ ϕ. Unreachable states have been
3Negation can be moved inside next: ¬ ©ϕ ⇔ ©¬ ϕ. 3 and 2 are duals: ¬ 2ϕ ⇔ 3¬ ϕ, and
¬3ϕ⇔2¬ ϕ
14 Chapter 2: Runtime verification
removed. Notice that state m3p2 has no transitions emanating from it and therefore it is a
candidate for removal. Consequently, its removal makes m2p2 the next candidate for removal.
The resulting graph is a terminal non-accepting set of nodes which can all be deleted to leave
an empty graph. Thus the model checking succeeds. 
m2p2
m3p1
m3p2
m2p1
m4p1
m1p1
r
r
w
e
w
e
l
Figure 2.5: The Bu¨chi automaton BAS × BA¬ ϕ with nodes marked for removal.
The process can be automated using a model checker such as spin [Spi17, Hol04].
2.1.2 LTL with finite paths
With infinite paths semantics ©ϕ is always defined. However, for a finite path the meaning
of ©ϕ in the final state needs to be defined. Also, the meaning of ϕ1 U ϕ2 needs to be defined
for a finite interval. A weak next operator ©w is introduced in which ©w ϕ holds in the final
state and has the same meaning as ©ϕ in all the preceding states4. The semantics of these
operators appears in Figure 2.6. Note how the definition of ϕ1 U ϕ2 requires that ϕ2 must
hold in the final state, if not before.
(pi, i) |= ©ϕ iff
{
(pi, i + 1) |= ϕ if i + 1 < n
⊥ otherwise
(pi, i) |= ©w ϕ iff
{
(pi, i + 1) |= ϕ if i + 1 < n
> otherwise
(pi, i) |= ϕ1 U ϕ2 iff (pi, i) |= ϕ2 or ((pi, i) |= ϕ1 and (pi, i) |= ©(ϕ1 U ϕ2))
where n is the length of the path.
Figure 2.6: LTL finite semantics (overrides temporal operators in Figure 2.1)
4This presentation uses the symbol © for strong next and ©w for weak next. Other symbols commonly
used for these operators are X and X¯ .
2.1 Temporal logic 15
Runtime verification analyses an execution path each time that a new state, pii , is generated.
Thus a sequence of prefix paths is produced pi0 = 〈pi0〉, pi1 = 〈pi0, pi1〉, . . . . Suppose that pi
represents the (possibly infinite) execution path for a run of program S . Then each pik , 0 ≤ k ,
is a finite prefix of pi, and each prefix path pik+1 represents a ‘better’ approximation of pi than
its predecessor pik . These finite, prefix paths are produced by executing programs as each
new state is generated, and the set of paths {pi0, pi1, . . . pik} is a prefix-closed set. Such finite
prefixes constitute truncated paths.
Consider the evolving path as a program executes. Certain properties may be established
globally on the basis of evidence provided by a finite, partial prefix. For example, the safety
property, 2(¬ b), is violated as soon as an instance of b is detected. In this case the prefix
path has provided sufficient evidence to establish that the condition is violated – it may not
subsequently be judged to have been satisfied. Conversely, the liveness property, f ⇒ 3g , can
be established if f has been observed and then, later, g holds. The prefix path (up to g) has
provided sufficient evidence to establish that the condition is satisfied. By contrast, consider
a liveness property such as 2(f ⇒ 3g). No finite prefix can determine the correctness of this
claim.
Liveness in the context of finite path semantics is interpreted slightly differently from liveness
in the context of infinite path semantics. Consider the LTL formula 3ϕ. The infinite LTL
semantics (Figure 2.1) requires that ϕ holds at some point in the future. However, in the case
of a finite semantics (Figure 2.6), ϕ must hold at some point up to the final state. Liveness
properties over infinite paths can be established by model checking. However, in the context
of runtime verification, a liveness property can only be checked for a specific program run by
observing ϕ before the end of the execution trace is reached.
Analysis of truncated paths has the potential to produce misleading judgements. For example,
the formula 3ϕ may be false over paths pi
0, pi1 . . . pik , but true over pik+1. An analysis of a
truncated path can only provide a judgement on the basis of the information available up to
a certain point in time. [EFH+03, BLS07, LS09, BLS11] have proposed using three- and four-
valued temporal logics to deal with the potentially misleading nature of premature judgements
over truncated paths.
[LS09] introduces LTL3, a three-valued logic, in which the satisfaction function returns one of
{>,⊥, ?} where ? represents ‘inconclusive’. Consider a finite word w , and its concatentation
with an infinite word u, written w · u, and using the relation |=3 to represent satisfaction in
LTL3, then w |=3 ϕ is defined as > if for all u, w · u |=3 ϕ; ⊥ if for all u, w · u 6|=3 ϕ; and ?
if neither > nor ⊥ can be established based on w . For example, if ¬ p holds throughout w
then w |=3 2¬ p = ? because p may hold in a future state. Conversely, if p holds at some
point within w , then w |=3 3p = >, and w |=3 2¬ p = ⊥.
In [BLS07] the authors develop a refinement of LTL3 called RV -LTL in which a four-valued
16 Chapter 2: Runtime verification
logic, B4, is introduced: B4 = {⊥,⊥p ,>p ,>}. The values represent false, presumably false,
presumably true, and true respectively. The syntax of RV -LTL formulae is given inductively
by:
ϕ ::= true | p | ¬ ϕ | ϕ ∨ ϕ | ϕ U ϕ | ©ϕ | ©w ϕ (where p ∈ P)
The semantics of RV -LTL is derived from LTL3 and the following definition is taken from
[BLS07]:
Let pi ∈ Σ∗ denote a finite path of length n = |pi|. The truth value of an RV -LTL
formula ϕ wrt pi at position i < n, denoted by (pi, i) |=RV ϕ, is an element of B4
and is defined as follows:
(pi, i) |=RV ϕ =

> if (pi, i) |=3 ϕ′ = >
⊥ if (pi, i) |=3 ϕ′ = ⊥
>p if (pi, i) |=3 ϕ′ = ? and (pi, i) |= ϕ = >
⊥p if (pi, i) |=3 ϕ′ = ? and (pi, i) |= ϕ = ⊥
where ϕ′ is obtained from ϕ by replacing each ©w operator with ©.
[BLS07] argue that logics for runtime verification should not evaluate to > or ⊥ prematurely,
but should evaluate to > or ⊥ as soon as possible. These properties are referred to as
impartiality and anticipation respectively.
ITL-Monitor, the runtime verification language which is the subject of this thesis, delivers
three judgements: done, fail, and more. These correspond to the LTL3 verdicts >, ⊥,
and ?, respectively. In future work it would be possible to explore the efficacy of using a
greater number of potential judgements. For example, one could consider RV -LTL’s >p and
⊥p , or, relatedly, the five-valued judgements used by RuleR [BHRG09]: {TRUE, STILL TRUE,
STILL FALSE, FALSE, UNKNOWN} in which STILL TRUE relates to a (safety) property not yet
falsified; STILL FALSE relates to a (liveness) property not yet satisfied; and UNKNOWN relates
to a condition that does not fit the other criteria such as a combination of STILL TRUE and
STILL FALSE.
2.1.3 Interval temporal logic
Interval Temporal Logic (ITL) [Mos82, Mos83, CZCM96, CM16, CMS19] provides an
alternative formalism for specifying runtime system behaviour. Propositional and first-order
variants of ITL have been developed for finite and infinite path semantics. In this thesis
first order, finite ITL is used. The significance of using a finite path temporal logic for
2.1 Temporal logic 17
runtime verification was discussed in Section 2.1.2. In first order ITL validity is not decidable.
However, it is possible to check if a given model satisfies a first order ITL formula, and this
is exactly the requirement for runtime verification. This same argument is made by [BRH07]
in respect of another runtime verification logic, Eagle, discussed later in Section 2.4.3.
ITL [CM16, CMS19] is defined over finite intervals (non-empty sequences of states), σ =
σ0, σ1, . . . , σ|σ|, in which each state is the union of the mapping from the set of integer variables
IntVar to Z, and the mapping from propositional variables PropVar to the Boolean values
Bool = {tt,ff}. IntVar ∪ BoolVar is the set of alphanumeric identifiers, which may contain
underscores and subscripts, beginning with an uppercase letter.
The syntax of ITL expressions, e, and ITL formulae, f is presented below. The definitions
are taken from [CM16]:
Integer Expressions ie ::= z | A | ig(ie1, . . . , ien) | ©A | fin A
Boolean Expressions be ::= b | Q | bg(be1, . . . , ben) | ©Q | fin Q
Formulae f ::= true | h(e1, . . . , en) | ¬ f | f1 ∧ f2 | ∀ v • f |
skip | f1 ; f2 | f ∗
where z denotes an integer value
A denotes an integer variable (can change within an interval)
b denotes a Boolean value
Q denotes a propositional variable
ig denotes an integer function symbol (e.g + and ×)
bg denotes a Boolean function symbol (e.g ∧ and ∨)
v denotes a Boolean or integer variable
ei denotes a Boolean or integer expression
h denotes a predicate symbol. (e.g. ≤ and =)
Temporal formulae are interpreted over a finite interval. Formulae can be composed
sequentially using the chop operator, (e.g. f ; g), and iteratively using the chopstar operator,
(e.g. f ∗). In the semantics that follows:
E [[. . .]](σ) is the semantic function: Expressions × Σ+ → Z.
F [[. . .]](σ) is the semantic function: Formulae × Σ+ → Bool .
σ = 〈σ0, σ1 . . . 〉 is an interval.
σi(A) represents the value associated with the state variable A in state σi .
σ ∼v σ′ means that the intervals σ and σ′ are identical with the possible exception of their
mappings for the variable v .
18 Chapter 2: Runtime verification
The semantics is given inductively over the structure of ITL expressions and formulae. This
is also taken from [CM16]:
E [[z ]](σ) = z
E [[A]](σ) = σ0(A)
E [[ig(ie1, . . . , ien)]](σ) = ig(E [[ie1]](σ), . . . , E [[ien ]](σ))
E [[©A]](σ) =
{
σ1(A) if |σ| > 0
any x s.t. x ∈ Z otherwise
E [[fin A]](σ) = σ|σ|(A)
E [[b]](σ) = b
E [[Q ]](σ) = σ0(Q)
E [[bg(be1, . . . , ben)]](σ) = bg(E [[be1]](σ), . . . , E [[ben ]](σ))
E [[©Q ]](σ) =
{
σ1(Q) if |σ| > 0
any x s.t. x ∈ Bool otherwise
E [[fin Q ]](σ) = σ|σ|(Q)
F [[true]](σ) = tt
F [[h(e1, . . . , en)]](σ) = tt iff h(E [[e1]](σ), . . . , E [[en ]](σ))
F [[¬ f ]](σ) = tt iff not(F [[f ]](σ) = tt)
F [[f1 ∧ f2]](σ) = tt iff F [[f1]](σ) = tt and F [[f2]](σ) = tt
F [[skip]](σ) = tt iff |σ| = 1
F [[∀ v • f ]](σ) = tt iff for allσ′ s.t. σ ∼v σ′,F [[f ]](σ′) = tt
F [[f1 ; f2]](σ) = tt iff (exists k , s.t. F [[f1]](σ0 . . σk ) = tt and F [[f2]](σk . . σ|σ|) = tt)
F [[f ∗]](σ) = tt iff (exists l0, . . . , ln s.t. l0 = 0 and ln = |σ| and
for all 0 ≤ i < n, li ≤ li+1 and F [[f ]](σli . . σli+1) = tt)
The length of an interval σ, denoted |σ|, is equal to the number of states minus one. Thus
a one-state interval is defined to have a length of zero.5 The meaning of a state variable is
given by its value in the first state of the interval (σ0). The temporal formula skip represents
an interval of unit length (i.e. two states). The formula f1 ; f2 holds over an interval if the
interval can be split into two subintervals: a prefix over which f1 holds and a suffix over which
f2 holds. The prefix and suffix intervals thus obtained must share one common state which is
simultaneously the final state of the prefix and the initial state of the suffix. The formula f ∗
holds over an interval if it is possible to split the interval into a series of subintervals each of
which satisfies f : i.e. f ; f ; . . . ; f .6 These fundamental temporal formulae are illustrated
in Figure 2.7.
5This interpretation of a single state representing an empty interval has always been part of ITL.
6Note that ; is associative.
2.1 Temporal logic 19
empty
skip
f g
f ; g
f f f
f ∗
Figure 2.7: ITL operators empty, skip, chop, and chopstar
If F [[f ]](σ) = tt then the formula f is satisfied by interval σ. This is written σ |= f . If the
formula f is satisfied by all possible intervals then the formula is valid, written |= f .
2.1.3.1 Derived operators
The following operators are derived:7
false =̂ ¬ true FalseDef (C .2)
f1 ∨ f2 =̂ ¬ (¬ f1 ∧ ¬ f2) OrDef (C .3)
f1 ⊃ f2 =̂ ¬ f1 ∨ f2 ImpDef (C .4)
f1 ≡ f2 =̂ (f1 ⊃ f2) ∧ (f2 ⊃ f1) EqvDef (C .5)
∃ v • f =̂ ¬ ∀ v • ¬ f ExistsDef (C .6)
Figure 2.8 presents a table of operator precedences and associativity.
7The laws are listed in Appendix C and the associated number indicates the law’s position in that list.
20 Chapter 2: Runtime verification
Precedence Operator Example
1 ∗ f ∗ ∗ ≡ (f ∗)∗
2 ¬ ¬ ¬ x ≡ ¬ (¬ x )
2 © ¬ ©x ≡ ¬ (©x )
3 ; f0 ; f1 ; f2 ≡ (f0 ; f1) ; f2
4 ∧ f0 ∧ f1 ; f2 ∧ f3 ≡ (f0 ∧ (f1 ; f2)) ∧ f3
5 ∨ f0 ∨ f1 ∨ f2 ∧ f3 ≡ (f0 ∨ f1) ∨ (f2 ∧ f3)
6 ⊃ f0 ⊃ f1 ⊃ f2 ≡ f0 ⊃ (f1 ⊃ f2)
7 ≡ (f0 ≡ f1 ≡ f2) ≡ (f0 ≡ (f1 ≡ f2))
All derived prefix operators are R − L with precedence 2.
Thus, ¬ 2i ¬ 3f ; g ∧ h ≡ (¬ (2i (¬ (3f ))) ; g) ∧ h
Figure 2.8: ITL Operator Precedence and Associativity Table
©f =̂ skip ; f StrongNextDef (C .7)
more =̂ © true MoreDef (C .8)
empty =̂ ¬ more EmptyDef (C .9)
3f =̂ true ; f DiamondDef
(C .10)
2f =̂ ¬ 3¬ f BoxDef (C .11)
©w f =̂ ¬ ©¬ f WeakNextDef (C .12)
3i f =̂ f ; true DiDef
(C .13)
2i f =̂ ¬ 3i ¬ f BiDef (C .14)
3a f =̂ true ; f ; true DaDef
(C .15)
2a f =̂ ¬ 3a ¬ f BaDef (C .16)
3m f =̂ ¬ 2m ¬ f DmDef (C .71)
2m f =̂ 2(more ⊃ f ) BmDef (C .70)
Compared to LTL, the number of standard, derived operators in ITL is significantly greater.
For example, the operators 2 and 3, defined over finite suffix intervals, have counterparts,
2i and 3i , defined over finite initial (prefix) intervals. 2i f specifies that f holds over all prefix
intervals including the empty initial interval (i.e. the first state), and over the interval itself.
The formula 3i f means that f holds for at least one initial interval.
These operators can be combined. For example, 22i f , which is equivalent to 2i 2f , means
that f holds over all subintervals. This case has its own derived operator, 2a f . In a similar
way, 3a f represents at least one subinterval and is equivalent to 33i f or 3i 3f .
2.1 Temporal logic 21
Whereas 2 and 3 include the empty suffix (i.e. the last state), there is a variation on each
of these which covers all suffixes except the last state. These are 2m and 3m – the ‘m’ is
intended to read “mostly”.8 The similarities and differences between various ‘box’ operators
are illustrated in Figure 2.9.
f
f
f
f
i f f
a f fm
f
f
f
f
f
f
f
f
f
f
f
f
f
f
f f
(The empty disk, ◦, indicates that f does not necessarily hold at this empty interval)
Figure 2.9: ITL operators 2i , 2, 2a , 2m
Because intervals are finite, it is possible to specify an empty interval (i.e., in ITL an interval
with a single state) and a non-empty interval (at least two states). This is achieved using the
formulae empty and more respectively. For example, the formula 2(more ⊃ f ) specifies that
all non-empty suffixes satisfy f : i.e. f is not required to hold in the final state.
In Section 2.1.2 it was observed that a finite path semantics in LTL required a weak version
of the next operator. Likewise, ITL has both strong next ©9 and weak next ©w operators.
Weak next is the dual of strong next, i.e. ©w f ≡ ¬ ©¬ f . The laws of ITL can be used to
show that ¬ ©¬ f is equivalent to empty ∨ (skip ; f ), which captures the semantics of weak
next more directly.
Further temporal operators can be derived which simulate imperative programming language
constructs such as if. . . then. . . else and while. . . do etc. These are useful within the context of
Tempura – an executable subset of ITL – which is discussed in Section 2.3.2.
if f0 then f1 else f2 =̂ (f0 ∧ f1) ∨ (¬ f0 ∧ f2) IfThenElseDef (C .17)
if f0 then f1 =̂ if f0 then f1 else empty IfThenDef
(C .18)
fin f =̂ 2(empty ⊃ f ) FinDef (C .19)
halt f =̂ 2(empty ≡ f ) HaltDef (C .20)
keep f =̂ 2a (skip ⊃ f ) KeepDef (C .21)
f 0 =̂ empty IterZeroDef (C .23)
f n+1 =̂ f ; f n , [n ≥ 0] IterDef (C .24)
8
2m and 3m are discussed in [Mos96a].
9Note that the © operator is overloaded in ITL and is defined for expressions and formulae.
22 Chapter 2: Runtime verification
for n do f =̂ f n ForDef (C .25)
while f0 do f1 =̂ (f0 ∧ f1)∗ ∧ fin(¬ f0) WhileDef (C .26)
repeat f0 until f1 =̂ f0 ; while(¬ f1) do f0 RepeatDef (C .27)
The formula fin f 10 holds when f is true in the final state of the interval. f may hold for any
suffix interval but it must hold in the final suffix interval. This formula contrasts with halt f
which requires that f holds in the final state and that no other suffix interval satisfies f . Thus
halt f uniquely determines an interval. For example, the formula halt(X = Y ) holds over an
interval in which X = Y only in the final state. A discussion relating halt to the work of this
thesis is presented in Section 3.8.6.
keep f requires that f holds over every two-state interval. Thus, for example, to specify that
X must increase by one in each subsequent state: keep(©X = X + 1).
Finally, there are standard, derived operators related to expressions:
A := e =̂ (©A) = e AssignDef (C .28)
A ≈ e =̂ 2(A = e) TemporalEqualityDef (C .29)
A← e =̂ fin A = e TemporalAssignDef (C .30)
A gets e =̂ keep(A← e) GetsDef (C .31)
stable A =̂ A gets A StableDef (C .32)
padded A =̂ (stable A ; skip) ∨ empty PaddedDef (C .33)
A<∼ e =̂ (A← e) ∧ padded A PaddedTemporalAssignDef (C .34)
len(n) =̂ skipn LenDef (C .35)
The assignment operators define values in next, all, and final states respectively; and gets
and stable provide convenient shorthand notations. For example, stable A means that A’s
value does not change throughout the interval. The operator padded specifies stability up
to but not including the final state. This is useful when used with the chop operator to
specify stability up to but not including the shared state: for example, padded A ; stable¬ A.
Padded temporal assignment A <∼ e specifies that A remains unchanged throughout the
interval until, possibly, the final state, at which time it gets the value e. The formula len(n)
specifies that the length of the interval is n. Working with fixed-length intervals is a key
aspect of the work in this thesis and properties of interval length are explored in more detail
in Section 3.5.
10fin is also an overloaded operator in ITL, defined for expressions and formulae.
2.2 Intervals and runtime verification 23
2.1.3.2 State formulae
Conventionally in ITL, the variable w is used to denote a state (non-temporal) formula. Such
formulae do not include skip, ; , or ∗, or any operators derived from them. As such, a formula
w is equivalent to init f where init f =̂ (f ∧ empty) ; true. It is used to express a property
that must hold in a single state and, specifically, the first state of an interval. For example,
the following equivalences capture properties that hold for state formulae:
` 2i w ≡ w StateEqvBi (C .93) [MOS]
` 3i w ≡ w DiState(C .112) [MOS]
2.2 Intervals and runtime verification
Runtime verification of program behaviour requires checking that certain propositions occur
in some temporal order. For example, in LTL a pattern describing such sequencing of events
uses nested until operators [MP95]:
qm U qm−1 . . . q1 U q0
The until operator is not associative and, in the absence of parentheses, is understood to
associate to the right. This formula specifies a chain of intervals starting with a qm interval.
11
q1 U q0 specifies that a finite q1 interval holds at every position until q0 holds. Note that q0
may hold immediately in which case the q1 interval contains no states.
Consider the requirement that q1 must hold at the current position, and p must hold anywhere
between the current position and the next position at which q0 holds. This specifies a temporal
ordering of these three propositions that is not captured by the LTL formula q1U pU q0 which
neither guarantees p nor q1. For example, if q0 holds at the current state then the formula is
satisfied. The formula needs to be strengthened:
q1 ∧ (¬ q0 U (p ∧ (¬ q0 U q0)))
This specifies the endpoints of a finite interval within which p must hold. Note that the
formula is satisfied if q1, p, and q0 hold in the current position. It is also possible for p to
hold either at the same state as q1 (at the beginning) or at the same state as q0 (at the end).
11A q interval is an interval in which q holds at every position.
24 Chapter 2: Runtime verification
The requirement can be expressed more straightforwardly in ITL:12
q1 ∧ halt(q0) ∧ 3p
The difference is that the semantics of LTL is defined with reference to a single point whereas
ITL semantics interprets formulae with reference to two points – the start and end of an
interval. In the ITL formula, q1 must hold in the first state; halt(q0) requires that the final
state (and no other) satisfies q0; and 3p requires p to hold at some point within the interval
(defined by halt(q0)) including at the beginning or at the end. The formula is also satisfied
by an empty (one state) interval in which all three propositions hold.
The approach to runtime monitoring advocated in this thesis requires partitioning the
execution trace into a sequence of finite intervals and specifiying temporal formulae that
the individual subintervals must satisfy. The interval semantics of ITL directly supports this
approach to specification.
[Wol81] provides an example of a property that is not expressible in LTL, namely that “a
property p has to be true in every even state of a sequence”. For example, the formula
p ∧ 2(p ⇒ ¬ p) ∧ 2(¬ p ⇒ p) does not express this property because it requires p not to
hold in every odd state which is not what the specification says. [Wol81] proves more generally
that for i = km where i ≥ 0, and k ≥ 2, it is not possible in LTL to express the property “p
is true in every state i”. In ITL, which has the Kleene star operator, these examples can be
written: (p ∧ len(i))∗.
2.3 Direct execution of specifications
Runtime verification entails the dynamic analysis of an executing program against a formal
specification. Direct execution of the specification represents a special case in which the
program and the specification are the same. In this section two examples are described:
MetateM and Tempura.
Both of these tools operate according to rules which define how to transition from one state
in the execution trace to the next. In the case of MetateM there may be a choice of rules to
apply at each step, admitting the possibility of future backtracking. In the case of Tempura,
each step transition is uniquely determined. The following subsections provide a brief overview
of each system.
12The propositions should be written with capital letters in ITL, but have been left in lower case here to aid
comparison.
2.3 Direct execution of specifications 25
2.3.1 MetateM
MetateM [Fis06] transforms an LTL formula into separated normal form (SNF). This
representation of a formula comprises a set of transition rules in which the current (and
future) states are defined as a progression from the previous state.
Separated Normal Form
An LTL formula is translated into the following form: 2
n∧
i
Ri where each Ri is
one of the following rules (lj , lk , and l represent literals):
start ⇒
r∨
k=1
lk (an initial rule)
m∧
j=1
lj ⇒ ©
r∨
k=1
lk (a step rule)
m∧
j=1
lj ⇒ 3l (a sometime rule)
[Fis11] (Chapter 4) shows how an arbitrary LTL formula can be translated into SNF. Each
rule maps a formula relating to the ‘current’ state to a formula about the current and future
states. Thus, each rule defines how the execution may progress from one state to the next.
The rules whose antecedants are true are ‘triggered’ and values are produced to make the
consequents true. (Rules whose antecedants are false are vacuously satisfied). Where the
antecedants provide a selection of alternatives (
r∨
k=1
) then one of these may be selected at
random. The sometime rule also involves a potential choice: to satisfy 3l immediately or to
postpone. Meta rules in MetateM govern how these choices are made in order to optimse
for efficiency. If a selected alternative leads to a future inconsistency, then backtracking is
used to return to the last decision and select an alternative. If the backtracking returns to
the initial state then the formula is deemed to be inconsistent because no model can be found
to satisfy it.
Executing an LTL formula provides an alternative way to understand a specification. Its
behaviour can be analysed using step by step animation and this can help to establish that
the specification itself is fit for purpose. MetateM was inspired by Tempura, a tool that
performs a similar analysis for ITL, and which is discussed below.
2.3.2 Tempura
Tempura [Mos86] is a tool for executing temporal logic specifications written using a subset
of ITL. It can be used both for specifying required behaviour and also for validating the
specification by animation. Tempura is also the basis of the AnaTempura runtime verification
system which is described in Section 2.4.5.
26 Chapter 2: Runtime verification
Tempura statements correspond to certain ITL formulae that enable deterministic progression
from one state to the next. Consequently, Tempura does not contain statements that require
backtracking. This decision was taken deliberately to facilitate the “efficiency and simplicity
of the interpreter” [Mos86]. Thus, the following compound statements are available: f1 ∧ f2
and f1 ⊃ f2, but neither ¬ f nor f1 ∨ f2 are allowed. Furthermore, all variables need to
be completely specified by the user in each state and termination conditions must also be
provided.
Similar to MetateM, each Tempura statement is separated into a conjunction of the form
(current state) ∧ ©w (future states). The weak next operator is necessary because the
interpreter may be in the final state, in which case the conjunction simply reduces to current
state. [Mos86] (Chapter 8) discusses a possible implementation of Tempura and shows how
each Tempura statement can be translated into the ‘current and future states’ formulation.
The following sequence of examples highlights the restrictions imposed by the deterministic
requirements in Tempura. It also serves to illustrate the operation of the interpreter.
Consider the tempura statement: ©I = I + 1 (I ’s value increases by one in the next state).
This statement can not be executed because I ’s value is not determined in the initial state,
and a termination condition has not been provided. Figure 2.10 shows the translation of
©I = I + 1 into Tempura13 and the corresponding failure when an attempt is made to run
the program.
/* run */ define non_exec1() =
{
exists I:
{
next I = I + 1
}
}.
The Tempura program representing the ITL formula ©I = I + 1 generates the following
output when run:
***Tempura error: state #0 (pass #2) is not completely defined.
Evaluating: (next(I) = (I + ...))
Undefined variables:
Exists level 3: { I }
Exists level 2: { }
Global level 1: { }
Fail
Figure 2.10: A non-executable Tempura program
13The existential quantification is used to declare the variable I .
2.3 Direct execution of specifications 27
To address the problem of incompletely defined variables, one could provide an initial value
for I and write: (I = 0) ∧ (©I = I +1). Thus Tempura would be able to determine the value
of I in the next state. The updated program is shown in Figure 2.11. However, this is still
insufficient information for Tempura to be able to execute the specification. The issue is that
the specification would be true of any interval in which the first two states contained I = 0
and I = 1 respectively. Tempura needs to be able to determine the length of the interval
over which to generate the required states. In the example, specifying an interval length of
one (i.e. two states) is sufficient to enable the execution of the specification. This is shown
in Figure 2.12.
/* run */ define non_exec1() =
{
exists I:
{
I = 0 and next I = I + 1
}
}.
The Tempura program representing the ITL formula I = 0 ∧ ©I = I + 1 generates the
following output when run:
run non_exec2().
***Tempura error: the interval length is undefined.
Evaluating: run non_exec2(?)
Fail
Figure 2.11: A second, non-executable Tempura program
28 Chapter 2: Runtime verification
/* run */ define can_exec1() =
{
exists I:
{
len 1 and I=0 and next I = I + 1
}
}.
The Tempura program representing the ITL formula len 1 ∧ I = 0 ∧ ©I = I + 1 generates
the following output when run:
run can_exec1().
Done! Computation length: 1. Total Passes: 2.
Total reductions: 18 (18 successful). Maximum reduction depth: 7.
Time elapsed: 0.000020
Figure 2.12: An executable Tempura program
A final enhancement can be achieved by interacting with the user so that the initial value of I
can be input. It is possible to print out the values of I in all states so that the animation can
be inspected visually. In Figure 2.13 the addition of input and output statements to achieve
this purpose is demonstrated.
2.3 Direct execution of specifications 29
/* run */ define can_exec2() =
{
exists I:
{
len 1 and
input(I) and
next I = I + 1 and
always output(I)
}
}.
The Tempura program representing the ITL formula len 1 ∧ ©I = I +1 generates the following
output when run with an initial value of 2 input for I .
run can_exec2().
State 0: % I=?
2.
State 0: I=2
State 1: I=3
Done! Computation length: 1. Total Passes: 2.
Total reductions: 27 (27 successful). Maximum reduction depth: 7.
Time elapsed: 3.439013
Figure 2.13: An executable Tempura program with I/O
The final example in this short discussion will demonstrate how contradictory behaviour can
be identified and reported by Tempura. The running example will be adapted by introducing
a constraint on the final value of I : len 1 ∧ ©I = I + 1 ∧ fin(I = 2). This restricts the initial
value of I to be 1. Tempura cannot run the specification “backwards” in time to deduce this.
However, if the value in the first state is not equal to 1 then a contradiction in the second
state will be apparent. Figure 2.14 illustrates this behaviour.
30 Chapter 2: Runtime verification
/* run */ define can_exec3() =
{
exists I:
{
len 1 and
input(I) and
next I = I + 1 and
always output(I) and
fin (I = 2)
}
}.
The Tempura program representing the ITL formula len 1 ∧ ©I = I + 1 ∧ fin I = 2 generates
the following output when run with a value of 2 input for I .
run can_exec3().
State 0: % I=?
2.
State 0: I=2
State 1: I=3
***Tempura error: attempt to overwrite variable.
Evaluating: (I = 2)
The variable has currently the value 3.
Fail
However, when run with a value of 1 input for I no contradiction occurs.
run can_exec3().
State 0: % I=?
1.
State 0: I=1
State 1: I=2
Done! Computation length: 1. Total Passes: 2.
Total reductions: 31 (31 successful). Maximum reduction depth: 7.
Time elapsed: 3.429490
Figure 2.14: An executable Tempura program with I/O and a final constraint
2.4 Architectures 31
2.4 Architectures
Correctness properties are specified using a verification logic: for example, an LTL formula
ϕ. To enable a program to be checked against ϕ the formula must be transformed into an
executable monitor that can be run alongside the program.
Definition 2.4 Monitor A monitor is a process that analyses an execution trace and tries
to determine whether or not it satisfies a specification.
A runtime monitor continuously analyses an evolving execution trace of a running program.
The process of adapting a program so that it emits significant event and/or state data to a
monitor as these events occur is called instrumentation.
Definition 2.5 Instrumentation The adaptation of a computer program to insert code that
captures and transmits to a runtime monitor any event relevent to the runtime verification.
[RH16] observe that the two most common instrumentation techniques are capturing method
calls and using variable updates. The first approach is used in a range of Java-based runtime
verification systems in which events can be triggered upon entering or leaving specified
methods. A popular technique uses AspectJ [Asp17], an extension to Java that enables
‘aspects’ of a system – such as those required for instrumentation – to be separated from the
main program logic. The nature of such aspects is that they are interwoven with the main
program and the insertion of specialised code to deal with these is performed automatically.
AspectJ is a language in which certain events within a program execution such as method
calls, so-called ‘pointcuts’, can be specified together with code to be run at each of these
pointcuts. This method is used by JavaMOP [JMLR12]
The second approach requires assertion points to be placed directly into the program at
the points when a change is made to any of the monitored state variables. This is the
method used by AnaTempura [CZCM96, ZZC05] (see Section 2.4.5) in which the assertions
comprise formatted print statement which transmits event data to the standard output
channel which, in turn, is read by the monitor. The use of bespoke assertion points is also
required by TraceContract [Hav19, BH11] and ITL-Monitor, the subject of this thesis.
Both TraceContract and ITL-Monitor are constructed as DSLs within Scala (cf. 2.4.1)
and, as such, become part of the host program under test via an API. An example program
and specification are presented in Section 6.2 which form the subject of a comparative analysis
of each of these runtime verification tools.
Figure 2.15 provides a high-level view of the relationship between a program and a monitor.
The figure shows three relationships:
32 Chapter 2: Runtime verification
Program Specification '
MonitorInstrumented
program
Each generated state: σk
Verdict: hσ0 : : : σki j= ' ?
instrumentation derivation
hσ0 : : : σki
The program to be verified is instrumented so that it can generate states when
significant events occur. A monitor is derived from the specification ϕ. Each new
state σk is passed to the monitor which maintains the trace history 〈σ0 . . . σk 〉, and,
upon receipt of each new state, checks 〈σ0 . . . σk 〉 |= ϕ, and returns a verdict.
Figure 2.15: Runtime verification
1. Between the program and the instrumented program. The program is adapted to
include code that emits significant events (states) to the monitor when they occur.
(see Definition 2.5)
2. Between the instrumented program and the monitor. Significant events that create a
new state for analysis are sent to the monitor which, in turn, delivers a verdict.
3. Between the specification and the monitor. This can be achieved using automatic
translation (compilation) from a specification language into a programming language.
Alternatively, the specification and the monitor may coincide either by using a
specification language that is directly executable, or by using an API in the executable
language that encodes the specification.
The following arrangements of programs and monitors describe standard architectural
patterns [Leu12].14
Outline monitoring: the monitor is separate from the program under test. This architecture
is based upon a loose coupling between the components and relies upon data being
communicated using a channel. AnaTempura (2.4.5) is an example of such an outline
monitor system. It is possible using such an arrangement that an outline monitor can
use a separate processor and not affect the running performance of the program itself.
14These are not mutually exclusive: ITL-Monitor is both inline and online.
2.4 Architectures 33
Inline monitoring: the monitor is part of the program itself and shares its computational
resources. This facilitates efficient cooperation between the program and the monitor.
Although this can increase the potential coupling between the components, mitigation
can be achieved by design. For example, ITL-Monitor is implemented using an actor
model in which messages are passed between autonomous processes which maintain
their own encapsulated state.
Oﬄine monitoring: the analysis takes place after the program has run. This requires that
a log of the program run is constructed while the program executes, and is stored
for subsequent analysis. This can be achieved by any runtime verification system
since it is possible to ‘execute’ a log file by traversal. There are verification systems
that are designed to be run oﬄine. One specific example is LogScope [BHRG09]
which used oﬄine monitoring because the specific application for which it was designed
(NASA’s Mars Science Laboratory, a planetary rover) was unable to provide runtime
data in a reliable order. Another (unpublished) example is ITL-Tracer [Jan10], a Java
monitor for analysing completed program traces with respect to an ITL specification.
Oﬄine monitoring provides a post hoc analysis of a program’s behaviour and can utilise
algorithms that take considerably more time than would be acceptable for an interactive
diagnosis.
Online monitoring: the analysis takes place while the program is running. [LS09] points
out that making the monitor part of the system itself allows the monitor to analyse
faults and modify subsequent behaviour. In particular, online monitoring facilitates
runtime reflection in which fault detection, identification and recovery can take place.
ITL-Monitor has been implemented as a monitoring process that runs concurrently with
the program, and which can raise user-defined exceptions when the verification fails.
This mechanism can be used by the main program to react at runtime, for example by
defining recovery behaviour within catch clauses.
2.4.1 Domain specific languages
Current research in runtime verification is increasingly considering the use of Domain
Specific Languages (DSLs, see Pattern 21 in [BL13]) for monitor construction. Indeed,
DSLs, particularly in Scala [OSV16, Sca17], have been the subject of active research in
recent years including, e.g. [Hav11, Hav13, Hav14, YAH+16]. Bjo¨rner and Havelund argue
in [BH14] that specification, verification and programming may be converging with such
contemporary programming language developments. A classification of DSLs with Scala is
given in [AHKY15].
DSLs can be categorised into external and internal, and the latter can be implemented using
34 Chapter 2: Runtime verification
either a deep embedding or a shallow embedding. External DSLs are separate languages
whose syntax is not constrained by any host programming language. A specification written
using an external DSL can either be compiled using a bespoke compiler into code that can be
executed by the host language, or it may be parsed into an internal data structure and then
interpreted within a progam. For example, in the host language Scala, the Scala combinator
parser library could be used.15 JavaMOP [JMLR12] and RuleR [BHRG09] are examples
of runtime verification systems developed as external DSLs. Both of these languages have
compilers that translate specifications into AspectJ aspects (see Section 2.4.2) which are used
to instrument Java programs for monitoring.
Internal DSLs extend the host language itself and thus benefit from total integration with its
constructs. A deeply embedded DSL comprises a language, represented as an abstract syntax
tree, which is interpreted from within the program. Within this thesis, the ITL library
for use with ITL-Monitor, namely ITL.scala, is a deeply embedded DSL. ITL expressions
and formulae are instances of abstract syntax trees which can be transformed to perform
certain optimisations, and interpreted for evaluation. A shallow embedded DSL uses the host
language’s features predominantly for its representation. This is facilitated by programming
languages whose features support this approach. Such features include partial functions,
generic types, pattern matching, and higher order functions.
TraceContract [BH11] is another internal DSL written in Scala for runtime verification.
It supports specification using state machines and temporal logic. TraceContract is in
current use and is actively maintained [Hav19]. In Chapter 6 TraceContract is selected
as one of the contemporary runtime verification tools used for comparison with ITL-Monitor.
2.4.2 Aspect oriented approaches
Aspect-oriented programming (AOP) is designed specifically to enable the separation of
concerns facilitated by using a compiler to interweave ‘cross-cutting’ monitoring code into
an application. This approach facilitates monitoring by triggering verification activities at
certain programmer-defined pointcuts specified using AspectJ (cf. page 31), for example, and
a runtime monitoring system has to integrate with the AspectJ API. The syntax does provide
significant flexibility for capturing classes of events. For example, a join point may be attached
to the execution of an instance method associated with any object of a specific type. Events
may be triggered, for example, before, after, or around such method invocations. Such
instrumentation separates the concerns of the monitor code and the system under scrutiny.
Monitoring-oriented programming (MOP) [CR07, CR03] is a framework supporting the
development and analysis of software systems that permits a variety of formal languages to be
15This is maintained as a community project at [Sca].
2.4 Architectures 35
used in the specification of monitors for runtime verification. Eschewing the idea that a single
formalism is appropriate, MOP supports a variety of user-defined plug-ins to enable particular
properties to be expressed using a formalism that is best suited for the task. These plug-ins
are monitor synthesizers that translate formulae into runtime monitors. An implementation
of MOP for the Java language, JavaMOP [JMLR12, Jav17], has been developed in which
monitoring code is woven into the program using AspectJ. The architecture permits user-
defined Java code to be included (‘user-defined actions’) for execution when monitors report
either success or failure. Thus, code can be inserted to perform dynamic recovery when
specific errors are caught.
JavaMOP is a parametric monitoring framework. This means that formulae may contain
parameters that become bound to actual object instances in the program. When a property
must be monitored for a class of objects in a program, then every instance of the class has
an associated bespoke monitor instance. To facilitate such monitoring, the input trace must
be sliced such that each slice contains events only specific to a particular monitor instance.
Efficient indexing of monitor instances has been shown to be computationally very efficient
[Jin12].
RV-Monitor [DGH+16] is an evolution of the JavaMOP framework and is used for enforcing
safety and security policies at runtime. A version of RV-Monitor for Android is described in
[DFM+15]. RV-Monitor supports both manual and automated instrumentation, the latter
via a tool such as AspectJ.
Related current research has focused on AOP and AspectJ in particular and in [JZR+16]
the authors discuss the limitations of AspectJ’s join point mechanism and propose a domain-
specific aspect language, DiSL, which they demonstrate leads to extended code coverage. The
authors provide a compiler for translating existing AspectJ aspects into DiSL.
2.4.3 Rule-based approaches
Rule-based runtime verification approaches comprise systems in which a specification is
written as a set of rules, each of which is separated into its antecedants - sets of facts about
the current state – and a set of consequents – future time formulae that must hold in (current
and) future states. MetateM utilised this method splitting LTL formulae into present and
future formulae using separated normal form (2.3.1).
MetateM influenced a range of rule-based, runtime verification logics developed significantly
by Barringer, Havelund, Rydeheard et al. In [BGHS04a, BGHS04b] the authors introduced
Eagle, a temporal fixed-point logic defined over finite traces. The full syntax and semantics
of Eagle is presented in [BGHS04a]. Eagle was designed as a general purpose, rule-based
temporal logic for runtime verfiication which included support for interval logic, LTL with
36 Chapter 2: Runtime verification
future and past time, and regular expressions. In Eagle temporal operators are expressed
in terms of minimal and maximal fixpoints:
max Always(Form F ) = F ∧ ©Always(F )
min Eventually(Form F ) = F ∨ ©Eventually(F )
min Until(Form F1,Form F2) = F2 ∨ (F1 ∧ ©Until(F1,F2))
where max and min denote maximum and minimum fixpoints respectively; Form is the type of
formulae; and © is the strong-next operator from LTL.16 In Eagle the semantics of formulae
are defined over finite intervals, σ, whose states are indexed from 1 to |σ|. The indexes 0 and
|σ| + 1 define the boundary of the interval. Rules defined using max evaluate to True at the
interval boundaries, thus the following rule [BB08] holds only when the formula is observed
at one of the boundaries:
max Limit() = False
Safety properties (e.g. 2p) use a maximal fixpoint interpretation and, as such, are considered
to be satisfied throughout the trace once the end is reached. If this were not the case then a
contradiction would have been discovered earlier. Alternatively liveness properties (e.g. 3p)
use a minimal fixpoint interpretation. This means that if the end of the trace is reached
then the property is not satisfied, otherwise it would have been discharged earlier. This
interpretation of liveness is based upon finite path semantics (cf. page 15).
Eagle includes a non-deterministic, sequential composition operator. The formula F1 ; F2
is satisfied by a (finite) interval σ provided that the interval can be split into a prefix σp and
suffix σs such that σp(| σp |) = σs(1), i.e. the final state of σp coincides with the first state
of σs , and F1 holds on σ
p (observed from some position i), and F2 holds on σ
s . Importantly,
future operators within F1 are limited to the scope of σ
p and, conversely, past-time operators
within F2 are limited to the scope of σ
s . The full semantics of Eagle logic is presented in
[DH05]. The following excerpt defines the behaviour of sequential composition:17
σ, i |= F1 ; F2 iff exists j s.t. i < j ≤ |σ|+ 1 and σ1..j−1, i |= F1 and σj−1..|σ|, 1 |= F2
Eagle also supports a related concatenation construct: F1 · F2. In this case the prefix and
suffix intervals do not overlap: thus σ = σpσs (where juxtaposition here represents sequence
concatenation).
16A brief discussion of fixpoint logics is found in Section 8.4 of [Eme90] and Section 2.8.4 of [Fis11].
17In Eagle semantics, the first state is indicated by 1, not zero.
2.4 Architectures 37
σ, i |= F1 · F2 iff exists j s.t. i ≤ j ≤ |σ|+ 1 and σ1..j−1, i |= F1 and σj ..|σ|, 1 |= F2
In [BB08] the authors show that sequential composition can be represented using
concatenation, and vice versa, and therefore that each is equally expressive. However, it
is observed that the non-determinism in these operators can be computationally expensive
searching for a suitable set of cut points that satisfy a formula. Deterministic variants of
the concatenation and sequential composition operators are introduced. The authors show
that these deterministic variants do not add any new expressive power to Eagle but, by
identifying them as bespoke operators, it is possible to provide more efficient implementations
of runtime monitors that use them based upon their deterministic semantics. Specifically,
eight variations are defined: these are the left-minimal, left-maximal, right-minimal, and right-
maximal operators for both sequential composition and concatenation. bF1c ◦ F2, dF1e ◦ F2,
F1 ◦ bF2c, and F1 ◦ dF2e, where ◦ can be either · or ; . The semantics for bF1c ; F2 is given
below:
σ, i |= bF1c ; F2 iff exists j s.t. i < j ≤ |σ|+ 1 and σ1 . . σj−1, i |= F1
and σj−1 . . σ|σ|, 1 |= F2
and not exists k s.t. i ≤ k < j − 1 and σ1 . . σk , i |= F1
Eagle itself is not specific to any particular programming language. This means that it
has no means of being instrumented (see Definition 2.5). Jeagle [DH05] is a runtime
verification tool that extends Eagle and is written for the Java programming language.
Jeagle incorporates a compiler that parses specifications written in a specification file and
emits automatic instrumentation code that can be processed by AspectJ (cf. 2.4.2).
In [BRH07] the authors, while acknowledging the richness of Eagle and its appropriateness
for specifiying complex temporal behaviours, also discuss how the non-deterministic
concatenation operator leads to a high computational cost. The authors note that there
are some subsets of Eagle that could be executed efficiently for runtime monitoring – in
particular, the LTL subset of the language. The paper signals a change of research direction
towards a lower level, rule-based logic for runtime verification.
In [BHRG09] RuleR, an online trace analysis tool, is described. In RuleR a set of rules
is defined, each of which has an antecedant and a consequent. Both of these must be state
expressions (i.e. no temporal formulae). The rules of the core system do not remain active
between events – they are so called one-shot rules. As each event is passed to the system,
the antecedants of the active rules are tested thereby conducting a breadth-first search of the
possible traces that satisfy the rules. The only rules that become active in the subsequent
state are the consequents of those whose antecedants were triggered in the current state. The
process continues until either no rule applies, or the trace is terminated. On top of these
38 Chapter 2: Runtime verification
single-state persistence (step) rules, RuleR has also built two others: state persistence
and always persistence. The former defines rules that remain active until they are activated
successfully, and the latter rules that remain activated throughout the verification. [BHRG09]
observes that the state rules were used more often by users writing RuleR specifications,
thus indicating a preference for the state machine approach. It is interesting to note that these
three categories of rules are also reflected in the behaviours of the state functions provided in
the subsequent TraceContract runtime verification tool (Section 2.4.4).
Research into RuleR, whose rule-based system is based on MetateM, led to consideration
of an alternative, yet established, algorithm used extensively in AI rule-based systems:
the Rete algorithm [For82]. [Hav15] discusses the adapation of the Rete algorithm for
rule-based, runtime verification and its realisation as LogFire. The paper summarises
the performances of RuleR and LogFire against each other and five other tools over
seven experiments designed to stress the systems in terms of memory requirements and
monitor indexing. The survey concludes that for low memory experiments RuleR performed
better than LogFire, but that the situation was reversed for high memory experiments.
Interestingly, (unoptimised) TraceContract performed comparably to RuleR. However,
the MOP system outperformed all of the competition by an order of magnitude – the authors
suggest this is due to MOP’s indexing system being significantly faster than algorithms such
as Rete for runtime verification.
2.4.4 TraceContract
TraceContract [BH11, Hav19] is a runtime verification tool implemented as a shallow
embedded DSL (cf. 2.4.1) in Scala. It provides an API that supports specification using state
machines and linear temporal logic. It also provides a persistent ‘database’ in which facts
can be stored for future reference. Such a database provides support for temporal formulae
involving previous events. However, the persistent nature of the facts makes it necessary
for addition and deletion to be performed explicitly as the runtime verification proceeds.
Alternatively, given that the monitors are written as standard Scala code, it is possible to
encode previous events using the language itself rather than using the built-in database.
Fundamental to TraceContract is the class Monitor[Event] – which can be instantiated
to create a monitor capable of processing a list of events List[Event]. Event is a generic type
parameter which is substituted by the actual type of events to be monitored. Each monitor
maintains a private (possibly empty) list of sub-monitors forming a hierarchical composition in
which the sub-monitors at each level are effectively conjoined. As each new event is processed
by a monitor it is, in turn, recursively passed on to each of its sub-monitors. This approach
is utilised in the example given in Section 6.2.5.3.
A number of Formulae can be defined within each monitor that specify the required behaviour.
2.4 Architectures 39
Formulae are separated into two types: one representing state logic, and another representing
future time temporal logic. The two types can be used together within the same monitor if
required. At the heart of the state logic formulae is the Block type:
type Block = PartialFunction[Event, Formula]
which is used in the definition of the state functions, e.g.
def state(block: Block): Formula
The use of PartialFunction allows Scala’s pattern matching notation to be used to capture
specific Event instances as shown in the following example, again taken from 6.2.5.3:
def S0: Formula = state {
case Event(true ,false ,false) => S4
case Event(false ,false ,false) => S0
case _ => error
}
When this state formula (S0) is active then a matched event evolves the monitor into a
subsequent state formula: for either of the valid events shown this is either S4 or S0. The
default case ‘ ’ catches any invalid event and evolves the monitor to an error state formula.
This illustrates how state transitions can be defined based upon events. Once the formula
has evolved to its new state formula then it is this that is matched against the next incoming
event. A range of state functions is defined representing different types of state evolution. In
each case, the parameter is a Block and the semantics of each function determines how the
evolved formula is determined based upon whether or not the incoming event matches one of
the cases. These are:
state(block: Block): Formula This formula remains in the monitor’s list of active
formula until a matching event occurs. Then the formula evolves according to block.
step(block: Block): Formula If the incoming event is matching then the formula
evolves according to block. Otherwise the formula evolves to the special formula True
representing success.
hot(block: Block): Formula This is the same as state with the exception that it is
an error to be in a ‘hot’ state at the end of the trace. This is used to represent liveness
properties with respect to finite path semantics (cf. page 15).
strong(block: Block): Formula A matching event must occur in the next state. Then
the formula evolves according to block. If the match does not occur in the next state,
or if there is no next state, then the formula evolves to False indicating failure.
weak(block: Block): Formula This is the same as strong except that no error occurs
if there is no next step.
40 Chapter 2: Runtime verification
always(block: Block): Formula This is different from the other state functions in that
it is always active. Whenever a matching event occurs then always(block) remains in
the list of active formulae, and the formula that is produced by the match is also added
to the list.
TraceContract also provides functions representing future time LTL formulae. These are
matches(p: PartialFunction[Event, Boolean]): Formula This equals True if and
only if the current event satisfies p; otherwise False.
not(f: Formula): Formula This negates f.
globally(f: Formula): Formula This formula must hold for the current event, and all
future events. At the end of the trace globally(f) equals True.
eventually(f: Formula): Formula This formula must hold either for the current event,
of for some future event. At the end of the trace eventually(f) equals False.
never(f: Formula): Formula This formula must be false for the current event and for
all future events. At the end of the trace never(f) equals True.
strongnext(f: Formula): Formula This formula must be true for the next event and
there must be a next event. In this case strongnext(f) equals True; otherwise False.
At the end of the trace strongnext(f) equals False.
weaknext(f: Formula): Formula This formula must be true for the next event if there
is a next event. In this case, or if there is no next event, then weaknext(f) equals True;
otherwise False. At the end of the trace weaknext(f) equals True.
All formulae, i.e. state formulae and future time LTL formulae, can be combined with the
infix methods and, or, implies, until, and unless. An example of the use of LTL formulae
is shown in Listing 6.2 (page 130).
TraceContract is designed to analyse an event trace. Monitoring can either take place
oﬄine, by processing the complete trace of a previously-run program, or it can be performed
online by passing the events to the monitor as they are encountered. Instrumentation is not
automated and the method, verify(event: Event), must be called explicitly from within
the program under test.
TraceContract is similar to ITL-Monitor in a number of ways: both are implemented
as internal DSLs in Scala; both require manual instrumentation; and both are designed
as experimental runtime verification tools for their respective formalisms. Both systems
make obvious efficiency gains by analysing their internal abstract syntax trees to simplify
2.4 Architectures 41
evaluations, although neither has been subject to extensive optimisation. Both systems
support monitor composition. This makes TraceContract an excellent choice for direct
comparison (see Chapter 6).
However, there are also some fundamental differences. TraceContract does not have the
facility to report judgements back to the program under test. Rather, they are output onto a
transcript in a similar way to AnaTempura (see below Section 2.4.5). ITL-Monitor can report
judgements, or throw exceptions, in response to each new event, thus providing the option
to react at runtime. TraceContract is based upon a hybrid formalism that incorporates
state machines and LTL, whereas ITL-Monitor is based upon ITL. Notwithstanding timed
formulae, TraceContract monitors do not exploit multithreading, whereas every monitor
in ITL-Monitor is an Akka actor. The Akka scheduler can allocate actors to run in parallel on
separate system cores.
2.4.5 AnaTempura
AnaTempura [CZCM96, ZZC05] is an established runtime verification system that uses
Tempura as its basis. The system consists of a Tempura specification, a Tempura interpreter,
and a program to be verified. AnaTempura executes the specification and the program in
parallel checking that the program satisfies the specification at each state.
The program under scrutiny is instrumented by assertion points embedded within the code.
These transmit states to AnaTempura whenever a monitored state variable is modified.
AnaTempura computes the expected trace and compares it with the actual trace supplied
by the program under test, reporting continually whether these traces are in agreement.
AnaTempura permits a user to view the result of this monitoring process in real time and to
intervene should a problem arise. Thus AnaTempura supports a “stop and repair” model of
runtime verification but does not implement a “react at runtime” [LS09] pattern and therefore
does not support automatic fault detection and recovery.
The monitoring consists of three main components
1. The program being analysed. The program contains assertion points that have been
introduced strategically into the code to report any changes to the state that refers to
variables used in the specification. These assertion points may be designed into the code
from the outset or added retrospectively requiring a re-build of the software component.
2. The Tempura interpreter. This ‘runs’ a Tempura specification which is provided in a
separate file. Tempura specifications are written using an executable subset of ITL and
thus generate a deterministic sequence of states. This is the expected trace.
3. The runtime monitor. This compares the incoming states from the program with the
42 Chapter 2: Runtime verification
corresponding states from Tempura to ensure that they are in agreement. As soon as a
discrepancy is discovered this is reported via an output console.
AnaTempura contains further features that are useful for developing specifications. In
particular there is an animator that permits the user to visualise the specification as it is
executed.
In AnaTempura the communication between the program under scrutiny and the monitor is
achieved by the insertion of assertion points into the program. The coupling between the
monitor and the program is therefore loose and unidirectional: snapshots of the state are
sent to the monitor using a “fire and forget” strategy. Specifically, this does not permit the
synchronisation of the monitor and the program, and it does not permit information to be sent
back from the monitor to the program. This asynchronous communication does not require the
program to wait at any time for a response from the monitor and thus the monitoring places
only a very small performance penalty on the program through the execution of assertion
points. It is possible that the expected trace cannot be generated as fast as the actual trace is
being generated. Note that if the monitor and the program are running on the same processor
then the runtime performance of both is affected.
2.5 Summary
Runtime verification has been introduced as a complementary method to model checking.
Two temporal logics were discussed: LTL, used widely in model checking, and the basis
for many runtime verification systems; and ITL, a logic that is not widely used for runtime
verification possibly due to the computational complexity introduced by its non-deterministic
sequential composition operator.
The chapter discussed the principal runtime verification architectures that have emerged from
this relatively recent computer science discipline. Particular emphasis was put upon two tools,
TraceContract and AnaTempura. Both of these have been selected as suitable candidates
for comparison with the current work: TraceContract because it is also implemented as
an internal DSL in Scala and supports LTL; AnaTempura becuase it is the only established
tool that uses ITL. However, the latter uses a deterministic subset of ITL called Tempura.
This thesis proposes a technique whereby ITL with fewer restrictions can be used for runtime
verification. The theory to support this is introduced in the next chapter.
Chapter 3
Development of the first occurrence
operator
Throughout this chapter, and the rest of the thesis, reference is made to a substantial
collection of laws of ITL. These are available as [CMS19], a document in which the syntax
and semantics of ITL have been encoded using Isabelle/HOL and in which every law has a
mechanically checked proof. The laws in that paper include all of Moszkowski’s unpublished
work in [Mos14a]; Moszkowski’s investigation into time reversal [Mos14b]; work by Cau on
Interval Temporal Algebra [Cau08]; as well as laws provided by the author in the process of
developing this work.
The work in this thesis required a thorough investigation into fixed-length intervals, strict
initial intervals, and the first occurrence operator. The latter is a key part of the work
and an extensive collection of laws relating first occurrence to other ITL operators has been
added to ITL. All of these laws and their proofs have been checked automatically within the
Isabelle/HOL framework and appear in Chapter 7 of [CMS19].
3.1 Introduction
ITL [Mos82, Mos83, CZCM96] is a mature mathematical framework for system specification.
Its syntax and semantics were introduced in Section 2.1.3 along with a number of derived
operators. Fundamental to ITL are the chop and chopstar operators. Recall the semantics of
chop (Section 2.1.3):
F [[f1 ; f2]](σ) = tt iff (exists k , s.t. F [[f1]](σ0 . . σk ) = tt and F [[f2]](σk . . σ|σ|) = tt)
Note that the two subintervals share a common state at k which is referred to as the fusion
44 Chapter 3: Development of the first occurrence operator
point. The choice of k is non-deterministic when there is more than one way to satisfy f ; g
for a given interval. Figure 3.1 shows how the formula 2P ; 3Q is satisfied by the interval
〈(P ,¬ Q), (P ,¬ Q), (P ,Q), (P ,¬ Q), (P ,¬ Q)〉 in three ways – each representing a different
fusion point.
:Q
P
:Q
P
Q
P
:Q
P
:Q
P
k = 0
k = 1
k = 2
Figure 3.1: Different ways to achieve 2P ; 3Q for a given interval.
If one of the subformulae were strenghtened then the set of fusion points may be reduced. For
example, consider the formula 2(P ∧ ¬ Q) ; 3Q over the same interval. This reduces the
fusion points to k ∈ {0, 1}. The set of fusion points can be reduced to one by strengthening
the first subformula even further: ((2P) ∧ skip) ; 3Q . In this case the first subinterval must
have unit length leaving the only possible fusion point as k = 1.
When using ITL for runtime verification, determining whether σ |= f0 ; f1 for an interval
σ, requires a search for an appropriate fusion point. If neither f0 nor f1 themselves contain
chop or chopstar operators then every state may have to be considered as a potential fusion
point. If a formula is of the form f0 ; . . . ; fk , for k > 0, where each fi does not contain
chop or chopstar operators, then the maximum number of potential fusion points is given by(|σ|+1
k
)
= (|σ|+1)!(|σ|+1−k)! k ! . This combinatorial complexity is prohibitively expensive in the context
of runtime verification.
3.2 Timing analysis
To compare algorithms for verifying an ITL formula f over a finite interval σ the below
function T is introduced. It estimates the worst-case time taken to perform a verification
based upon the number of simple tests that need to be made. The assumption is made that
both state lookup and establishing interval length take constant time. The primary focus is
on the analysis of chop and chopstar and for this reason only a subset of ITL functions has
been considered. In the definition n represents the length of the interval (i.e. the number of
states minus one).
3.2 Timing analysis 45
T (n, true) = 0
T (n, empty) = 1
T (n,more) = 1
T (n, skip) = 1
T (n, len(k)) = 1
T (n,Q) = 1 (Q represents any propositional variable)
T (n, fin(Q)) = 1
T (n,¬ f ) = 1 + T (n, f )
T (n, f1 ∧ f2) = 1 + T (n, f1) + T (n, f2)
T (n, f1 ; f2) =
n∑
k=0
(T (k , f1) + T (k , f2))
T (n, f ∗) =

0, if n = 0(
n∑
k=1
T (k , f )
)
+
(
n−1∑
k=0
T (k , f ∗)
)
, if n > 0
An algorithm for establishing σ |= f1 ; f2 considers each state σ0, σ1, . . . in turn as a potential
fusion point. Note that whenever σ0 . .σk 6|= f1 then the corresponding test σk . .σ|σ| |= f2 is not
required. Furthermore, if σ0 . . σk |= f1 and σk . . σ|σ| |= f2 then no further fusion points need
to be considered. The definition of T (n, f1 ; f2) assumes the worst case in which every prefix
interval satisfies f1 and no suffix interval satisfies f2 thus requiring every state to be examined
as a potential fusion point. Thus f1 is checked over each of the subintervals σ0, σ0..1, . . . , σ0..n
and, for each of these, f2 must be checked over subintervals σ0..n , σ1..n , . . . , σn respectively.
T (n, f1 ; f2) is therefore given by
n∑
k=0
T (k , f1) +
n∑
k=0
T (n − k , f2) =
n∑
k=0
(T (k , f1) + T (k , f2)).
The summation for T (n, f ∗) is defined a little differently. The first summation ranges over the
states 1 . .n. The reason that f ∗ is not checked over the empty interval σ0 is because f ∗ holds
over any single state interval. Consequently, the second summation ranges over 0 . . (n − 1).
Example formula T (n, f1) T (n, f2) T (n, f1 ; f2)
(a) R ; S 1 1 2n + 2
(b) Q ; (R ; S ) 1 2n + 2 n2 + 4n + 3
(c) P ; (Q ; (R ; S )) 1 n2 + 4n + 3 n
3
3 +
5n2
2 +
37n
6 + 4
(d) (P ; Q) ; (R ; S ) 2n + 2 2n + 2 2n2 + 6n + 4
Figure 3.2: Example timings for T (n, f1 ; f2)
Figure 3.2 illustrates some sample formulae and associated worst-case timings. An example
46 Chapter 3: Development of the first occurrence operator
interval for both 3.2(c) and 3.2(d) is given below (• = proposition holds in state):
σ =

P : •
Q : • • . . . •
R : • • . . . •
S :
σ0 σ1 . . . σn

σ 6|= (P ; Q) ; (R ; S)
σ 6|= P ; (Q ; (R ; S))
Figure 3.3 illustrates the expression trees for P ; (Q ; (R ; S )) and (P ; Q) ; (R ; S ) in which
the trees have depths of 3 and 2 respectively. Worst case evaluation is O(2d ) where d is the
depth of the expression tree.
P
Q
R S
P Q R S
Figure 3.3: Expression trees representing P ; (Q ; (R ; S )) and (P ; Q) ; (R ; S )
The formula for T (n, f ∗) on page 45 is derived from the ITL equivalence ` f ∗ ≡ (empty ∨
((f ∧ more) ; f ∗)) (ChopStarEqv (C .46)). Worst-case performance assumes that all non-empty
subintervals satisfy f except all terminal suffixes: a situation that can be described in ITL by
the formula ((2a (more ⊃ f )) ; skip) ∧ 2¬ f .
Equation 3.2.1 T (n, f ∗) =
n∑
j=1
2n−jT (j , f ), n > 0
Proof of Equation 3.2.1 is by induction.
Case n = 1
T (1, f ∗) = T (1, f ) + T (0, f ∗) = T (1, f ) =
1∑
j=1
21−jT (j , f )
Case n + 1
T (n + 1, f ∗) =
(
n+1∑
k=1
T (k , f )
)
+
(
n∑
k=0
T (k , f ∗)
)
= T (n + 1, f ) + T (n, f ∗) +
(
n∑
k=1
T (k , f )
)
+
(
n−1∑
k=0
T (k , f ∗)
)
3.3 Determining fusion points 47
= T (n + 1, f ) + T (n, f ∗) + T (n, f ∗)
= T (n + 1, f ) + 2T (n, f ∗)
= T (n + 1, f ) + 2
(
n∑
j=1
2n−jT (j , f )
)
Equation 3.2.1 by induction
= T (n + 1, f ) +
(
n∑
j=1
2n+1−jT (j , f )
)
=
n+1∑
j=1
2n+1−jT (j , f )
Example 3.2.1 The formula P ∧ fin P holds for any interval in which proposition P holds
in both the initial and final states. T (n,P ∧ fin P) = 3, therefore T (n, (P ∧ fin P)∗) =
3×
n∑
j=1
2n−j = 3× (2n − 1). 
As discussed in [MGL14], such exponential complexity makes it is infeasible to perform
runtime verification of ITL formulae containing multiple chop operators over nontrivial
intervals.
3.3 Determining fusion points
The worst-case performance described in the previous section can be reduced significantly by
constraining the number of potential fusion points that need to be considered when checking
formulae containing chop and chopstar. The rest of this chapter develops a framework in ITL
that supports such an approach.
The timing function for f1 ; f2 can be modified if it is known that there exists a unique fusion
point whereby the interval satisfies the formula. Suppose that σ |= f1 ; f2 holds, and that m,
0 ≤ m ≤ n = |σ|, is the unique fusion point, then
Equation 3.3.1 T (n, f1
m
; f2) =
(
m∑
k=0
T (k , f1)
)
+ T (n −m, f2)
The chop operator has been annotated to indicate the unique length of the prefix interval
(to the ‘left’ of the fusion point). The summation captures the iteration through the prefix
intervals until the unique fusion point m is determined. The algorithm does not assume
prior knowledge of the unique fusion point m although it may be pre-determined with certain
formulae such as, for example, len(5)
5
; f . 1
1Code in the implementation of the ITL library that exploits such fixed-length formulae is shown on page
100.
48 Chapter 3: Development of the first occurrence operator
The associativity of the chop operator means that it is possible to rewrite formulae such as
(f1 ; f2) ; f3 as f1 ; (f2 ; f3). To see why it is better to use a right-parenthesised form, consider
each in turn (see also Figure 3.2):
• Left-parenthesised:
T (n, (f
m
; g)
m+m ′
; h)
=
(
m+m ′∑
k=0
T (k , f
m
; g)
)
+ T (n −m −m ′, h)
=
(
m+m ′∑
k=0
((
m∑
j=0
T (j , f )
)
+ T (m ′, g)
))
+ T (n −m −m ′, h)
The outermost sum repeatedly tries to establish σ0 . . σm+m ′ |= f ; g , (m + m ′ + 1)
times. In the context of runtime verification, the innermost summations (over j ) would
be bounded by k because each test would take place over the most recent prefix interval
σ0 . .σk . Using ↓ and ↑ to represent the min and max functions respectively, the formula
would be:(
m+m ′∑
k=0
((
k↓m∑
k=0
T (k , f )
)
+ T ((k −m ′) ↑ 0, g)
))
+ T (n −m −m ′, h)
Nevertheless, the nested summation indicates an unnecessary complexity when
compared to right-parenthesisation.
• Right-parenthesised:
T (n, f
m
; (g
m ′
; h))
=
(
m∑
k=0
T (k , f )
)
+
(
m ′∑
k=0
T (k , g)
)
+ T (n −m −m ′, h)
In contrast to the formula for T (n, f1 ; f2) given on page 45, in this case a fully right-
parenthesised formula is advantageous. There is no need for an algorithm to backtrack
across any of the fixed fusion points. This means that evaluation can proceed linearly,
which conveniently aligns with the execution requirements of runtime verification.
Figure 3.4 illustrates some right-parenthesised formulae with their associated timings.
3.3 Determining fusion points 49
Example formula T (n, f1) T (n, f2) T (n, f1 ; f2)
(a) R
m ′′
; S 1 1 m ′′ + 2
(b) Q
m ′
; (R
m ′′
; S ) 1 m ′′ + 2 m ′ + m ′′ + 3
(c) P
m
; (Q
m ′
; (R
m ′′
; S ) 1 m ′ + m ′′ + 3 m + m ′ + m ′′ + 4
(d) (Q ; R)
m ′′
; S 2n + 2 1
(
m ′′∑
k=0
2k + 2
)
+ 1
= (m ′′)2 + 3m ′′ + 3
(e) (P ; Q)
m ′
; (R
m ′′
; S ) 2n + 2 m ′′ + 2
(
m ′∑
k=0
2k + 2
)
+ m ′′ + 2
= (m ′)2 + 3m ′ + m ′′ + 4
Figure 3.4: Example timings for T (n, f1
m
; f2)
In a similar way, a timing formula for f ∗ can be constructed upon the assumption that each f
is satisfied over a unique, non-empty subinterval. As before, let n be the length of the interval
σ, i.e. n = |σ|. Let ms be a sequence of non-zero subinterval lengths such that sum(ms) < n.
The chopstar operator (∗) is annotated with the sequence representing the fusion points. For
example, f
〈m,m ′,m ′′〉∗ = f m; (f m
′
; (f
m ′′
; f )).
Note that:
(i) The fusion points are only hypothetical for the purpose of estimating the timing formula;
(ii) The interval lengths are non-zero because empty sub-intervals do not contribute towards
establishing σ |= f ∗.
Equation 3.3.2 T (n, f
ms∗ ) =

0, if n = 0
T (n, f ), if n ≥ 1 and ms = 〈〉
T (n, f
hd(ms)
; f
tl(ms)∗ ), if n ≥ 1 and ms 6= 〈〉
where hd and tl are the sequence head and tail functions
In order to simplify the analysis of T (n, f
ms∗ ), assume that the interval σ can be split into l
50 Chapter 3: Development of the first occurrence operator
subintervals of length m, i.e. lm = n, and that for each 1 ≤ i ≤ l , σ(i−1)m . . σim |= f . This
provides a simplified formula:
Equation 3.3.3 T (l ×m, f ∗) = l ×
(
m∑
k=0
T (k , f )
)
Thus, comparing equations (3.2.1) and (3.3.3) the former grows exponentially whereas the
latter grows linearly.
Reconsider the previous example 3.2.1 (page 47) (P ∧ fin P))∗. Assume that |σ| = n = l ×m
for some l and m. Using equation (3.2.1) the worst-case timing to establish satisfaction of
an interval was calculated to be O(2n). Using equation (3.3.3), the timing is calculated thus:
l × (∑mk=0 3) = 3l(m + 1) = 3n + 3l which is O(n).
3.3.1 Introducing first occurrence
In the previous section when considering a formula such as f1
m
; f2 it was assumed that the
prefix over which f1 was satisfied had length m and that this was uniquely determined. This
thesis introduces a new operator, B, into ITL which specifies the first occurrence of a formula.
Specifically, if σ |= B f then there is no strict prefix interval that satisfies f : i.e. for all k < |σ|,
σ0 . . σk 6|= f . The semantics of B f is given below.
Equation 3.3.4 F [[B f ]](σ) = tt iff F [[f ]](σ) = tt and for all 0 ≤ i < |σ|, F [[¬ f ]](σ0 . . σi) = tt
This operator can be used in conjunction with a chop operator to ensure that a fusion point
is uniquely determined, e.g. f1 ∧ f . The intuition is that if any prefix interval satisfies f1, i.e.
σ |= 3i f1, then at least one prefix of σ satisfies f1, and B f1 specifies the shortest (first) such
prefix (DiImpExistsOneDiLenAndFst (C .251)).
In the context of runtime verification, the primary role of the B operator is to define a unique
partitioning of the incoming interval. The importance of establishing deterministic fusion
points using formulae such as B f1 ; (B f2 ; . . . is that no backtracking across these fusion
points is necessary – because these are the only candidate fusion points.
3.3.2 Non-determinism
The operator B can be used to structure specifications sequentially to facilitate efficient
runtime verification: B f1 ; B f2 ; . . . . However, it is possible to combine each deterministic
formula, B fi , with a non-deterministic formula, gi , in the following way: (B f1 ∧ g1) ; (B f2 ∧
g2) ; . . . . For example, the pattern illustrated in Figure 3.5 demonstrates the formula
(B f1 ∧ g1) ; (B f2 ∧ g2) ; (B f3 ∧ g3) ; (B f4 ∧ g4). If this formula is satisfied by an
3.3 Determining fusion points 51
interval then so is B(f1 ∧ g1) ; B(f2 ∧ g2) ; B(f3 ∧ g3) ; B(f4 ∧ g4) due to the laws
FstWithAndImp(C .223) and LeftChopImpChop(C .101).
.f2.f1 .f3 .f4
g1 g2 g3 g4
Figure 3.5: Splitting an incoming interval into subintervals using B. Each B fi is deterministic
whereas each of the gi may be non-deterministic formulae.
This pattern allows each (B fi ∧ gi) to combine a ‘control’ element, B f1, which uniquely
determines the next fusion point, and a ‘payload’ element, gi , which may include any ITL
formula. The complexities of the subformulae fi and gi will, of course, determine the overall
complexity of evaluating B fi ∧ gi but, the ‘payload’ formula needs to be calculated at most
once.
To analyse the performance assume that σ |= (B f1 ∧ f ) ; f2 for some interval σ, and therefore
that there exists a unique fusion point m such that 0 ≤ m ≤ |σ|. In this case it follows that
σ0 . . σm−1 |= 2i ¬ f1, σ0 . . σm |= f1 ∧ f , and σm . . σ|σ| |= f2. The number of tests required to
discover m, and establish that the formula holds, is given by:
Equation 3.3.5 T (n, (B f1 ∧ f ) m; f2) =
(
m∑
k=0
T (k , f1)
)
+ T (m, f ) + T (n −m, f2)
The rationale for this is as follows: f1 must be tested for each prefix interval until the fusion
point (m) is found. At this point the conjoined formula f must be tested to check that it
holds over the same prefix. Finally, the second formula, f2, must be tested on the remaining
suffix interval.
The case when a control and payload combination is repeated is given by the formula
(B f ∧ f )∗. The timing analysis for this formula is given below:
Equation 3.3.6
T (n, (B f1 ∧ f )
ms∗ ) =

0, if n = 0(
n∑
k=0
T (k , f1)
)
+ T (n, f ), if n ≥ 1 and ms = 〈〉
T (n, (B f1 ∧ f )
hd(ms)
; (B f1 ∧ f )
tl(ms)∗ ), if n ≥ 1 and ms 6= 〈〉
Once again, for the purpose of analysing performance, it is useful to consider a special case
in which the interval can be split into l ×m subintervals each of which satisfies B f1 ∧ f .
52 Chapter 3: Development of the first occurrence operator
Equation 3.3.7 T (l ×m, (B f1 ∧ f )∗) = l ×
(
m∑
k=0
T (k , f1)
)
+ l × T (m, f )
3.4 Managing termination
The runtime monitors that are the subject of this thesis each represent a formula in (finite)
ITL. Therefore they are designed to terminate, and the termination condition is part of
the specification. There are three principal patterns of termination whose templates are
presented below. Note that although a monitor is designed to verify a finite execution trace,
the termination condition can be dependent upon the system being verifiied and, in particular,
may be a STOP signal issued when the system is itself ready to halt.
Monitor specifications often utilise iterated subformulae. The templates below consider two
cases in which the termination condition aligns with the end of a repeated subinterval, and
one in which it does not. The latter is more complicated, requiring a specification of how a
subinterval may be interrupted successfully.
Template 3.4.1 Iteration
(B f ∧ g)k
It is straightforward to determine the length of a runtime verification by repeating a specific
formula a given number of times. The interval is split into a sequence of k deterministic
subintervals, each specified by B f . If g also holds within each subinterval then the verification
succeeds.
Template 3.4.2 Managed halt
halt(w) ∧ (B f ∧ g)∗ provided that halt(w) ⊃ (B f )∗
If it is known (or can be arranged) that a terminating condition w always aligns with the
termination of a subinterval, then a ‘managed halt’ can be specified. Figure 3.6 illustrates a
managed halt showing how the terminating condition must align with a deterministic fusion
point.
3.4 Managing termination 53
.f .f .f
g g g
halt(w)
.f
g
Figure 3.6: A managed halt. halt(w) ⊃ (B f )∗.
Template 3.4.3 Exception
halt(w) ∧ (B(fin(w) ∨ f ) ∧ (fin(w) ∨ g))∗
The formula halt(w) specifies that the runtime verification must terminate as soon as state
formula w holds – this could be a propositional variable, STOP , for example. The termination
condition represents an exceptional condition in the sense that it may occur part way through
an iteration.
The formula B(fin(w) ∨ f ) specifies the shortest interval such that either w occurs in the
final state or the interval satisfies f . If B f is established, and the associated subinterval does
not satisfy w in its final state, then formula g must be satisfied. However, if the subinterval
satisfies B f and fin(w) then g is not required to hold. Figure 3.7 illustrates an exceptional
termination under two different circumstances.
fin(w)
.f.f.f.f
.f .f .f
g g g
g g g
halt(w)
halt(w)
(i)
(ii)
fin(w)
Figure 3.7: A exceptional termination: (i) non-aligned and, (ii) aligned with B f .
Example 3.4.1 A critical section is managed by a counting semaphore S whose value can
vary between 0 and n.
halt(STOP) ∧
54 Chapter 3: Development of the first occurrence operator
( B(fin(STOP) ∨ ¬ stable(S ))
∧ (fin(STOP) ∨ ((abs(fin(S )− S ) = 1) ∧ (fin(S ) ≥ 0) ∧ (fin(S ) ≤ n)) )∗
The formula stable(S ) requires that the value of S remains constant throughout the interval.
The first occurrence of ¬ stable(S ) therefore is the smallest initial interval for which S is
constant in all but the last state. Whenever S changes its value must have increased or
decreased by one and its value must remain within the semaphore limits of 0 and n. 
3.5 Properties of interval length
The first occurrence operator B was introduced in Section 3.3.1. Due to its extensive roˆle in
constructing ITL-Monitor specifications, the relationship between B and other ITL operators
must be explored. The investigation begins with intervals of fixed length and introduces the
notion of a fixed-length formula which specifies such an interval.
Definition 3.1 Fixed-length formula A formula f is a fixed-length formula if, whenever
σ |= f for some interval σ, there is no k < |σ| such that σ0 . . σk |= f .
ITL contains three formulae that specify intervals of specific length: empty denotes a single-
state interval; skip denotes a two-state (unit) interval; and len(k) defines an interval with k +1
states. The formula halt(w) also specifies a fixed-length interval given that this determines
that w must hold only in the final state. B is more general than halt but acts in a similar
way to determine an interval of unique length.
There is not a body of laws available in the literature relating to ITL intervals of fixed length
and the development below constitutes an addition in this area. The proofs of the laws in
this section are recorded in Section 6.4 of [CMS19].
3.5.1 Interval length
len(k) specifies that the interval length is k – i.e. that the interval has k + 1 states.
F [[len(k)]](σ) = tt iff |σ| = k LenIffModSig(C .150)
The definitions of iteration and interval length are given below:
f 0 =̂ empty IterZeroDef (C .23)
f n+1 =̂ f ; f n , [n ≥ 0] IterDef (C .24)
len(n) =̂ skipn LenDef (C .35)
3.5 Properties of interval length 55
It follows directly that:
` len(0) ≡ empty LenZeroEqvEmpty(C .143)
` len(1) ≡ skip LenOneEqvSkip(C .144)
` len(n + 1) ≡ skip ; len(n) LenNPlusOneA(C .145)
Therefore, an interval with length i + j , (i , j ≥ 0) can be chopped into two intervals of length
i and j respectively.
` len(i + j ) ≡ len(i) ; len(j ) LenEqvLenChopLen(C .146)
Using LenEqvLenChopLen(C .146) (setting i = n, j = 1), and LenOneEqvSkip(C .144) it follows
that
` len(n + 1) ≡ len(n) ; skip LenNPlusOneB (C .147)
Note that every (finite) interval, σ, must have a (finite) length, |σ|, and therefore, this
tautological statement can be conjoined with any formula.
` ∃ k • len(k) ExistsLen(C .148)
` f ≡ f ∧ ∃ k • len(k) AndExistsLen(C .149)
3.5.2 Laws with fixed-length formulae
A fixed-length formula on either side of a chop operator uniquely determines the fusion point.
Straightforward examples of this include, e.g., (f ; skip) or (len(5) ; g). The following two
laws capture the way in which chop can distribute through conjunction when the fusion point
is deterministic.
` (f ∧ len(k)) ; p ∧ (g ∧ len(k)) ; q ≡ (f ∧ g ∧ len(k)) ; (p ∧ q)LFixedAndDistr (C .151)
` p ; (f ∧ len(k)) ∧ q ; (g ∧ len(k)) ≡ (p ∧ q) ; (f ∧ g ∧ len(k)) RFixedAndDistr (C .152)
In ITL ((f1 ∧ f2) ; p) only implies (f1 ; p) ∧ (f2 ; p). However, if the lengths of intervals
defined by f1 and f2 are equal then this can be strengthened to an equivalence. Four
symmetrical specialisations of the above laws are presented below:
` (f ∧ len(k)) ; p ∧ (g ∧ len(k)) ; p ≡ (f ∧ g ∧ len(k)) ; p LFixedAndDistrA(C .153)
` (f ∧ len(k)) ; p ∧ (f ∧ len(k)) ; q ≡ (f ∧ len(k)) ; (p ∧ q) LFixedAndDistrB (C .154)
` p ; (f ∧ len(k)) ∧ p ; (g ∧ len(k)) ≡ p ; (f ∧ g ∧ len(k)) RFixedAndDistrA(C .155)
` p ; (f ∧ len(k)) ∧ q ; (f ∧ len(k)) ≡ (p ∧ q) ; (f ∧ len(k)) RFixedAndDistrB (C .156)
56 Chapter 3: Development of the first occurrence operator
3.5.3 Fixed-length formulae and negation
There are few useful laws involving the negation of formulae containing chop due to the non-
determinism of the fusion point. There are some exceptions including the unit length interval
skip. If the fusion point is uniquely determined, irrespective of where it occurs, then formulae
can be negated easily.
` ¬ (f ; h) ≡ ¬ 3h ∨ (¬ f ; h) where h ≡ g ∧ len(k) NotChopFixed (C .160)
` ¬ (h ; f ) ≡ ¬ 3i h ∨ (h ; ¬ f ) where h ≡ g ∧ len(k) NotFixedChop(C .161)
Cau had previously communicated the following laws2 that involve negation with chop and
skip. They can both be derived from the latter, more general laws, by setting h ≡ skip.
` ¬ (skip ; ¬ g) ≡ empty ∨ (skip ; g) NotSkipNotChop(C .129)
` ¬ (¬ f ; skip) ≡ empty ∨ (f ; skip) NotNotChopSkip(C .130)
3.6 Strict initial intervals
This section introduces the new ITL operators 2s (all strict initial intervals) and 3s (some
strict initial interval) along with their reflected counterparts, 2t (all strict final intervals) and
3t (some strict final interval). Their definitions and the investigation into their properties
form part of the original contribution of this thesis. 2s is required for the definition of the first
occurrence operator, B, which was introduced in Section 3.3.1 and which is defined formally
in Section 3.7. Following the introduction of the new operators, the focus will concentrate
upon 2s and 3s alone. All of their properties have equivalent versions for 2t and 3t under
time reversal [Mos14b].
Firstly, the behaviour of 2s and 2t is illustrated diagramatically in Figure 3.8.
f
f
f
s f f
f
f
ft
Figure 3.8: all strict prefixes, 2s , and all strict suffixes, 2t .
Note that 2s f (and 2t f ) hold vacuously over an empty interval. Their duals, 3s f and 3t f ,
do not hold over the empty interval. The formal definitions of these new operators are given
below:
2Private communication but the laws are included in [CMS19].
3.6 Strict initial intervals 57
2s f =̂ empty ∨ 2i f ; skip BsDef (C .185)
3s f =̂ ¬ 2s ¬ f DsDef (C .186)
2t f =̂ empty ∨ skip ; 2f BtDef (C .215)
3t f =̂ ¬ 2t ¬ f DtDef (C .216)
The effect of each these operators can be appreciated more readily by considering their
semantics.
F [[2s f ]](σ) = tt iff for all 0 ≤ i < |σ|,F [[f ]](σ0 . . σi) = tt
F [[3s f ]](σ) = tt iff exists 0 ≤ i < |σ|,F [[f ]](σ0 . . σi) = tt
F [[2t f ]](σ) = tt iff for all 1 ≤ i ≤ |σ|,F [[f ]](σi . . σ|σ|) = tt
F [[3t f ]](σ) = tt iff exists 1 ≤ i ≤ |σ|,F [[f ]](σi . . σ|σ|) = tt
3s and 3i satisfy a range of useful algebraic properties which are listed below.
Distributive laws
` 2s f ∧ 2s g ≡ 2s (f ∧ g) BsAndEqv (C .194)
` 3s f ∨ 3s g ≡ 3s (f ∨ g) DsOrEqv (C .195)
` 2s f ∨ 2s g ⊃ 2s (f ∨ g) BsOrImp(C .196)
` 3s (f ∧ g) ⊃ 3s f ∧ 3s g DsAndImp(C .197)
Absorption laws
` 3i f ∨ 3s f ≡ 3i f DiOrDsEqvDi (C .207)
` 3i f ∧ 3s f ≡ 3s f DiAndDsEqvDs(C .208)
Complement laws
` f ∨ 3s f ≡ 3i f OrDsEqvDi (C .209)
` f ∧ 2s f ≡ 2i f AndBsEqvBi (C .210)
Laws relating to 2i and 3i
` 3s f ≡ 3i f ; skip DsDi (C .188)
` 2s f ≡ 2i (more ⊃ f ; skip) BsEqvBiMoreImpChop(C .214)
` 2i f ⊃ 2s f BiImpBs(C .200)
` 2s f ⊃ 2s 2s f BsImpBsBs(C .201)
` 2s f ≡ 2s 2i f BsEqvBsBi (C .211)
` f ⊃ g ⇒ ` 2s f ⊃ 2s g BsImpBsRule(C .203)
58 Chapter 3: Development of the first occurrence operator
` 3s (f ; g) ⊃ 3s f DsChopImpDsB (C .204)
` 2s f ∨ 2s g ≡ 2s (2i f ∨ 2i g) BsOrBsEqvBsBiOrBi (C .206)
State formulae
A state formula w refers only to variables in the first state (see Section 2.1.3.2).
Therefore if w holds (in the first state) of an interval then it must hold over all non-
empty, strict initial intervals. In the case that the interval is empty, then 2s w holds
vacuously (BsDef (C .185)).
` w ⊃ 2s w StateImpBs(C .212)
Time reversal
Recent developments in ITL include Moszkowski’s work on time reversal [Mos14b]. Both
2s and 3s operate in ‘forward time’ – i.e. over σ0 . . σk for increasing k . However, each
of these operators has a counterpart under time reversal, namely 2t and 3t .
In keeping with established practice in ITL, these are referred to informally as “box-t”
and “diamond-t” respectively.3 The following theorems state that each operator is the
reflection of its counterpart:
` (2s f )r ≡ 2t f r BsrEqvBtr (C .217)
` (3s f )r ≡ 3t f r DsrEqvDtr (C .218)
` (2t f )r ≡ 2s f r BtrEqvBsr (C .219)
` (3t f )r ≡ 3s f r DtrEqvDsr (C .220)
All of the laws relating to 2s and 3s have related laws for 2t and 3t under time
reversal. These are not considered further in this thesis since they are not required for
the development of runtime monitors, nor the operator B upon which they are based.
Laws relating to these operators are available in Section 6.2 of [CMS19].
3.7 Formalisation of the first occurrence operator
The introduction of the first occurrence operator B along with a thorough investigation of
its properties is one of the main contributions of this thesis. Its roˆle in restricting the chop
operator was described in Section 3.3.1. The formal definition of B f is given below.
B f =̂ f ∧ 2s ¬ f FstDef (C .222)
3The use of ‘t’ was selected because, while it is usefully follows ‘s’ alphabetically, ‘t’ can bring to mind the
word “tail”. The reflected operators 2t and 3t refer to strict suffixes (tails).
3.8 Algebraic properties of the first occurrence operator 59
The definition reflects its semantics (Equation 3.3.4, page 50) repeated below for convenience,
and comprises two parts: (i) the whole interval satisfies f , and (ii) no strict initial interval
satisfies f .
F [[B f ]](σ) = tt iff F [[f ]](σ) = tt and for all 0 ≤ i < |σ|, F [[¬ f ]](σ0 . . σi) = tt
Figure 3.9 illustrates an interval over which B f holds.
:f
:f
:f
.f
f
Figure 3.9: B f
Other authors have proposed restricting the chop operator using a combination of first and
last occurrences, most notably in Eagle [BB08] which was discussed previously in Section
2.4.3. The approach taken here is different: in this thesis no change to the semantics
of the chop operator is proposed. The new operator B, derived within existing ITL, is
defined independently of chop, although one of its principal applications is to restrict chop
in specific circumstances. In fact, B turns out to be a generalisation of halt – specifically,
B(fin(w)) ≡ halt(w). A discussion of the relationship between B and halt is presented in
Section 3.8.6.
B f denotes the first initial interval that satisfies f – i.e. no strict prefix satisfies f . Therefore
the length of such a satifying interval is uniquely determined:
` 3i (B f ∧ len(i)) ∧ 3i (B f ∧ len(j )) ⊃ i = j FstLenSame(C .250)
A related law states that if f holds for some initial interval then there is a unique initial
interval that satisfies B f defined by its length.
` 3i f ⊃ ∃1 k • 3i (len(k) ∧ B f ) DiImpExistsOneDiLenAndFst (C .251)
3.8 Algebraic properties of the first occurrence operator
In the remainder of this chapter the algebraic properties of B are investigated. The majority
of the work below was developed to establish and reason about the semantics of the runtime
monitors whose formal semantics will be given in Chapter 4. Indeed, it was the consideration
of how one might compose runtime monitors that led to the development of B as a suitable
60 Chapter 3: Development of the first occurrence operator
structuring mechanism. These laws, along with their proofs, are presented in Sections 6.3
and 6.4 of [CMS19].
3.8.1 First with simple formulae
The shortest interval is empty.
` B true ≡ empty FstTrue(C .226)
Since no interval satisfies false4 there can be no shortest interval that does so.
` B false ≡ false FstFalse(C .227)
The shortest interval that satisfies more (i.e. has at least two states) is an interval of unit
length.
` Bmore ≡ skip FstMoreEqvSkip(C .233)
Any formula of the form, len(k) is equivalent to its own first occurrence. This is an obvious
consequence of specifying a length.
` B len(k) ≡ len(k) FstLenEqvLen(C .272)
There are two special cases of FstLenEqvLen(C .272) deriving from LenZeroEqvEmpty(C .143)
and LenOneEqvSkip(C .144):
` B empty ≡ empty FstEmpty(C .229)
` B skip ≡ skip FstSkip(C .273)
Furthermore, conjoining a formula f with empty renders the B operator redundant.
` B f ∧ empty ≡ f ∧ empty FstAndEmptyEqvAndEmpty(C .230)
Conversely, disjoining formula f with empty renders f redundant.
` B(empty ∨ f ) ≡ empty FstEmptyOrEqvEmpty(C .231)
State formulae, denoted conventionally by w , do not include any temporal operators (Section
2.1.3.2) and hold whenever w is true in the first state. Therefore, Bw can only be satisfied
4In infinite-time ITL the formula true ; false is satisfied by an infinite interval. However, this thesis only
uses finite ITL.
3.8 Algebraic properties of the first occurrence operator 61
by an empty interval:
` Bw ≡ empty ∧ w FstState(C .243)
3.8.2 First with conjunction and disjunction
` B f ∧ g ⊃ B(f ∧ g) FstWithAndImp(C .223)
` B(f ∨ g) ≡ (B f ∧ 2s ¬ g) ∨ (B g ∧ 2s ¬ f ) FstWithOrEqv (C .224)
FstWithAndImp(C .223) states that if B f and g are both satisfied then this implies that the
interval satisfies the first occurrence of f ∧ g together. This follows because f ∧ g are satisfied
by the interval and, since no strict initial interval satisfies f , this must be the first occurrence
of the conjunction. FstWithOrEqv (C .224) separates the first occurrence of a disjunction f ∨ g
into two cases: either the interval satisfies the first occurrence of f with no strict initial
interval satisfying g , or vice versa. Note that this includes the possibility of B f ∧ B g .
It may appear that a corresponding law for B(f ∧ g) would be appropriate. However, such a
formula does not permit anything more interesting than f ∧ g , or 2s ¬ (f ∧ g), to be deduced.
Both of these formulae follow directly from the definition FstDef (C .222), so nothing new is
derived. The first occurrence of the conjunction does not preclude any number of strict initial
intervals satisfying either f or g – but not both together. However, if the first conjunct is
of the form B f then there is a useful law which allows the introduction or elimination of B
around an expression of the form B f ∧ g .
` B(B f ∧ g) ≡ B f ∧ g FstFstAndEqvFstAnd (C .225)
Consider the first occurrence of a disjunction B(f ∨ g). Suppose an interval satisfies B f ,
then it only satisfies B(f ∨ g) if no strict initial interval satisfies g . Otherwise B g would
occur before B f . This is the basis of the law FstWithOrEqv (C .224).
` B(f ∨ g) ≡ (B f ∧ 2s ¬ g) ∨ (B g ∧ 2s ¬ f ) FstWithOrEqv (C .224)
The following laws state that in the formula B(f ∨ g), both f ≡ B f and g ≡ B g hold. These
laws are useful for moving B outside of parentheses in proofs.
` B(B f ∨ g) ≡ B(f ∨ g) FstFstOrEqvFstOrL(C .269)
` B(f ∨ B g) ≡ B(f ∨ g) FstFstOrEqvFstOrR(C .270)
` B(B f ∨ B g) ≡ B(f ∨ g) FstFstOrEqvFstOr (C .271)
62 Chapter 3: Development of the first occurrence operator
3.8.3 First with prefix intervals
Although 2s ¬ f ∧ f appears, at first sight, to be stronger than 2s ¬ f ∧ 3i f , it turns out that
they are, in fact, equivalent. This may be understood by considering the following argument:
2s ¬ f states that no strict initial interval satisfies f ; therefore 2s ¬ f ⊃ (3i f ≡ f ). This leads
to an alternative equivalence for B f :
` B f ≡ 2s ¬ f ∧ 3i f FstEqvBsNotAndDi (C .257)
The two laws, FstOrDiEqvDi (C .234) and FstAndDiEqvFst (C .235), permit the absorption of
either B f or 3i f depending upon whether they are disjoined or conjoined.
` B f ∨ 3i f ≡ 3i f FstOrDiEqvDi (C .234)
` B f ∧ 3i f ≡ B f FstAndDiEqvFst (C .235)
The two laws, DiEqvDiFst (C .236) and FstDiEqvFst (C .237), show that terms involving both of
the operators 3i and B in either order consecutively can be reduced by the removal of one of
the operators.
` 3i f ≡ 3i B f DiEqvDiFst (C .236)
` B3i f ≡ B f FstDiEqvFst (C .237)
The laws below can be derived from DiEqvDiFst (C .236) and FstDiEqvFst (C .237). The second
law, DiOrFstAndEqvDi (C .239), demonstrates an absorptive property, and the third law,
FstDiAndDiEqv (C .240), shows how B limits the effect of 3i .
` 3i f ∧ (B f ∨ g) ≡ B f ∨ (3i f ∧ g) DiAndFstOrEqvFstOrDiAnd (C .238)
` 3i f ∨ (B f ∧ g) ≡ 3i f DiOrFstAndEqvDi (C .239)
` B(3i f ∧ 3i g) ≡ (B f ∧ 3i g) ∨ (B g ∧ 3i f ) FstDiAndDiEqv (C .240)
Finally, the following two laws demonstrate that if there is no initial interval (or strict initial
interval) satisfying B f then there is no initial interval (or strict initial interval) satisfying f .
Both laws are equivalences.
` 2i ¬ B f ≡ 2i ¬ f BiNotFstEqvBiNot (C .241)
` 2s ¬ B f ≡ 2s ¬ f BsNotFstEqvBsNot (C .242)
3.8 Algebraic properties of the first occurrence operator 63
3.8.4 Distribution
3.8.4.1 Through conjunction and disjunction
This section includes a key result in this thesis: LFstAndDistr (C .252). Essentially this law
permits the distribution of chop across conjunction because the interval length on the left
side has been fixed thus making the chop point deterministic. The law has four useful
specialisations.
` (B f ∧ g1) ; h1 ∧ (B f ∧ g2) ; h2 ≡ (B f ∧ g1 ∧ g2) ; (h1 ∧ h2) LFstAndDistr (C .252)
There are some special cases of LFstAndDistr (C .252) that are also useful laws in their own
right. Each is a straightforward derivation.
• Setting h1 ≡ h2 in LFstAndDistr (C .252) generates the law:
` (B f ∧ g1) ; h ∧ (B f ∧ g2) ; h ≡ (B f ∧ g1 ∧ g2) ; h LFstAndDistrA(C .253)
• Setting g1 ≡ g2 in LFstAndDistr (C .252) generates the law:
` (B f ∧ g) ; h1 ∧ (B f ∧ g) ; h2 ≡ (B f ∧ g) ; (h1 ∧ h2) LFstAndDistrB (C .254)
• Setting g1 ≡ g2 ≡ true in LFstAndDistr (C .252) generates the law:
` B f ; h1 ∧ B f ; h2 ≡ B f ; (h1 ∧ h2) LFstAndDistrC (C .255)
Note that it is unnecessary to specify a similar (valid) law for disjunction:
B f ; g ∨ B f ; h ≡ B f ; g ∨ B f ; h
since it is a direct application of ChopOrEqv (C .107).
• Setting h1 ≡ h2 ≡ true in LFstAndDistr (C .252), and using DiDef (C .13) generates the law:
` 3i (B f ∧ g1) ∧ 3i (B f ∧ g2) ≡ 3i (B f ∧ g1 ∧ g2) LFstAndDistrD (C .256)
3.8.4.2 Through chop
This section introduces a number of laws that describe the behaviour of the first occurrence
operator as it distributes through chop. It contains two of the most important mathematical
results of this thesis. The first is FstFstChopEqvFstChopFst (C .260) whose intuitive appeal
is obvious but which turned out to be remarkably difficult to prove. It expresses the
64 Chapter 3: Development of the first occurrence operator
fact that the sequential composition (the fusion) of two first occurrences itself denotes
a first occurrence. The second important result, FstFixFst (C .261), is a corollary of
FstFstChopEqvFstChopFst (C .260) and states another intuitive idea that the first occurrence
of f has no other first occurrence of f as a strict prefix.
There is a particular boundary case that occurs when chop is combined with formulae on an
empty interval. This results in the following theorem:5
` f ; g ∧ empty ≡ f ∧ g ∧ empty ChopEmptyAndEmpty(C .139)
The chop operator requires a shared state. The only way that the composition f ; g can
occur in a single state is if each of f and g is true over the empty interval. A useful corollary
is:
` f ; skip ∧ empty ≡ false ChopSkipAndEmptyEqvFalse(C .140)
which states that it is impossible for any formula of the form f ; skip to be satisfied over an
empty interval.
Before the two particularly important results are presented the next two laws provide some
necessary background. They involve the negation of chop in which one of the formulae is a
first occurrence. The law NotFstChop(C .258) states that if the first occurrence of f followed
by g does not hold, then either there is no initial interval that satisfies the first occurrence
of f , or there is an initial interval that satisfies B f but the corresponding suffix interval does
not satisfy g .
` ¬ (B f ; g) ≡ ¬ 3i B f ∨ B f ; ¬ g NotFstChop(C .258)
NotFstChop(C .258) can be compared to NotSkipNotChop(C .129), ` ¬ (skip ; ¬ g) ≡ empty ∨
(skip ; g), and, indeed, can be considered a generalisation of it. This is interesting because
combining negation and chop is difficult due to the non-determinism inherent in the chop
operator. However, when the length of one of the subintervals is fixed then a useful law
emerges. The aforementioned NotSkipNotChop(C .129) is such a special case and has proved
to be very useful in its own right. However, it is interesting to note that this new law,
NotFstChop(C .258), is a generalisation.
To illustrate the point an informal argument will be employed to show how to specialise
NotFstChop(C .258) and produce NotSkipNotChop(C .129).
5The importance of this law emerged during informal discussions about this research with Peter
Messer, previously Head of School of Computing at De Montfort Univeristy. The law is used
in the proof of FstChopEmptyEqvFstChopFstEmpty(C .232) which, in turn, is used in the proof of
FstFstChopEqvFstChopFst(C .260). This latter law expresses a key property of the first operator B.
3.8 Algebraic properties of the first occurrence operator 65
Set f ≡ skip, then it follows that ¬ (B skip ; g) ≡ ¬ 3i B skip ∨ B skip ; ¬ g . As will
be established later, B skip ≡ skip (FstSkip(C .273)), so the law reduces to ¬ (skip ; g) ≡
¬ 3i skip ∨ skip ; ¬ g . Arguing informally, the first disjunct expresses the fact that no initial
subinterval has two states (i.e. skip), which is more concisely written as empty. Hence:
¬ (skip ; g) ≡ empty ∨ skip ; ¬ g which, negating g , leads to the more specific law.
The law BsNotFstChop(C .259) further extends NotFstChop(C .258) in that it requires the
property to hold over all strict initial intervals. This variation is required in the proof of
the main result that follows it.
` 2s ¬ (B f ; g) ≡ empty ∨ ¬ 3i B f ∨ B f ; 2s ¬ g BsNotFstChop(C .259)
The following theorem is one of the most important mathematical results in this thesis and
expresses an important property about the sequential composition of first occurrences.
` B(B f ; g) ≡ B f ; B g FstFstChopEqvFstChopFst (C .260)
The intuition is that the expression B f ; B g requires that the first occurrence of f is followed
by the first occurrence of g . This is not equivalent to the first occurrence of f followed by
any occurrence of g because 0 g ⊃ B g . However, the introduction of B around the whole
expression, B(B f ; g), forces the first occurrence of g .
Another of the important mathematical results in this thesis is a corollary of
FstFstChopEqvFstChopFst (C .260):
` BB f ≡ B f FstFixFst (C .261)
which expresses the idea that if an interval satisfies B f then no strict prefix interval can satisfy
B f – i.e. the interval not only represents the first occurrence of f but it also represents the
first (and only) occurrence of B f . Thus B f is a fixpoint of B. This result underpins another
important theorem that appears later in this thesis – the First Fixpoint Law for primary
monitors, MFixFst (C .309).
3.8.5 First occurrence with iteration
The previous section discussed the combination of the first occurrence operator and
chop. However, care must be taken when combining first occurrence with chopstar. The
propositional axioms for ITL include
` f ∗ ≡ (empty ∨ ((f ∧ more) ; f ∗)) ChopStarEqv (C .46)
66 Chapter 3: Development of the first occurrence operator
which specifies that an empty interval satisfies f ∗6 Therefore
` B(f ∗) ≡ empty FstCSEqvEmpty(C .276)
and, in general,
B(f ∗) 6≡ (B f )∗
Alternatively, it may be useful to write specifications including, e.g., B(f n), as this determines
a specific number of iterations rather than a choice. The following law states that the finite
iteration of B f is itself a first occurrence.
` (B f )n ≡ B((B f )n), [n ≥ 0] FstIterFixFst (C .277)
One must distinguish between (B f )n and B(f n) because
B(f n) 6≡ (B f )n
As an example consider the formula f ≡ (fin X mod 2 = 1 ∧ fin X = X + 2) ∨ (fin X = 2X )
and the interval σ in which σ0(X ) = 1, σ1(X ) = 2, σ2(X ) = 3, . . . .
X 1 2 3 5 7 8 16 32
(256)
4
a)
b)
c)
d)
Figure 3.10: Comparing the four initial intervals satisfying f 3
In Figure 3.10 the four prefix intervals satisfying f 3 have been labelled a) . . . d). The interval
marked a) represents B(f 3): the shortest initial interval satisfying f 3. The interval marked d)
represents (B f )3: at each step the shortest interval satisfying f is taken. This is the shortest
path (B((B f )3)) that can be generated in this way (see FstIterFixFst (C .277)). The intervals
b) and c) represent neither B(f 3) nor (B f )3 but do represent other ways of satisfying f 3.
3.8.6 First and halt
Both halt w and B f define a fixed-length interval. The difference is that halt is used with a
state formula w whereas B can be used with a temporal formula. Consider the semantics of
6The empty interval even satisfies false∗.
3.9 The last occurrence operator 67
these operators:
F [[B f ]](σ) = tt iff F [[f ]](σ) = tt and for all 0 ≤ i < |σ|, F [[¬ f ]](σ0 . . σi) = tt
F [[halt f ]](σ) = tt iff F [[f ]](〈σ|σ|〉) = tt and for all 0 ≤ i < |σ|, F [[¬ f ]](σi . . σ|σ|) = tt
For example, the formula halt P holds over an interval in which P is true in the final state
and not in any previous states. halt P holds over an empty interval if P does. The following
laws each express halt w in terms of B:
` halt w ≡ B(fin w) HaltStateEqvFstFinState(C .246)
` halt w ≡ B(halt w) HaltStateEqvFstHaltState(C .247)
` B(3w) ≡ halt w FstDiamondStateEqvHalt (C .248)
3.9 The last occurrence operator
A reflected first occurrence operator C f could be considered to represent the most recent
interval to satisfy f .
C f =̂ f ∧ 2t ¬ f LstDef (C .282)
It is possible to determine a relationship between B and C as follows:
(B f )r
≡ (f ∧ 2s ¬ f )r FstDef (C .222)
≡ f r ∧ (2s ¬ f )r TRAnd (C .61)
≡ f r ∧ 2t (¬ f )r BsrEqvBtr (C .217)
≡ f r ∧ 2t ¬ f r TRNot (C .57)
≡ C f r LstDef (C .282)
And symmetrically:
(C f )r
≡ (f ∧ 2t ¬ f )r LstDef (C .282)
≡ f r ∧ (2t ¬ f )r TRAnd (C .61)
≡ f r ∧ 2s (¬ f )r BtrEqvBsr (C .219)
≡ f r ∧ 2s ¬ f r TRNot (C .57)
≡ B f r FstDef (C .222)
68 Chapter 3: Development of the first occurrence operator
Thus the following laws hold:
` (B f )r ≡ C f r FstrEqvLstr (C .284)
` (C f )r ≡ B f r LstrEqvFstr (C .285)
A straightforward corollary can be obtained using FstrEqvLstr (C .284) and TRChop(C .59):
` (B f ; B g)r ≡ C gr ; C f r FstChopFstREqvLstrChopLstr (C .286)
Recall that one of the most important results in this thesis, FstFstChopEqvFstChopFst (C .260),
proved that the sequential composition of two first occurrence expressions is itself a first
occurrence: ` B(B f ; g) ≡ B f ; B g . It is expected that the reflected law would also hold:
i.e. that ` C(g ; C f ) ≡ C g ; C f . The following argument can be used:
C gr ; C f r
≡ (B f ; B g)r FstChopFstREqvLstrChopLstr (C .286)
≡ (B(B f ; g))r FstFstChopEqvFstChopFst (C .260)
≡ C(B f ; g)r FstrEqvLstr (C .284)
≡ C(gr ; (B f )r ) TRChop(C .59)
≡ C(gr ; C f r ) FstrEqvLstr (C .284)
Thus, relabelling, the following holds:
` C(g ; C f ) ≡ C g ; C f LstChopLstEqvLstChopLst (C .288)
This final section has shown how the reflected theory could be developed and future work will
investigate these relationships in more detail.
3.9.1 Last and until
The LTL operator U is not provided as part of the standard library of derived operators
in ITL [CM16]. However, a definition of U for finite intervals was provided by Moszkowski
[Mos83]:
Equation 3.9.1 f1 U f2 =̂ ∃P • (P ∧ 2(P ⊃ (f2 ∨ (f1 ∧ ©P))))
where P does not occur free in f1 or f2.
The ITL operator U is illustrated in Figure 3.11.
3.10 Summary 69
f1
f1
f1
f2
P P P
Figure 3.11: Moszkowski’s definition of f1 U f2 in ITL
f1U f2 is defined over a finite interval such that for some 0 ≤ k ≤ |σ|, σ0 . .σ|σ| |= f1, σ1 . .σ|σ| |=
f1, . . . , σk−1 . . σ|σ| |= f1 and σk . . σ|σ| |= f2. There may be more than one value of k that
satisfies f1 U f2. However, it is possible to specify that k is maximal, and therefore that f1
holds up to the last occurrence of f2, by writing f1U (C f2). Thus the reflected first occurrence
operator can be used to construct a deterministic until formula.
3.10 Summary
This chapter introduced the background to the first occurrence operator. An investigation
into fixed length intervals within ITL discovered a collection of useful laws. Three new ITL
operators, 2s and 3s , and B were introduced. A significant number of laws relating these new
operators to each other and to existing ITL operators was developed. These laws provide the
basis of ITL-Monitor, the runtime monitor system introduced in Chapter 4.
Two of the most important mathematical results in this thesis have been presented: the
laws FstFstChopEqvFstChopFst (C .260) and FstFixFst (C .261). These laws capture fundamental,
intuitive properties of B upon which the later theory relies. A discussion pointing to future
work in which the theory can be developed using reflection was presented.
70 Chapter 3: Development of the first occurrence operator
Chapter 4
ITL Monitor
ITL-Monitor is a restricted subset of ITL used to construct specifications whose components
describe a deterministic partitioning of an execution trace. This was illustrated previously
in Section 3.3.2. Furthermore, this deterministic partitioning property is preserved under
monitor composition – this is a key property of ITL-Monitor which is based upon the fact that
every ITL-Monitor represents its own first occurrence.
ITL-Monitor has also been realised as a DSL (cf. 2.4.1) in Scala. As code, a monitor performs
the roˆle depicted in Figure 2.15 (page 32), receiving states from a running program, and
maintaining an internal representation of the execution trace. At each deterministic fusion
point the monitor assesses whether or not the current trace satisfies its ITL formula. The
implementation of ITL-Monitor in Scala is presented in the following chapter.
In this chapter, the syntax of ITL-Monitor expressions is introduced along with a translation
function to their respective ITL formulae. The behaviour of each monitor operator is explained
with an emphasis on their practical roˆle in runtime verification. In Section 4.4 the algebraic
properties of ITL-Monitor are presented. The analysis of these properties formed another
major aspect of the current work and resulted in a comprehensive list of monitor laws and
associated proofs. All of these have been mechanically checked by Isabelle/HOL and appear
as Chapter 8 of [CMS19].
The chapter concludes with a small example specification.
4.1 Monitor syntax and translation to ITL
The syntax of a monitor expression, ITL-Monitor, is given in Figure 4.1.
72 Chapter 4: ITL Monitor
ITL-Monitor ::= FIRST (ITL-Formula)
| ITL-Monitor UPTO ITL-Monitor
| ITL-Monitor THRU ITL-Monitor
| ITL-Monitor THEN ITL-Monitor
| ITL-Monitor WITH ITL-Formula
where ITL-Formula represents any well-formed ITL formula.
Figure 4.1: ITL-Monitor syntax
The unary operator FIRST has the highest priority. Each of the binary operators has equal
priority and is left-associative. Parentheses can be used to override these defaults. The ITL
formula represented by each ITL-Monitor expression is defined by the translation function
M : ITL-Monitor → ITL-Formula (Figure 4.2).
M(FIRST (f )) =̂ B f MFirstDef (C .289)
M(a UPTO b) =̂ B(M(a) ∨M(b)) MUptoDef (C .290)
M(a THRU b) =̂ B(3i M(a) ∧ 3i M(b)) MThruDef (C .291)
M(a THEN b) =̂ M(a) ; M(b) MThenDef (C .292)
M(a WITH f ) =̂ M(a) ∧ f MWithDef (C .293)
Figure 4.2: ITL-Monitor translations to ITL formulae
A description of each of the ITL-Monitor operators is given below. (Note that all monitors are
first occurrences: ` M(a) ≡ BM(a) (MFixFst (C .309)). This law will be presented formally
in Section 4.4.1).
FIRST (f )
This monitor succeeds as soon as the states consumed comprise an interval that satisfies
B f . This basic monitor is used to define the extent of the subintervals into which an
execution trace is divided.
a UPTO b
If a specification can be expressed as the first occurrence of an interval that satisfies
either one of two independent formulae, M(a) or M(b), then a UPTO b permits each
to be run independently and both terminated as soon as one is satisfied.
4.1 Monitor syntax and translation to ITL 73
.f
σ ¬g¬g¬g¬g ¬g
Figure 4.3: FIRST (f ) UPTO FIRST (g)
Figure 4.3 illustrates a situation in which the expression FIRST (f ) UPTO FIRST (g) is
satisfied with formula f occuring before formula g .
a THRU b
This monitor specifies the shortest interval containing prefixes in which bothM(a) and
M(b) are satisfied. Necessarily, this means that a satisfying interval is a model for the
first occurrence of either (or both) of these formulae. The monitor terminates as soon as
either a or b has terminated: this ensures that the fixed-length property is maintained.
Furthermore, the monitor fails if either of its two component monitors, a or b, fails.
.f
σ
.g
.f ; true
Figure 4.4: FIRST (f ) THRU FIRST (g)
Figure 4.4 illustrates an interval that satisfies FIRST (f ) THRU FIRST (g). The interval
satisfies B g and a prefix interval satisfies B f : i.e. the example interval satisfies
3i B f ∧ B g .
a THEN b
The ITL formula represented byM(a THEN b) is the sequential composition of two first
occurrences, M(a) ; M(b). The resulting formula is itself a first occurrence:
M(a) ; M(b)
≡ BM(a) ; BBM(b) MFixFst (C .309), FstFixFst (C .261)
≡ B(BM(a) ; BM(b)) FstFstChopEqvFstChopFst (C .260)
≡ B(M(a) ; M(b)) MFixFst (C .309)
74 Chapter 4: ITL Monitor
Since M(a) is a first-occurrence (MFixFst (C .309)), this ensures that the monitor
composition M(a THEN b) defines a unique point of fusion within the execution trace.
.f
σ
.g
Figure 4.5: FIRST (f ) THEN FIRST (g)
Figure 4.5 illustrates the sequential composition of two monitors FIRST (f ) THEN
FIRST (g). To succeed both components must succeed: B f up to the uniquely
determined fusion point, and then B g to the end of the interval.
a WITH f
The conjoinment of M(a) and f . This monitor consumes sufficient states to satisfy
M(a) and then checks that the formula f , which can be any ITL formula, holds over
the same interval. Mathematically, this is the same monitor as FIRST (M(a) ∧ f )
M(FIRST (M(a) ∧ f )))
≡ B(M(a) ∧ f ) MFirstDef (C .289)
≡ B(BM(a) ∧ f ) MFixFst (C .309)
≡ BM(a) ∧ f FstFstAndEqvFstAnd (C .225)
≡M(a) ∧ f MFixFst (C .309)
≡M(a WITH f ) MWithDef (C .293)
By separating the components of the formula using a WITH f , it is possible for an
implementation to separate the search for a suitable interval (BM(a) must be checked
with the addition of each new state) from the final verification of f – a check that only
needs to be performed once.
A number of derived monitors are defined in Figure 4.6 below. These capture common
specification patterns. The unary operators take precedence over the binary operators. Each
of the latter has equal priority and is left-associative. Parentheses can be used to override
these defaults.
4.1 Monitor syntax and translation to ITL 75
LEN (k) =̂ FIRST (len(k)) MLenDef (C .295)
SKIP =̂ FIRST (skip) MSkipDef (C .297)
FAIL =̂ FIRST (false) MFailDef (C .300)
EMPTY =̂ FIRST (empty) MEmptyDef (C .296)
HALT (w) =̂ FIRST (fin w) MHaltDef (C .294)
a TIMES 0 =̂ EMPTY
a TIMES (k + 1) =̂ a THEN (a TIMES k), k ≥ 0 MTimesDef
(C .299)
GUARD (w) =̂ EMPTY WITH w MGuardDef (C .298)
w1 UNTIL w2 =̂ (HALTw2) WITH (2m w1) MUntilDef
(C .303)
a ALWAYS w =̂ a WITH (2i fin w) MAlwaysDef
(C .301)
a SOMETIME w =̂ a WITH (3i fin w) MSometimeDef
(C .302)
a WITHIN f =̂ a WITH (2s ¬ f ) MWithinDef (C .304)
a AND b =̂ a WITHM(b) MAndDef (C .305)
a ITERATE b =̂ a WITH (M(b))∗ MIterateDef (C .306)
Figure 4.6: Derived monitors
These derived monitors are useful in three respects.
• To express useful zero and unit elements in the algebra: EMPTY and FAIL.
• To improve readability: e.g. LEN , HALT and GUARD .
• To improve efficiency. This includes the group of monitors defined using WITH. The
discussion of WITH on page 74 showed how the right-hand operand only needs to be
evaluated once. The specific behaviours of each of these monitors have been used to
provide more efficient code implementations.
Each of the derived monitors is described below.
LEN (k) and SKIP. These monitors are satisfied by any intervals of the required length.
Recall that skip ≡ len(1). For example, a THEN b shares a common state, whereas in
a THEN SKIP THEN b, a and b have no common state.1 The difference is demonstrated
by Figure 4.7.
1THEN is an associative operator (MThenAssoc(C .355)).
76 Chapter 4: ITL Monitor
σ
a b
a THEN b
σ
a
SKIP
b
a THEN SKIP THEN b
Figure 4.7: The effect of introducing a SKIP monitor
FAIL and EMPTY. These monitors represent annihilators and units when combined with
various binary monitor operators. As such they perform an important roˆle in the ITL-
Monitor algebra which is presented below in Section 4.4.
HALT (w). This is a special case of FIRST in which an interval is defined up to the first
occurrence of state formula w , or, in ITL, 2m ¬ w ∧ fin w . The relationship between
first occurrence, B, and halt was discussed in Section 3.8.6. The HALT monitor can
be used to define a finite subinterval up to the first occurrence of a state event – for
example, HALTButton Pressed . However, FIRST can be used to define a subinterval
based upon temporal relationships – for example, FIRST (3((X ← X ) ∧ more)): “Up
to the first point at which the state variable X receives a value that it was assigned
previously.” The addition of more ensures that progress is made because X ← X is
trivially satisfied by an empty interval.
a TIMES k . This monitor represents a specific number of instances of a fused together. An
example showing a TIMES 8 is shown in Figure 4.8.
σ
a a a a a a a a
Figure 4.8: a TIMES 8
If k = 1 then this is equivalent to a, alone; and if k = 0 then this is equivalent to
EMPTY.
4.1 Monitor syntax and translation to ITL 77
GUARD (w). This monitor treats the current state as an empty interval and establishes
whether or not w holds in this empty interval. A guard can be useful for specifying
an intial condition, e.g. GUARD (X = 0) THEN a, or for analysing the final state of an
interval, e.g. a THEN GUARD (X = 0). A series of guards can also be used to determine
future behaviour as described in Section 4.3.
w1 UNTIL w2. This monitor specifies the shortest interval that satisfies w1 U w2. This is
equivalent to B(2m w1 ; w2).
The remaining derived monitors are special cases of a WITH f . Each monitor can be
implemented more efficiently by exploiting the properties related to its specific function.
a ALWAYS w . w can be checked in each state. If ever ¬ w holds then the whole monitor fails
immediately.
a SOMETIME w . w can be checked in each state. If w holds in the final state of some
prefix interval σ0 . . σi , then the property holds for any extended interval σ0 . . σj where
0 ≤ i ≤ j .
a WITHIN f . As each new state is supplied, f is checked against each newly-extended prefix
interval. If f should ever be satisfied, but M(a) is not satisfied, then the monitor fails.
The monitor FAIL is equal to FIRST (false) WITHIN EMPTY.
a AND b. The monitors a and b must be satisfied simultaneously by the same interval. It is
possible for an implementation to run these monitors simultaneously, failing if, and as
soon as, either monitor fails. Figure 4.9 illustrates FIRST (f ) AND FIRST (g).
.f
σ
.g
Figure 4.9: FIRST (f ) AND FIRST (g)
a ITERATE b. This monitor combines a with a repetition of b. This is similar to AND above
in that for a satisfying interval bothM(a) and (M(b))∗ must hold. Figure 4.10 provides
an illustrative example.
78 Chapter 4: ITL Monitor
σ
a a a a a a a a
b b b b
Figure 4.10: (a TIMES 8) ITERATE b
Example 4.1.1 Partition. Consider the ITL-Monitor m where
m = a ITERATE b
b = FIRST (X <∼ X + 1) WITH f
The ITL formula represented by M(b) is (X <∼ X + 1) ∧ f . The first three cycles of
(M(b))∗ are illustrated in Figure 4.11.
σ
X X + 1 X + 2 X + 3
X <∼ X + 1 X <∼ X + 1 X <∼ X + 1
f f f
f∗
f∗
Evaluation of ((X <∼ X + 1) ∧ f )∗
Figure 4.11: Partitioning using a counter
This demonstrates a partitioning of an evolving system using one of the state variables
as a counter. The checkout example (Section 6.3) uses a transaction counter to partition
the execution trace by customer transaction. The example can be generalised by writing,
e.g.
m = a ITERATE b
b = FIRST (X <∼ X + 1) ITERATE c
This demonstrates that levels of partitioning can be nested. 
4.2 Importable assumptions and exportable commitments 79
4.2 Importable assumptions and exportable commitments
Moszkowski demonstrated how the use of temporal fixpoints could be used to reason
compositionally in ITL [Mos94, Mos96a, Mos98]. The original work was applied primarily to
safety and liveness conditions. However, it also provided a general framework for reasoning
about ITL specifications compositionally. The application of this theory within ITL-Monitor
is explored in this section.
4.2.1 Background
Recall that sequential composition connects formulae using ITL’s chop operator, σ |= f1 ; f2 iff
exists k s.t. σ0. .σk |= f1 and σk . .σ|σ| |= f2. Parallel composition relates to formulae composed
with ∧ requiring both conjuncts to be satisfied simultaneously: σ |= f1 ∧ f2 iff σ |= f1 and
σ |= f2.
Consider the sequential composition, f1 ; f2. Suppose that f1 ⊃ Co, f2 ⊃ Co, and Co∗ ≡ Co.
In this case if f1 ; f2 holds for some interval, then so does Co ; Co and hence Co
∗ which
is equivalent to Co. A formula Co with the property that Co∗ ≡ Co is an exportable
commitment.
Furthermore, consider some property As that holds over an interval and also satisfies
As ≡ 2a As. In this case As holds over every subinterval. Such a formula is an importable
assumption.
It is possible for a formula to be simultaneously an importable assumption and an exportable
commitment. An example of such a formula is keep f . Such formulae are referred to as very
compositional. Moszkowski [Mos96a] considers the following general form of an ITL theorem:
` w ∧ As ∧ Sys ⊃ Co ∧ fin w ′
in which w is an initial state formula, As is an assumption about the overall interval, Sys is
the system under consideration, Co is a commitment about the overall interval, and w ′ is a
final state formula. Thus, an interval that satisfies the formula w ∧ As ∧ Sys also satisfies the
commitment Co and final state w ′. The composition of two systems (Sys ; Sys ′) with suitable
importable assumption As and exportable commitment Co is summarised in the following
proof rule 4.1 [Mos96a].
Rule 4.1
` w ∧ As ∧ Sys ⊃ Co ∧ fin w ′
` w ′ ∧ As ∧ Sys ′ ⊃ Co ∧ fin w ′′
` w ∧ As ∧ (Sys ; Sys ′) ⊃ Co ∧ fin w ′′
80 Chapter 4: ITL Monitor
For this rule to be sound the following conditions must be satisfied:2
Importable assumption As ≡ 2a As
Exportable commitment Co ≡ Co?
(1)
(2)
Note that (Sys ; Sys ′) is satisfied by the whole interval but the fusion point is non-
deterministic. Therefore, if the global assumption As is to apply to an arbitrary subinterval
then it must be a fixpoint of 2a (all subintervals) (condition (1)). Furthermore, if both Sys
and Sys ′ imply Co then the whole interval satisfies (Co ; Co), and hence Co (condition (2)).
Sequential composition can be generalised to handle zero or more iterations, (Sys∗). Once
again, (4.2) is taken from [Mos96a]. The soundness conditions (1) and (2) apply.
Rule 4.2
` w ∧ As ∧ Sys ⊃ Co ∧ fin w
` w ∧ As ∧ Sys? ⊃ Co ∧ fin w
Both proof rules 4.1 and 4.2 have simpler counterparts that may be generated by setting
various components to true. This technique can be used to remove the initial and final states
(w and w ′), the assumptions As, or the commitments Co, or any combination of these as
required.
A collection of formulae that are fixpoints of chopstar and 2a – and hence can be used for
exportable commitments and importable assumptions – are contained in [Mos96c].
Consider an ITL-Monitor, a ITERATE b, that is monitoring the property M(a) ∧ (M(b))∗. If
M(b) implies some exportable commitment Co, then each successful iteration of b maintains
Co∗ which, in turn, establishes Co over the whole interval. This is illustrated in Figure 4.12
and demonstrates how an exportable commitment Co can be verified incrementally.
2These conditions are expressed as equivalences. However, to establish them one only needs to show that
Co∗ ⊃ Co and As ⊃2a As because their converses are laws.
4.2 Importable assumptions and exportable commitments 81
σ
a ITERATE b
Co Co Co
Co
Co
M(b) M(b) M(b)
Within the monitor a ITERATE b, the image shows three cycles of b. If M(b) ⊃ Co
then Co∗ is established at the end of each cycle and, if Co is an exportable
commitment (i.e. Co ≡ Co∗), then Co holds over the whole interval.
Figure 4.12: Exportable commitment
4.2.2 Examples
Example 4.2.1 Invariant. Consider the ITL-Monitor m where
m = a ITERATE (FIRST (f ) WITH (A← A))
The monitor verifies an execution trace against the ITL formulaM(a) ∧ (B(f ) ∧ (A← A))∗.
The subformula A ← A specifies that the value of A in the final state of the subinterval
equals its value in the initial state of the subinterval. The formula A ← A is also a fixpoint
of chopstar, and hence an exportable commitment. Therefore, sinceM(m) ⊃ (A← A)∗, and
(A ← A)∗ ≡ (A ← A), each iteration re-establishes A ← A and, when the loop terminates,
this invariant property will also hold over the whole interval. 
Example 4.2.2 Refactor. Consider the ITL-Monitor m where
m = a ITERATE (FIRST (f ) ALWAYS (w)) ITERATE (FIRST (g) ALWAYS (w))
which monitors the ITL formula M(a) ∧ (B f ∧ 2w)∗ ∧ (B g ∧ 2w)∗. Suppose that this
monitor is determining an exportable commitment Co where
Co ≡ Cof ∧ Cog
2w ∧ f ⊃ Cof
2w ∧ g ⊃ Cog
The monitor (inefficiently) duplicates the evaluation of the subexpression ALWAYS (w). In
general, one cannot refactor (B f ∧ h)∗ ∧ (B g ∧ h)∗ to (B f )∗ ∧ (B g)∗ ∧ h. However, the
formula 2w is a fixpoint of 2a and hence an importable assumption. Therefore, it is possible
82 Chapter 4: ITL Monitor
to establish separately that 2w holds over the whole interval, and import it into all of the
subintervals specified by the individual B f and B g subformulae.
m = a ALWAYS (w) ITERATE FIRST (f ) ITERATE FIRST (g)
Thus ALWAYS (w) runs concurrently with the two parallel iterations. If w is discovered not to
hold in any state then the whole monitor fails immediately. (See discussion on ALWAYS (page
77). 
4.3 Selection
The monitor a UPTO b is satisfied by an interval provided that the interval satisfies either
a or b (or both). Both monitors analyse the evolving interval until either M(a) or M(b)
holds, at which point the composition succeeds. This concept can be specialised so that the
choice between a and b is based upon the first state of the interval. Such a situation arises at
the point of fusion between two monitors a THEN b. The final state of a becomes the initial
state of b thus providing the possibility of communication between the two subintervals. The
continuation branch can be selected following the application of a single-state monitor that
involves a state expression, w . For example, consider the following pattern:
(a UPTO (HALT (w))) THEN ( (GUARD (w) THEN b0) UPTO
(GUARD (¬ w) THEN b1)
)
(S1)
The monitor expression (a UPTO (HALT (w))) is satisfied by an interval over which either
M(a) holds, or halt(w) holds. Suppose that M(a) ∧ 2(¬ w) represents normal termination
and halt(w) represents some exceptional condition. The GUARD s can be used to analyse the
value of this formula and determine which subsequent monitor (b0 or b1) to evaluate. Both
branches of UPTO will be evaluated simultaneously and will continue until one of the branches
succeeds. However, if the guards are mutually exclusive, as is the case in this example, then
one of these guarded expressions will be eliminated immediately.
This pattern can be extended by using an integer flag, I say, to denote normal termination
(I = 0) or an error code (I > 0). In general, if I ∈ {0 . . .M } then each one of M different
interrupts might be matched.
4.4 Algebraic properties of monitors 83
a UPTO (FIRST (fin I > 0)) THEN ( (GUARD (I = 0) THEN b0) UPTO
(GUARD (I = 1) THEN b1) UPTO
...
(GUARD (I = M ) THEN bM )
)
(S2)
All of the guards are checked in parallel. In this case all except one will fail and the monitor
will quickly reduce to one of the bi , i ∈ {0 . . .M }.
If no guard succeeds then the monitor fails. The style of selection described by this pattern
is reminiscent of Dijkstra’s Guarded Command Language [Dij75].
4.4 Algebraic properties of monitors
The ITL-Monitor operators respect a number of algebraic laws which are presented in this
section. The calculus permits the specification/monitor designer to compose and refactor
ITL-Monitor specifications whilst maintaining equivalent ITL formulae for analysis. All of the
laws in this Chapter have been developed as part of this thesis and appear in Chapter 7 of
[CMS19].
4.4.1 First occurrence fixpoint law
Primary monitors satisfy a fixpoint law: M(a) is a fixpoint of B:
` M(a) ≡ BM(a) MFixFst (C .309)
This law states that the formula represented by any monitor is a first-occurrence formula.
Therefore, every monitor operator preserves this property. This result is used extensively
throughout the proofs of many of the algebraic monitor laws.
4.4.2 Equivalence of monitors
The following equivalence relation3 facilitates a succinct expression of the algebraic monitor
laws.
(a ' b) ≡ (` M(a) =M(b)) EqDef (C .324)
a ' a MonEqRefl (C .325)
a ' b ` b ' a MonEqSym(C .326)
3Defined by A Cau as part of the Isabelle translation of the laws [CMS19].
84 Chapter 4: ITL Monitor
a ' b, b ' c ` a ' c MonEqTrans(C .327)
4.4.3 Annihilator and identity laws
FAIL UPTO a ' a MFailUpto(C .330)
FAIL THRU a ' FAIL MFailThru(C .331)
FAIL AND a ' FAIL MFailAnd (C .332)
a THEN FAIL ' FAIL MThenFail (C .333)
FAIL THEN a ' FAIL MFailThen(C .334)
FAIL WITH f ' FAIL MFailWith(C .335)
a WITH false ' FAIL MWithFalse(C .336)
a WITH true ' a MWithTrue(C .337)
EMPTY UPTO a ' EMPTY MEmptyUpto(C .338)
EMPTY THRU a ' a MEmptyThru(C .339)
a THEN EMPTY ' a MThenEmpty(C .340)
EMPTY THEN a ' a MEmptyThen(C .341)
EMPTY ITERATE b ' EMPTY MEmptyIterate(C .342)
4.4.4 Idempotence laws
a UPTO a ' a MUptoIdemp(C .344)
a THRU a ' a MThruIdemp(C .345)
a AND a ' a MAndIdemp(C .346)
(WITH f ) ◦ (WITH f ) ' (WITH f ) MWithIdemp(C .347)
a ITERATE a ' a MIterateIdemp(C .343)
The law MWithIdemp(C .347) uses the notation of operator sections: (WITH f ) = λm •
m WITH f
4.4.5 Commutativity laws
a UPTO b ' b UPTO a MUptoCommut (C .348)
a THRU b ' b THRU a MThruCommut (C .349)
a AND b ' b AND a MAndCommut (C .350)
(WITH f ) ◦ (WITH g) ' (WITH g) ◦ (WITH f ) MWithCommut (C .351)
4.4 Algebraic properties of monitors 85
a
b
a UPTO b
a THRU (a UPTO b)
a
b
a UPTO b
a THRU (a UPTO b)
Figure 4.13: Pictorial representation of MThruUptoAbsorp(C .358)
4.4.6 Associativity laws
(a UPTO b) UPTO c ' a UPTO (b UPTO c) MUptoAssoc(C .352)
(a THRU b) THRU c ' a THRU (b THRU c) MThruAssoc(C .353)
(a AND b) AND c ' a AND (b AND c) MAndAssoc(C .354)
(a THEN b) THEN c ' a THEN (b THEN c) MThenAssoc(C .355)
4.4.7 Absorption laws
a UPTO (a THRU b) ' a MUptoThruAbsorp(C .357)
a THRU (a UPTO b) ' a MThruUptoAbsorp(C .358)
(WITH f ) ◦ (WITH g) ' (WITH (f ∧ g)) MWithAbsorp(C .356)
The second of these laws is illustrated in Figure 4.13.
86 Chapter 4: ITL Monitor
4.4.8 Distributivity laws
a UPTO (b THRU c) ' (a UPTO b) THRU (a UPTO c) MUptoThruDistrib(C .359)
(a THRU b) UPTO c ' (a UPTO c) THRU (b UPTO c) MThruUptoRDistrib(C .362)
a THRU (b UPTO c) ' (a THRU b) UPTO (a THRU c) MThruUptoDistrib(C .361)
(a UPTO b) THRU c ' (a THRU c) UPTO (b THRU c) MUptoThruRDistrib(C .360)
a THEN (b AND c) ' (a THEN b) AND (a THEN c) MThenAndDistrib(C .364)
a THEN (b UPTO c) ' (a THEN b) UPTO (a THEN c) MThenUptoDistrib(C .366)
a THEN (b THRU c) ' (a THEN b) THRU (a THEN c) MThenThruDistrib(C .367)
((HALTw) WITH f ) UPTO ((HALTw) WITH g) ' (HALTw) WITH (f ∨ g)
MHaltWithUptoHaltWithEqvHaltWithOr (C .369)
((HALTw) WITH f ) AND ((HALTw) WITH g) ' (HALTw) WITH (f ∧ g)
MHaltWithAndDistrib(C .368)
((HALTw) WITH f ) THRU ((HALTw) WITH g) ' ((HALTw) WITH f ) AND ((HALTw) WITH g)
MHaltWithThruHaltWithEqvHaltWithAndHaltWith(C .370)
Figure 4.14 provides a pictorial representation of the law MThruUptoDistrib(C .361).
4.4.9 Algebraic structures
The monitor properties listed in the previous sections permit various algebraic structures
to be identified. Table 4.15 summarises the algebraic properties that are satisfied by these
operators.
Using the properties summarised in Table 4.15 the following categorisations can be made.
• (ITL-Monitor,AND) is an idempotent, commutative semigroup.
• (ITL-Monitor,THEN, EMPTY) is a monoid.
• (ITL-Monitor,UPTO, FAIL) is an idempotent, commutative monoid. This is also a
bounded, meet-semilattice with an order relation a ≤ b ⇔ a UPTO b ' a with greatest
element FAIL.
• (ITL-Monitor,THRU, EMPTY) is an idempotent, commutative monoid. This is also a
bounded, join-semilattice with an order relation a ≥ b ⇔ a THRU b ' a with least
element EMPTY.
• (ITL-Monitor,UPTO, FAIL,THRU, EMPTY) is an idempotent semiring (R,+, 0, ◦, 1). The
absorption laws, MThruUptoAbsorp(C .358) and MUptoThruAbsorp(C .357), combine the
4.4 Algebraic properties of monitors 87
a
b
c
b UPTO c
a THRU (b UPTO c)
a THRU b
a THRU c
(a THRU b) UPTO (a THRU c)
a
b
c
b UPTO c
a THRU (b UPTO c)
a THRU b
a THRU c
(a THRU b) UPTO (a THRU c)
a
b
c
b UPTO c
a THRU (b UPTO c)
a THRU b
a THRU c
(a THRU b) UPTO (a THRU c)
a
b
c
b UPTO c
a THRU (b UPTO c)
a THRU b
a THRU c
(a THRU b) UPTO (a THRU c)
a
b
c
b UPTO c
a THRU (b UPTO c)
a THRU b
a THRU c
(a THRU b) UPTO (a THRU c)
a
b
c
b UPTO c
a THRU (b UPTO c)
a THRU b
a THRU c
(a THRU b) UPTO (a THRU c)
Figure 4.14: Pictorial representation of MThruUptoDistrib(C .361)
UPTO THRU AND THEN ITERATE WITH
Annihilator(L) FAIL FAIL FAIL FAIL FAIL
Annihilator(R) FAIL FAIL FAIL false
Identity(L) FAIL EMPTY EMPTY EMPTY
Identity(R) FAIL EMPTY EMPTY true
Idempotent X X X X
Commutative X X X
Associative X X X X
UPTO distributes through LR
THRU distributes through LR
THEN distributes through L L L
UPTO absorption X
THRU absorption X
Figure 4.15: Summary table of algebraic properties
88 Chapter 4: ITL Monitor
two semilattices into a bounded lattice with top element FAIL and bottom element
EMPTY.
FAIL
|
3s (Ma)
|
B(Ma)
|
2s ¬ (Ma)
|
EMPTY
The relationship between UPTO, THRU, AND, EMPTY, and FAIL is illustrated in Figure
4.16.
hsiM(a) ^ hsiM(b)
hsiM(a) ^ .M(b) .M(a) ^ hsiM(b)
[s]:M(a) ^ .M(b).M(a) ^ [s]:M(b)
[s]:M(a) ^ [s]:M(b)
FAIL
EMPTY
.M(a) ^ .M(b)
a THRU b
a AND b
a UPTO b
Figure 4.16: Lattice showing the relationship between UPTO, AND, and THRU
4.5 Example specification - scoring tennis 89
4.5 Example specification - scoring tennis
In this section a small example specification is presented that demonstrates the use of the
ITL-Monitor operators. To assist with the explanation of the scenario, Z notation [Spi01] is
used alongside the explanatory text.
Consider a piece of software that is monitoring two players’ scores throughout a tennis match.
The players are represented by the type Player.
Player ::= p1 | p2
In this example, the two players compete by playing the best of five sets. To win a set a player
has to win at least six games and to have won at least two more games than their opponent.
Thus the set may end with a scores of 6-0 or 9-7 for example, but not 6-5.4
A game is won by the first player to win at least four points and to have at least two more
points than their opponent. Rather than use simple numbering, 1 . . 4, the points in tennis
games have special names: fifteen, thirty, forty, and game, respectively, with a special extra
point called advantage. The type Point enumerates these values.
Point ::= love | fifteen | thirty | forty | advantage | game
Because a player must win a game by two clear points, if the score is forty-forty then the
player that wins the next point moves to advantage rather than game. Similarly, if a player at
advantage fails to win the next point then the score reverts to forty-forty. The point transitions
that occur when player p1 wins a point are specified by the function updatePoints. Each pair
of points represents scores for players (p1, p2) respectively.
updatePoints : (Point × Point)→ (Point × Point)
updatePoints =
{ (love, love) 7→ (fifteen, love), (love,fifteen) 7→ (fifteen,fifteen),
(love, thirty) 7→ (fifteen, thirty), (love, forty) 7→ (fifteen, forty),
(fifteen, love) 7→ (thirty , love), (fifteen,fifteen) 7→ (thirty ,fifteen),
(fifteen, thirty) 7→ (thirty , thirty), (fifteen, forty) 7→ (thirty , forty),
(thirty , love) 7→ (forty , love), (thirty ,fifteen) 7→ (forty ,fifteen),
(thirty , thirty) 7→ (forty , thirty), (thirty , forty) 7→ (forty , forty),
(forty , love) 7→ (game, love), (forty ,fifteen) 7→ (game,fifteen),
(forty , thirty) 7→ (game, thirty), (forty , forty) 7→ (advantage, forty),
(forty , advantage) 7→ (forty , forty), (advantage, forty) 7→ (game, forty) }
The tennis match may be represented by the following state comprising variables for the
4In this example tie breaks for a set are not used.
90 Chapter 4: ITL Monitor
number of points, games, and sets. Each variable holds a pair of values for p1 and p2
respectively.
Match
Points : Point × Point
Games : N× N
Sets : N× N
At the start of the match all the scores are zero:5
StartMatch =̂ [Match ′ | Points ′ = (love, love) ∧ Games ′ = (0, 0) ∧ Sets ′ = (0, 0)]
The operation to update the scores when a point is won is defined as the sequential
composition of three operations: UpdatePoints, then UpdateGames, then UpdateSets. Each of
these is presented below. (In Z an operation relates the before values of the state and their after
values. Within each operation schema the before states are introduced by including Match
and the after states are introduced by including Match ′. The primed variables represent the
after states.)
UpdatePoints inputs the winner of the point and uses this to decide how to update the points.
If p2 wins the point then the arguments to, and results from, the updatePoints function must
be reversed. The other state variables are not changed.
UpdatePoints
Match
Match ′
winner? : Player
winner? = p1⇒ Points ′ = updatePoints(Points)
winner? = p2⇒ Points ′ = let (x1, x2) == Points;
(y2, y1) == updatePoints(x2, x1) • (y1, y2)
Games ′ = Games
Sets ′ = Sets
UpdateGames must check to see if a game has just been won by either of the players. This
is determined by inspecting the first and second fields of the Points variable respectively. If
either player’s score has reached game that player’s game count is incremented. If neither
player has won a game then the state variables are unchanged. In any case the Sets variable
is unchanged at this stage and will be checked in the subsequent schema. Note that the first
two conjuncts are mutually exclusive because only one player can win a game.
5In Z initial states are conventionally primed – i.e. they are considered as after states.
4.5 Example specification - scoring tennis 91
UpdateGames
Match
Match ′
first(Points) = game ⇒ Games ′ = (first(Games) + 1, second(Games))
second(Points) = game ⇒ Games ′ = (first(Games), second(Games) + 1)
first(Points) 6= game ∧ second(Points) 6= game ⇒ Games ′ = Games
Points ′ = Points
Sets ′ = Sets
UpdateSets must check to see if a set has just been won by one of the players. If neither
player has won a set then no state variables are changed. The operation also outputs a set of
winners which is empty if neither player has won, or contains the winning player otherwise.
Once again, the first two conjuncts are mutually exclusive because only one player can win a
game.
UpdateSets
Match
Match ′
winner ! : PPlayer
first(Games) ≥ 6 ∧ first(Games) > (second(Games) + 1)⇒
Sets ′ = (first(Sets) + 1, second(Sets))
second(Games) ≥ 6 ∧ second(Games) > (first(Games) + 1)⇒
Sets ′ = (first(Sets), second(Sets) + 1)(
(first(Games) < 6 ∨ second(Games) < 6 ∨
abs(first(Games)− second(Games)) ≤ 1)
)
⇒ Sets ′ = Sets
Games ′ = Games
Points ′ = Points
winner ! = if first(Sets) ≥ 2 then {p1}
else if second(Sets) ≥ 2 then {p2}
else ∅
Finally, the PlayPoint operation can be expressed as the sequential composition of the three
component operations. (In Z schema composition S o9 T equates the after state of S with the
before state of T and hides this intermediate state.)
PlayPoint =̂ UpdatePoints o9 UpdateGames o9 UpdateSets
The following two operations specify the state transitions required to reset the Points scores
and the Sets scores following a game-win and a set-win respectively. The schemas ResetPoints
92 Chapter 4: ITL Monitor
and ResetGames specify the resetting of the relevant state variables. The schema NewGame
is called following a game-win but not a set-win. The schema NewSet is called following a
set-win and it incorporates the act of starting a new game.
ResetPoints =̂ [Match; Match ′ | Points ′ = (love, love)]
ResetGames =̂ [Games ′ = (0, 0)]
NewGame =̂ [ResetPoints | Games ′ = Games ∧ Sets ′ = Sets]
NewSet =̂ [ResetPoints; ResetGames | Sets ′ = Sets]
The scoring of a particular tennis match is recorded by a trace in which each state holds
the variables Points, Games, and Sets. For example, the trace after seven points have been
played might be:
Points (0, 0) (0, 0) (0, 15) (0, 30) (0, 40) (15, 40) (15,G) (0, 0) (15, 0)
Games (0, 0) (0, 0) (0, 0) (0, 0) (0, 0) (0, 0) (0, 1) (0, 1) (0, 0)
Sets (0, 0) (0, 0) (0, 0) (0, 0) (0, 0) (0, 0) (0, 0) (0, 0) (0, 0)
σ σ0 σ1 σ2 σ3 σ4 σ5 σ6 σ7 σ8
In the above example, σ0 represents the initial state specified by StartMatch. The state σ1
is the start of the first set.6 Each of the transitions σ1 → σ2, σ2 → σ3, σ3 → σ4, σ4 → σ5,
σ5 → σ6, and σ7 → σ8 represent state changes specified by PlayPoint . The state transition
σ6 → σ7 represents the state change specified by NewGame. It is useful to consider the suffix
of some possible later trace that includes a set win:
Points (15, 30) (15, 40) (15,G) (0, 0) (0, 15) (0, 30) (0, 40) (0,G) (0, 0)
Games (4, 5) (4, 5) (4, 6) (0, 0) (0, 0) (0, 0) (0, 0) (0, 1) (0, 1)
Sets (0, 0) (0, 0) (0, 1) (0, 1) (0, 1) (0, 1) (0, 0) (0, 1) (0, 1)
σ σ70 σ71 σ72 σ73 σ74 σ75 σ76 σ77 σ78
In this example the final game in the first set is won in state σ72 – this state is the end of a
game subinterval and a set subinterval. The next state σ73 shows the reset values of Points
and Games and maintains the updated Sets. Play continues and state σ77 shows the end of
the next game, etc.
The previously-defined updatePoints function enumerates all of the possible point score
transitions for both players from the perspective of p1 winning the point. However, the
set of legal point score transitions for a single player can be specified as follows:
6The fact that σ1 = σ0 looks odd but it is only a special case because σ1 is the beginning of the first set.
4.5 Example specification - scoring tennis 93
 : Point ↔ Point
∀ p1, p2 : Point •
p1  p2 ⇔
(p1, p2) ∈ { (love,fifteen), (fifteen, thirty), (thirty , forty), (forty , game)
(forty , advantage), (advantage, forty), (advantage, game) }
Thus it is possible to capture a temporal property relating Points(p) and ©(Points(p)) for
each player p following each point-win.7
winPoint = skip ∧ ( ( stable(Points(p1)) ∧ (Points(p2) ©(Points(p2))) ) ∨
( stable(Points(p2)) ∧ (Points(p1) ©(Points(p1))) ) )
validGame specifies an interval representing a single game. Initially the Points score for
each player is set to love, and then a finite sequence of winPoint transitions occurs. The
relationship between the Games scores for each player are defined by their values across the
whole interval. The ITL formula A <∼ e means that the value of state variable A is stable
until the final state in which its value must equal e. Thus, over the course of a single game one
player’s game score must remain constant, whereas the opponent’s game score will increase
by one in the final state: i.e. when the game is won. The end of the interval is determined as
soon as either player’s Points score reaches game.
validGame = (Points(p1) = love) ∧ (Points(p2) = love) ∧
winPoint∗ ∧
( ((Games(p1) <∼ (Games(p1) + 1)) ∧ stable(Games(p2))) ∨
((Games(p2) <∼ (Games(p2) + 1)) ∧ stable(Games(p1))) )
gameOver = (Points(p1) = game) ∨ (Points(p2) = game)
An interval representing a game must satisfy validGame ∧ halt(gameOver). The reason it is
convenient to split this into two parts is because halt(gameOver) can be used to determine
the length of the interval consumed by the corresponding ITL-Monitor. Specifically, the
interval will extend to the first occurrence of the state formula gameOver . Then the formula
validGame can be checked against the accrued interval.
A set of tennis is won by the player who is the first to win at least two more games than their
opponent and who has won at least six games. Initially both players’ Games scores are set
to zero.
7In ITL the formula stable(A) means that A’s value does not change throughout the interval.
94 Chapter 4: ITL Monitor
validSet = (Games(p1) = 0) ∧ (Games(p2) = 0) ∧
( ((Sets(p1) <∼ (Sets(p1) + 1)) ∧ stable(Sets(p2))) ∨
((Sets(p2) <∼ (Sets(p2) + 1)) ∧ stable(Sets(p1))) )
setOver = ( ((Games(p1) >= 6) ∧ (Games(p2) + 1 < Games(p1))) ∨
((Games(p2) >= 6) ∧ (Games(p1) + 1 < Games(p2))) )
Once again, note that it is convenient to split the specification for playing a single set into
two parts. A set must satisfy validSet ∧ halt(setOver). In a similar way to gameOver (above)
the first occurrence of setOver will be used to define the extent of the interval covered by the
corresponding monitor. A match is over as soon as one of the players wins two sets. Thus
the extent of a match is specified as halt(matchOver), where
matchOver = (Sets(p1) = 3) ∨ (Sets(p2) = 3)
The scoring system for a tennis match conveniently splits the specification into subintervals.
Furthermore, the fact that Points are reset to zero at the start of each new game, and Games
are reset to zero at the start of each new set, provides a set of natural fusion points across
which backtracking is unnecessary. In the first state the initialisation requires:
startMatch = Points(P1) = love ∧ Points(P2) = love ∧
Games(P1) = 0 ∧ Games(P2) = 0 ∧
Sets(P1) = 0 ∧ Sets(P2) = 0
A runtime monitor for checking a tennis scoring program against this specification can now
be constructed using ITL-Monitor.
bygame = GUARD (startMatch) THEN HALT (matchOver) ITERATE (
(SKIP THEN HALT (setOver) ITERATE (
SKIP THEN HALT (gameOver) WITH (skip ; validGame)
)
) WITH (skip ; validSet)
)
4.5.1 Running the verification
As the tennis program under test proceeds it sends each update to any of the state variables to
the monitor. Let us consider the evaluation of the first set – for the purpose of this discussion
it will be assumed that the set consists of six games. Each game is preceded by SKIP to
separate each one from the next - i.e. by skipping from the end of one game to the start of
the next game. The diagram in Figure 4.17 shows the interval evolving as each of the games
in a set is verified.
4.5 Example specification - scoring tennis 95
skip one game
one set
Direction of time
No backtracking across these lines
. . .
Figure 4.17: A set of tennis
Games do not share states which is why each is preceded by a single skip. The verification of
a single game may involve backtracking since the specification is non-deterministic. However,
backtracking cannot cross the vertical lines: each game is extended to the first occurrence of
gameOver which cannot be satisfied by any other fusion point.
4.5.2 Adjusting the granularity of the analysis
The match monitor reports on whether or not the system under test meets the specification
after each game is played: this is illustrated in Figure 4.17. Thus the ‘granularity’ of the
analysis is at the level of a single tennis game. Recall that the specification of a game involves
non-determinism which is why it cannot be checked after every state.
It is possible to decrease the granularity of the analysis by testing an interval after each set.
The following ITL specification covers a single set of tennis:
byset = GUARD (startMatch) THEN HALT (matchOver) ITERATE (
(SKIP THEN HALT (setOver)) WITH
((skip ; (halt(gameOver) ∧ validGame))∗ ∧ (skip ; validSet))
)
This monitor will not be able to report upon any violations of the specification until a whole
set has been played. Furthermore, at the points of verification – in this case when a set
has completed – the evaluation will take longer when compared to the sum of several much
smaller evaluations following each game.
Ultimately, it is possible to decrease the granularity of the analysis to cover an entire tennis
match. This effectively generates the entire trace for subsequent analysis. The revised ITL
formula would be:
96 Chapter 4: ITL Monitor
byMatch = GUARD (startMatch) THEN HALT (matchOver) WITH validMatch
This requires significant backtracking given the embedded choice within each of the sub-
specifications, and the employment of two levels of chopstar. In this case all of the verification
would take place as soon as the match is over but no verification would occur while the
program is running.
This example has demonstrated a decrease of the granularity of the analysis from games, to
sets, to the whole match. Is it possible to increase the granularity of the analysis to the level
of individual states? It is not possible simply to reduce the scope of each monitor to analyse
every pair of adjacent states: the non-determinism in the specification does not permit this.
4.6 Summary
This chapter has presented ITL-Monitor syntax and translation into ITL. The monitor
operators were described informally with illustrative examples. The small case study at
the end of the chapter showed how ITL-Monitor could be used to specify a runtime monitor
for an example system. An investigation into the mathematical properties of monitors was
undertaken and the results presented. Algebraic structures were identified for combinations of
ITL-Monitor operators and these have been organised and presented. An important monitor
law, MFixFst (C .309), was established and its roˆle in the maintenance of first occurrence
properties of monitors was explained.
Chapter 5
ITL Monitor implementation
This chapter describes the implementation of ITL-Monitor. The library contains two principal
objects, ITL and Monitor, each of which is described below. ITL defines an Application
Programming Interface (API) for creating ITL formulae, and Monitor defines the API for
specifying runtime verification monitors in ITL-Monitor. Section 5.1.1 introduces the ITL
library, including the implementation of each of its key components. Section 5.1.2 introduces
the Monitor library from the perspective of constructing user-defined specifications. The
translation of the derived monitors using a range of optimisation flags is also explained.
Section 5.2 looks in detail at the underlying representation of runtime monitors as a network
of Akka actors [Wya13, Akk17]. The process of creating an Akka network representing an
abstract monitor is described, and the way the network acts as a monitor, receiving messages
from a program, forming and returning judgements, is illustrated with a worked example.
Throughout this chapter both ITL formulae and ITL-Monitor specifications, which represent
ITL formulae, may be referred to both as temporal logic formulae – as mathematical objects –
or as processes. Mathematically, FIRST (f ) represents an ITL formula, B f , that may satisfied
by some finite interval. Operationally, FIRST (f ) is a monitor (a process) that maintains an
internal representation of the states that have been passed to it (an interval), and terminates
successfully as soon as the interval satisfies f . Mathematically, FIRST (f ) AND FIRST (g) is an
executable ITL-Monitor representing the ITL formula B f ∧ B g . Operationally, it represents
a concrete monitor – a hierarchy of Akka actors – in which the two submonitors FIRST (f ) and
FIRST (g) could be executing in parallel. These examples reflect the purpose of this thesis:
to create a library of executable, runtime monitors that represent ITL formulae directly, and
whose combination reflect new executable monitors that can verify the composition of their
respective formulae.
98 Chapter 5: ITL Monitor implementation
Listing 5.1: Monitor.scala
1 object ITL {
2 abstract class Var[T]
3 case class Val[T](v: T)
4 type VarUpdate = (Var[T],T) forSome {type T}
5 class Interval {
6 def get[T](k: Int , v: Var[T]): Option[Val[T]]
7 def add(updates: VarUpdate* ): Interval
8 }
9 abstract class Expr[T] {
10 def evalExpr[T](expr: Expr[T], sigma: Interval ): Option[Const[T]]
11 case class Const[T](c: T) extends Expr[T]
12 case class Ref[T](v: Var[T]) extends Expr[T]
13 case class Unary[T,U](op: T=>U, x: Expr[T]) extends Expr[U]
14 case class Binary[T,U,V](op: (T,U)=>V, x: Expr[T], y: Expr[U]) extends Expr[V]
15 case class With[T,U](x: Expr[T], f: Const[T] => Expr[U]) extends Expr[U]
16 case class Next[T](v: Var[T]) extends Expr[T]
17 case class Fin[T](v: Var[T]) extends Expr[T]
18 case class IntLen () extends Expr[Int]
19 }
20 abstract class Formula {
21 def evalFormula(sigma: Interval ): Boolean
22 case class Exp (x: Expr[Boolean ]) extends Formula
23 case class Not (f: Formula) extends Formula
24 case class Final (f: Formula) extends Formula
25 case class And (f: Formula , g: Formula) extends Formula
26 case class Len (n: Int) extends Formula
27 case class Chop (f1: Formula , f2: Formula) extends Formula
28 case class Chopstar(f: Formula) extends Formula
29 }
30 }
Figure 5.1: Overview of ITL.scala
5.1 Application programming interface
ITL-Monitor is implemented as a collection of objects and classes in Scala. These are defined
in two Scala files: ITL.scala which contains support for ITL specifications and intervals; and
Monitor.scala which provides the implementation of ITL-Monitor. Each of these is presented
below.
5.1.1 ITL
The ITL API provides all the components necessary to define and evaluate an ITL formula
with respect to an interval. An overview of the key objects, classes, types, and methods
is presented in Figure 5.1. (The code appears in full in Listing A.1). The figure shows
the classes relating to variables, values, intervals, expressions and formulae. Unnecessary
detail has been omitted including some superclass relationships, internal data structures, and
derived operators.
ITL expressions and formulae are implemented as data structures (trees) whose definitions
5.1 Application programming interface 99
1 Not(
2 Chop(
3 Chop(
4 Exp(
5 Const(true)
6 ),
7 And(
8 Len(1),
9 Not(
10 Exp(
11 Binary(
12 RelInt.EQ,
13 Binary(
14 NumInt.Mul ,
15 Ref(A),
16 Const (2)
17 ),
18 Fin(A)
19 )
20 )
21 )
22 )
23 ),
24 Exp(
25 Const(true)
26 )
27 )
28 )
Figure 5.2: Representation of the ITL formula A gets (A ∗ 2)
appear in Figure 5.1 (lines 9-19 and 20-29). For example, the ITL formula A gets (A ∗ 2) is
shown in Figure 5.2.
The expressions and formulae data structure constitutes a deeply embedded DSL (cf. 2.4.1).
The use of case classes to represent the ‘nodes’ in the expression/formulae trees allows Scala’s
pattern matching to recognise structures for evaluation and/or rewriting. An example of
rewriting is given by the function not: when evaluating not(f) the structure of f is matched
to avoid the potential of returning a doubly-negated formula.
def not(f: Formula): Formula = f match { case (Not(g)) => g
case _ => Not(f) }
100 Chapter 5: ITL Monitor implementation
Without this optimisation the subformula And(..) in Figure 5.2 (lines 7-23) would have been
constructed as Not(Not(And(..))).
Pattern matching is also used in the evaluation of formulae. For example, the (private)
f.evalFormula(sigma, i, j) method application evaluates a formula f with respect to
the subinterval sigmai..j. Evaluation of formulae matching the pattern Chop(f, g) can be
simplified if one of the subformulae specifies a subinterval of a specific length. The method
application f.fixed() returns None if f is not a fixed-length formula, and Some(m), where
m is a positive integer representing the fusion point, otherwise. If either f or g has a fixed
length then the search for a fusion point can be reduced from j − i + 1 possibilities to just
one.
case Chop(f, g) => (f.fixed(), g.fixed()) match {
case (None,None) => (i to j).toStream.map(k =>
if (f.evalFormulaFromTo(sigma, i, k))
g.evalFormulaFromTo(sigma, k, j)
else
false).contains(true)
case (Some(m),None) => (i+m >= i && i+m <= j) &&
f.evalFormulaFromTo(sigma, i, i+m) &&
g.evalFormulaFromTo(sigma, i+m, j)
case (None,Some(n)) => (j-n >= i && j-n <= j) &&
f.evalFormulaFromTo(sigma, i, j-n) &&
g.evalFormulaFromTo(sigma, j-n, j)
case (Some(m),Some(n)) => (i+m >= i && i+m <= j) &&
(i+m == j-n) &&
f.evalFormulaFromTo(sigma, i, i+m) &&
g.evalFormulaFromTo(sigma, i+m, j)
}
5.1.1.1 Variables
Figure 5.1 (line 2) introduces a parameterised, abstract class Var[T] representing variables
for use in ITL formulae. The use of the generic type variable T allows the Scala type checker
to perform valuable static type analysis on any user-defined variables.
User-defined variables are created as objects, subclassing from a suitably parameterised
instance of Var[T]. The use of an object for each variable ensures that it is identified with a
single Var instance. Each user-defined variable will inherit a range of ITL operators that are
defined for state variables including V <∼ e (padded temporal assignment), V ← e (temporal
5.1 Application programming interface 101
assignment), V := e (next-state assignment), and V gets e (unit delay).
For example, a state variable C that stores a character value, and B that stores a Boolean
value, are declared as follows.
object C extends Var[Char] { override def toString = "C" }
object B extends Var[Boolean] { override def toString = "B" }
The overridden toString methods permit the client to define how the variables should appear
when printed on the output stream.
On line 4 of the listing the type VarUpdate represents a tuple in which the components are
existentially quantified. Thus, the type T does not appear at top-level with the type itself.
This permits a list of VarUpdate tuples to be constructed in which each pair has correctly
matched types but differently typed tuples can appear in the same List[VarUpdate], e.g.,
List( (C, ’x’), (B, true) ). This is useful in the context of runtime verification in which
variables of different types may be updated simultaneously.
5.1.1.2 Values
Figure 5.1 (line 3) introduces a parameterised case class that is used to construct constant
values in ITL formulae. This is parameterised so that the type checker can ensure that
values are stored in variables of the same type. Looking ahead to the process of updating the
state during a runtime verification, a monitor mu may have its variables updated using a set
method, viz:
mu.set(B, true).set(C, ’x’)
The monitor set method builds internally a list of variable updates as shown at the end of
the previous section (5.1.1.1).
5.1.1.3 Intervals
Figure 5.1 (lines 5-8) introduces a class Interval as an opaque type.1 It is not possible to
parameterise the interval type, i.e. Interval[T], because this would require all the variables
in the state to be of the same type. Similar to the VarUpdate type (cf. 5.1.1.1), the interval
contains mappings in which each variable is bound to a value of the appropriate type.
Intervals are represented internally using a Scala immutable HashMap. However, its behaviour
can be captured by the following function in which the generic type T is hidden using
existential quantification.
1See Listing A.1 for the full implementation of intervals.
102 Chapter 5: ITL Monitor implementation
Interval = ∃T • Var [T ]→ (N→ Val [T ])
For each variable, a mapping is maintained in which the (index,value) pairs are only stored
when changes occur. The value if variable v at index i is equal to the value of v looked up at
the largest index j ≤ i for which an entry exists. This approach avoids potentially duplicated
values being stored in successive states and is similar to the representation used in ITL Tracer
[Jan10]. Locating the most recent index is currently a linear search (from i down to j ).2 Once
the index has been located, lookup in a Scala hashmap is constant time.
Consider the following example in which each state consists of two variables, X : Var [Int ]
and Y : Var [Boolean]. The interval σ:
X 1 1 1 7 7 7 7 7 9 9
Y t t t t f f f f f t
index 0 1 2 3 4 5 6 7 8 9
is stored using the hashmap sigma:
{X 7→ {0 7→ 1, 3 7→ 7, 8 7→ 9},Y 7→ {0 7→ t , 4 7→ f , 9 7→ t}}
In this example, lookup(sigma)(X )(5) = 7.
5.1.1.4 Expressions and formulae
Figure 5.1 (lines 9-19) introduces the abstract class Expr[T] which represents expressions of
type T. Lines 20-29 introduce the abstract class Formula. The basic forms of expressions and
formulae are provided as subclasses. Scala allows class member methods to be used infix,
i.e. method calls of the form o.m(p) can be written o m p. Coupled with the ability to use
symbolic method names, this syntactic sugar permits a useful range of infix binary operators
to be provided for expressions and formulae. Two examples from each abstract class are
provided below. Firstly, infix operators are provided for addition and comparison.
abstract class Expr[T] {
def + (that: Expr[T])(implicit o: Num[T]): Expr[T] = Binary(o.Add, this, that)
def < (that: Expr[T])(implicit o:Ord[T]): Expr[Boolean] = Binary(o.LT, this, that)
The implicit parameters refer to objects that define the appropriate functions for each type.
Thus a Num[Int] object, NumInt, contains the function Add for integers, and an Ord[Char]
2Future work will consider optimisations for sparse mappings which may derive or maintain index iterators.
5.1 Application programming interface 103
object, OrdChar, contains a less-than order relation LT for characters etc. The ITL API
exports implicit objects defining these functions for all of the Scala primitive types.
Scala’s implicit parameters can be applied automatically by the compiler provided there is a
suitably typed value in scope. Thus, if a and b are integer expressions then instead of writing
a.+(b)(NumInt), the expression can be written more succinctly as a + b, and NumInt is
appended silently by the compiler.
Useful infix operators have also been provided for formulae.
abstract class Formula {
def ‘;‘(that: Formula) = Chop(this,that)
def and(that: Formula) = And(this,that)
This syntax permits ITL formulae to be written, e.g., (f and g) ‘;‘ h.
5.1.1.5 Derived operators
All of ITL’s standard derived operators are provided within the API as functions. Some of
these use the standard names such as next and eventually whereas others use descriptions
of their mathematical symbols (which is common in ITL) such as di (‘diamond-i’, 3i ). Some
examples are shown below:
def chop(f1: Formula, f2: Formula): Formula = Chop(f1, f2)
val skip: Formula = Len(1)
def next(f: Formula): Formula = chop(skip, f)
def eventually(f: Formula): Formula = chop(TRUE, f)
def di(f: Formula): Formula = chop(f, TRUE)
5.1.2 Monitor
The Monitor API provides the components necessary to define and execute an ITL-Monitor.
An overview of the key objects, classes, types, and methods is presented in Figure 5.3. (The
full listing appears as Listing A.2). The figure shows the exported class Abstr.Monitor whose
subclasses constitute the core ITL-Monitor syntax. Unnecessary detail has been omitted.
Object Protocol (Figure 5.3, lines 2-10), defines the messages which form the communication
between the monitors internally, and the client program externally. Step extends the
execution trace by one state and passes the updated state as a list of variable updates (cf.
5.1.1.1). Show causes the underlying implementation to display a version of itself on the
104 Chapter 5: ITL Monitor implementation
Listing 5.2: Monitor.scala
1 object Monitor {
2 object Protocol { /* Communication protocol between monitors and clients */
3 abstract class Request
4 case class Step(updates: List[VarUpdate ]) extends Request
5 case class Show(indent: Int) extends Request
6 abstract class Reply
7 case object Fail extends Reply
8 case object More extends Reply
9 case class Done(updates: List[VarUpdate ]) extends Reply
10 }
11 object OptimisationFlags {
12 class OpTy
13 case object ANY_STATE extends OpTy
14 case object ALL_STATES extends OpTy
15 case object ANY_PREFIX extends OpTy
16 case object ALL_PREFIXES extends OpTy
17 case object CHECK_ONCE extends OpTy
18 }
19 object Abstr {
20 class Monitor {
21 def ::( name: String ): Monitor = Name(name ,this)
22 def UPTO(that: Monitor ): Monitor = Upto(this ,that)
23 def THRU(that: Monitor ): Monitor = Thru(this ,that)
24 def THEN(that: Monitor ): Monitor = Then(this ,that)
25 def AND(that: Monitor ): Monitor = And(this ,that)
26 def ITERATE(that: Monitor ): Iterate = Iterate(this ,that)
27 def WITH(opt : OpTy , f: Formula ): Monitor = With(this ,opt ,f)
28 def WITH( f :Formula ): Monitor = With(this ,CHECK_ONCE ,f)
29 def TIMES(k: Int): Monitor = if (k==0) EMPTY
30 else this THEN (this TIMES (k-1))
31 def ALWAYS(w: Formula ): Monitor = With(this ,ALL_STATES ,w)
32 def SOMETIME(w: Formula ): Monitor = With(this ,ANY_STATE ,w)
33 def WITHIN(f: Formula ): Monitor = With(this ,ALL_PREFIXES ,
34 more implies (not(f) ‘;‘ skip))
35 }
36 def FIRST(f: Formula) = First(ANY_PREFIX , f)
37 def LEN(k: Int) = FIRST(len(k))
38 def SKIP = LEN(1)
39 def EMPTY = FIRST(empty)
40 def FAIL = FIRST(false) WITHIN (empty)
41 def HALT(w: Formula) = First(ANY_STATE , w)
42 def SKIPTO(w: Formula) = SKIP THEN HALT(w)
43 def GUARD(w: Formula) = EMPTY WITH (w)
44 def UNTIL (w1 : Formula , w2: Formula) = HALT(w2) WITH (bm(w1))
45
46 case class Name (name: String , a: Monitor) extends Monitor
47 case class First (opt: OpTy , f: Formula) extends Monitor
48 case class Upto (a: Monitor , b: Monitor) extends Monitor
49 case class Thru (a: Monitor , b: Monitor) extends Monitor
50 case class Then (a: Monitor , b: Monitor) extends Monitor
51 case class And (a: Monitor , b: Monitor) extends Monitor
52 case class Iterate(a: Monitor , b: Monitor) extends Monitor
53 case class Project(a: Monitor , b: Monitor , p: Monitor) extends Monitor
54 case class With (a: Monitor , opt: OpTy , f: Formula) extends Monitor
55 }
56 object Runtime {
57 case class RTM(a: Abstr.Monitor , name: String , system: ActorSystem)
58 def set[T](v: Var[T], a: T): RTM
59 def get[T](v: Var[T]): T
60 def stop
61 def verify: Reply
62 }
63 }
Figure 5.3: Overview of Monitor.scala
5.1 Application programming interface 105
output terminal for visual analysis/debugging. Fail, Done, and More represent the three
judgements that can be reported by a monitor following a Step.
Lines 21-44 define the ITL-Monitor operators, both infix and prefix, and their translations into
the internal data structure defined on lines 46-54. Like the ITL expressions and formulae,
this tree structure represents a deep-embedded DSL.
Object OptimisationFlags on lines 11-18 defines an optimisation type OpTy and a set of
subclass objects, each representing a different form of evaluation. On page 77 optimisations
of WITH were defined as derived monitors. It was noted that more efficient implementations
could be provided by exploiting their specific behaviours. The effect of each optimisation flag
is explained below:
ANY STATE – used by With to implement g.SOMETIME(w) (line 32) where w is a state
formula. The formula is checked when each new state is received. If any state satisfies
w then the formula 3w has succeeded and the monitor can simply become g.
This flag is also passed to First in the implemention of HALT(w) (line 41). This monitor
succeeds as soon as a state is received that satisfies the formula. With this optimisation
only the most recent state needs to be inspected obviating the need to store or search
an evolving subinterval within the monitor.
ALL STATES – used by With to implement .ALWAYS(w) (line 31). Once again, w is a
state formula. As each new state arrives, if any fails to satisfy w then the monitor
fails immediately. As with ANY STATE, the monitor does not need to maintain an
evolving interval.
ANY PREFIX – used by First as the default implemention of FIRST(f) (line 36). The
semanitcs of B f require that this monitor must terminate as soon as the accumulated
interval satisfies f. Therefore, this optimisation flag requires each prefix interval to be
examined in turn until the monitor succeeds.
ALL PREFIXES – used by With to implement g.WITHIN(f) (line 33). This flag requires
every prefix to satisfy the formula more ⊃ (¬ f ; skip). It guarantees that f does
not occur before g although the accumulated interval could satisfy both f and g
simultaneously. The monitor fails should f be satisfied before g.
CHECK ONCE – used by With as the default implemention of g.WITH(f). It maintains
the evolving interval but does not need to check that it satisfies f until g has completed
successfully. The implementation of UNTIL(w1, w2) (line 44) is an example of this
strategy.
Line 57 shows the constructor for a runtime monitor, RTM, which requires three parameters:
an instance of Abstr.Monitor which has been defined using the functions described above;
106 Chapter 5: ITL Monitor implementation
an identifying name to be used when printing to log files and the standard output stream;
an Akka [Akk17] actor system to be used for the underlying implementation. The abstract
monitor, a, is processed when the RTM is created, and transformed into its corresponding
concrete implementation. This is discussed in more detail in the Section 5.2.
The four methods on lines 58-61 define how the runtime monitor interacts with the program
being verified. set updates the monitor with a new variable/value pair. The monitor can
collect multiple updates to the state before performing the next analysis. The reason it
returns an RTM is because the method returns a reference to itself which allows multiple set
calls to be chained: for example, mu.set(B, true).set(C, ’x’). The method get looks
up the latest value of a variable stored in the monitor. stop terminates a monitor. verify
causes the monitor to process the latest state and return a judgement.
5.2 Concrete monitors
The abstract monitors described previously (Abstr.Monitor) reflect the syntax of ITL-
Monitor. Thus, for suitable ITL formulae f, g, h and p, a client could construct an abstract
monitor such as
val m: Abstr.Monitor = (FIRST(f) AND FIRST(g)) UPTO (FIRST(h) WITH p)
representing the ITL formula B((B f ∧ B g) ∨ (B h ∧ p)). This would be transformed (using
o1, o2 etc. to represent the appropriate optimisation flags) into the data structure:
Upto(And(First(o1, f), First(o2, g)), With(First(o3, h), o4, p))
Unlike the ITL formulae representations, this data structure is not evaluated directly. Rather,
it is translated into a network of Akka [Akk17] actors. The parent-child relationships in the
abstract syntax tree are reflected by communication channels between the corresponding
actors. The resulting actor network forms the concrete realisation of the ITL-Monitor
expresssion.
Figure 5.4 shows the principal components within Monitor.scala that implement concrete
monitors (Concr.Monitor). This is a skeleton view and extraneous detail has been omitted.
(The full code appears in Listing A.2).
5.2.1 Actor initialisation
Figure 5.4 (line 5) defines a concrete Monitor as an actor. Each of the classes shown on lines
8-14 are actors representing a node in the abstract monitor syntax tree. The startUp method
5.2 Concrete monitors 107
1 private object Concr {
2 import Protocol._
3 import OptimisationFlags._
4
5 abstract class Monitor extends Actor with ActorLogging
6
7 def startUp(mu: Abstr.Monitor , context: ActorContext ): ActorRef
8 case class First(name: String , opt: OpTy , f: Formula) extends Monitor
9 case class With(name: String , a: Abstr.Monitor , opt:OpTy , f: Formula) extends Monitor
10 case class Upto(name: String , a: Abstr.Monitor , b: Abstr.Monitor) extends Monitor
11 case class Thru(name: String , a: Abstr.Monitor , b: Abstr.Monitor) extends Monitor
12 case class And(name: String , a: Abstr.Monitor , b: Abstr.Monitor) extends Monitor
13 case class Then(name: String , a: Abstr.Monitor , b: Abstr.Monitor) extends Monitor
14 case class Iterate(name: String , a: Abstr.Monitor , b: Abstr.Monitor) extends Monitor
15 }
Figure 5.4: Overview of concrete monitor implementation
on line 7 is responsible for initiating a concrete monitor (actor) associated with an abstract
monitor. Calling startUp with an abstract monitor a creates a corresponding concrete actor
c, which, if a has children, calls startUp for each child.
The steps in the creation of a runtime monitor for the formula ((FIRST (f ) AND
FIRST (g)) UPTO (FIRST (h) WITH (p)) are shown below. For clarity, only the monitor and
formula parameters are given.
1. Within the program define the ITL formulae f, g, h, and p.
2. Define an ITL-Monitor:
val a = (FIRST(f) AND FIRST(g)) UPTO (FIRST(h) WITH (p))
3. The following chain of events is depicted in Figure 5.5.
(i) Define a runtime monitor (assuming a suitable Akka system, as, is in scope):
val mu: Runtime.RTM = RTM(a, "monitor name", as)
(ii) Initialisation of mu creates an RTMActor(a)
(iii) RTMActor(a) initiates Upto(And(First(f), First(g)), With(First(h), p))
(iv) Upto(And(First(f), First(g)), With(First(h), p))
initiates And(First(f), First(g))
(v) And(First(f), First(g)) initiates First(f)
(vi) And(First(f), First(g)) initiates First(g)
(vii) Upto(And(First(f), First(g)), With(First(h), p))
initiates With(First(h), p)
(viii) With(First(h), p) initiates First(h)
108 Chapter 5: ITL Monitor implementation
(i)
Program
(ii)
Program Monitor
(FIRST(f) AND FIRST(g))
UPTO(FIRST(h) WITH(p))
(iii)
Program Monitor
(FIRST(f) AND FIRST(g))
UPTO(FIRST(h) WITH(p))
UPTO
(iv)
Program Monitor
(FIRST(f) AND FIRST(g))
UPTO(FIRST(h) WITH(p))
UPTO
AND
(v)
Program Monitor
(FIRST(f) AND FIRST(g))
UPTO(FIRST(h) WITH(p))
UPTO
AND
FIRST(f)
σ
(vi)
Program Monitor
(FIRST(f) AND FIRST(g))
UPTO(FIRST(h) WITH(p))
UPTO
AND
FIRST(f) FIRST(g)
σ σ
(vii)
Program Monitor
(FIRST(f) AND FIRST(g))
UPTO(FIRST(h) WITH(p))
UPTO
AND WITH
FIRST(f) FIRST(g)
σ σ
σ
p
(viii)
Program Monitor
(FIRST(f) AND FIRST(g))
UPTO(FIRST(h) WITH(p))
UPTO
AND WITH
FIRST(f) FIRST(h)FIRST(g)
σ σ σ
σ
p
Figure 5.5: Initialisation of a concrete monitor
5.2 Concrete monitors 109
The behaviour of each actor is defined using an Akka receive block – an instance of a Scala
partial function, PartialFunction[Any, Unit]. The domain of the partial function is Any,
the root of Scala’s typeclass system, which allows any kind of message to be passed. This
is slightly dangerous because the communication channels are untyped.3 Only instances
of Request and Reply (Listing 5.3 lines 2-10) should be sent between monitors. Pattern
matching associates each received message with a corresponding action. The full listing of
Monitor.scala (Appendix A Listing A.2) shows the concrete monitor implementations and
how each actor’s behaviour is defined by a receive block.
5.2.2 Runtime monitoring
Once the actor network implementing a monitor has been initiated it receives Step
messages from the program being verified, and can deliver verdicts (cf. Figure 2.15). The
communication between the program, the monitor (actor), and each of the other actors uses
a synchronous protocol. Normally, within an actor network, the communication channels are
used asynchronously to avoid blocking. However, ITL-Monitor has been designed to execute in
lock-step with the program being verified. Thus, when the program sends a new state to the
monitor, it waits for a response. The decision to use a synchronised communication model
was taken to enable the program to ‘react at runtime’ in response to the verdicts it receives
from the monitor.
To see the runtime operation of a monitor, consider the earlier example: ((FIRST (f ) AND
FIRST (g)) UPTO (FIRST (h) WITH (p)). An actor representing UPTO is created and this
actor then spawns two children. These, in turn, have their own children. The situation is
illustrated in Figure 5.6. The architecture exhibits a loose form of coupling between the
program, the monitor, and the sub-monitors. The program and monitor communicate using
message passing.
Figure 5.7 illustrates what happens when the program generates the first state. It is passed on
to the monitor which, in turn, passes it down through each of the nodes, replicating the state
at each fork, until a copy of the state reaches each terminal node in the tree. This illustrates
how each terminal node maintains its own copy of the evolving interval. The terminal nodes
represent monitors such as FIRST which need access to a copy of the current subinterval in
order to judge whether or not it satisfies the given formula.
The design requires that these terminal nodes share an evolving subinterval. Any particular
implementation can decide how to achieve this depending upon the functionality required. For
example, references to a shared state could be used, to minimise duplication. Alternatively,
duplication could be used precisely to avoid shared, mutable state. Duplication provides for
3This is the definition in the Akka API.
110 Chapter 5: ITL Monitor implementation
Program Monitor
(FIRST(f) AND FIRST(g))
UPTO(FIRST(h) WITH(p))
UPTO
AND WITH
FIRST(f) FIRST(h)FIRST(g)
σ σ σ
σ
p
Program, monitor, and the concrete actors representing ((FIRST (f ) AND FIRST (g)) UPTO
(FIRST (h) WITH (p)). The picture shows the state at the point monitoring begins.
Figure 5.6: Monitoring-1:
5.2 Concrete monitors 111
Program Monitor
(FIRST(f) AND FIRST(g))
UPTO(FIRST(h) WITH(p))
UPTO
AND WITH
FIRST(f) FIRST(h)FIRST(g)
σ σ σ
σ
p
s0
s0 s0 s0
s0
The program generates the first states which is duplicated as it passes down the tree. A copy of
the state is stored in each terminal node.
Figure 5.7: Monitoring-2
112 Chapter 5: ITL Monitor implementation
Program Monitor
(FIRST(f) AND FIRST(g))
UPTO(FIRST(h) WITH(p))
UPTO
AND WITH
FIRST(f) FIRST(h)FIRST(g)
σ σ σ
σ
p
s0
s0 s0 s0
s0
MORE
MORE MORE
MORE
MORE
MORE
MORE
Each terminal node (monitor) makes its judgement on the interval consisting of the first state.
These judgements are reported up the tree to the parent nodes which interpret the results and
report their own judgements according to their behaviour.
Figure 5.8: Monitoring-3
a local copy within each monitor which minimises state-lookup overheads if parallel monitor
components were to be distributed. The Scala implementation used in this thesis adopts the
latter strategy.
Figure 5.8 demonstrates the first judgement that the monitor returns to the program following
the generation of the first state. The dotted lines on the right indicate the reports passed
back ‘up’ the process hierarchy. Each message is a judgement on the interval so far. In this
example p might be a state formula which is satisfied in the first state. more indicates that
the monitor has not reached a final judgement and is asking for more states to be provided.
Figure 5.9 presents a table of the message values that can be returned by each monitor
following the introduction of each new state.
The monitor response protocol includes done, fail, and more, representing three possible
judgements that can be returned to a program. done informs the program that its runtime
verification has successfully terminated: the program may continue beyond this point but
no further verification will occur. fail informs the program of a verification failure and an
error code will also be communicated to indicate the nature of the non-compliance. more
5.2 Concrete monitors 113
Message Description Judgement Readiness
done Verification success Final Will accept no more states
more Cannot anticipate judgement Inconclusive Requires more states
fail Verification failure Final Will accept no more states
Figure 5.9: Monitor-response messages
informs the program that the monitor has insufficient data to make a final judgement at this
stage and, remaining impartial it requests more state(s). This implements a three-valued logic
response [LS09].
In Figure 5.10 the situation arises when a final judgement can be made and the monitoring
is completed. The system is shown after three states have been generated by the program.
The monitor expressions FIRST (f ) and FIRST (g) have completed successfully. Therefore the
expression FIRST (f ) AND FIRST (g) has completed successfully and reports done. On the
right-hand side of the expression tree the monitors have not completed and are requesting
more states. However, the semantics of UPTO is that it succeeds if, and as soon as, either of
its operands succeeds and, since this is the case, the UPTO node reports done to the main
monitor which, in turn, is relayed to the main program.
114 Chapter 5: ITL Monitor implementation
Program Monitor
(FIRST(f) AND FIRST(g))
UPTO(FIRST(h) WITH(p))
UPTO
AND WITH
FIRST(f) FIRST(h)FIRST(g)
σ σ σ
σ
p
s0s1s2
s0s1s2 s0s1s2 s0s1s2
s0s1s2
DONE
DONE MORE
MORE
DONE
DONE
DONE
A final judgement can be made. The left-hand part of the tree succeeds. The right-hand part
has not yet delivered a judgement. However, UPTO requires only one side to succeed, and can
therefore pass DONE to its parent.
Figure 5.10: Monitoring-4
5.2 Concrete monitors 115
Program Monitor
(FIRST(f) AND FIRST(g))
THEN(FIRST(h) WITH(p))
THEN
AND
FIRST(f) FIRST(g)
σ σ
s0s1s2
s0s1s2 s0s1s2
DONE
DONE
DONE
After three states the WITH monitor is able to report success. The THEN monitor must discard
the old subtree and create a new one based on the right-hand subformula before it can complete
its analysis.
Figure 5.11: Monitoring-5
In contrast to the previous example, consider the monitor ((FIRST (f ) AND FIRST (g)) THEN
(FIRST (h) WITH (p)). In this case the top-most combinator has been changed from a parallel
combinator, UPTO, to a sequential one, THEN. Figure 5.11 shows the state part-way through
the analysis performed by the node THEN. The left-hand branch has just reported successful
termination. However, fusion shares a state: the last state of the previous interval becomes
the first state of the new interval. At this stage, therefore, THEN can discard its left subtree
since its purpose has ended, and create a new right subtree based on the right-hand part of
the formula. The newly evolved state is shown in Figure 5.12. The THEN operator represents
a dynamic transition in that the shape of the graph changes when the transition from left
child to right child occurs.
116 Chapter 5: ITL Monitor implementation
Program Monitor
(FIRST(f) AND FIRST(g))
THEN(FIRST(h) WITH(p))
THEN
WITH
FIRST(h)
σ
σ
p
s0s1s2
s2
s2
MORE
MORE
MORE
MORE
The newly-created right subtree is passed the previous final state to become its first state. The
analysis is now completed.
Figure 5.12: Monitoring-6
Figure 5.12 shows the system following the pruning of the now-terminated left sub-tree and
the creation of the new right subtree. The newly created node, WITH, has been forwarded
the current state – the state that terminated the previous subinterval – which becomes the
first state of the new interval. This has been cascaded down to the terminal nodes and a
suitable judgement has been reported back. At this stage no conclusion can be reached so
the nodes request more information (another state). The next two figures will demonstrate
how the system could evolve.
5.2 Concrete monitors 117
Program Monitor
(FIRST(f) AND FIRST(g))
THEN(FIRST(h) WITH(p))
THEN
WITH
FIRST(h)
σ
σ
p
s0s1s2s3
s2s3
s2s3
MORE
MORE
MORE
MORE
This shows the system after four states. The overall monitor remains impartial and anticipatory.
Figure 5.13: Monitoring-7
Figure 5.13 illustrates the generation of a fourth state, s3. The full interval, 〈s0, s1, s2, s3〉, is
drawn inside the program to illustrate its history. However, see how the intervals stored in
the terminal nodes are only 〈s2, s3〉. This demonstrates that the terminal nodes store only
the states relevant to their subinterval.
118 Chapter 5: ITL Monitor implementation
Program Monitor
(FIRST(f) AND FIRST(g))
THEN(FIRST(h) WITH(p))
THEN
WITH
FIRST(h)
σ
σ
p
s0s1s2s3s4s5
s2s3s4s5
s2s3s4s5
DONE
DONE
DONE
DONE
This shows the system after five states. The current network is concerned with only the suffix
interval which, in this case, satisfies its components: 〈s2, s3, s4〉 |= B h ∧ p.
Figure 5.14: Monitoring-8
Finally, in Figure 5.14, the introduction of the fifth state, s4, creates an interval that satisfies
WITH: 〈s2, s3, s4〉 |= B h ∧ p. The judgements are reported back to the program. Following
this judgement the monitor can be discarded, and garbage-collected, as it has completed
its function. If, at this stage, the program has not completed, then a new monitor may be
created according to a new formula and runtime verification can continue. This demonstrates
the dynamic behaviour of the monitors.
The example illustrates how the program’s behaviour satisfied the formula (B f ∧
B g) ; (B h ∧ p). Thus 〈s0, s1, s2〉 |= B f ∧ B g and 〈s2, s3, s4〉 |= B h ∧ p. The program
also satisfies the more general formula: (f ∧ g) ; (h ∧ p):
1 ` B f ∧ B g ⊃ f ∧ g FstAndElimL(C .264), logic
2 ` B h ∧ p ⊃ h ∧ p FstAndElimL(C .264), logic
3 ` (B f ∧ B g) ; (B h ∧ p) ⊃ (f ∧ g) ; (h ∧ p) 1, 2, LeftChopImpChop(C .101),
RightChopImpChop(C .102)
5.3 Summary 119
5.3 Summary
The chapter introduced the practical realisation of ITL-Monitor as a Scala API. The main
components for building monitors were explained: ITL for constructing ITL formulae, and
Monitor for constructing ITL-Monitors and executing them. Although the libraries have
not been extensively optimised, certain efficiency measures have been taken in respect of
determining fusion points when a formula specifices an interval of a predefined length; and
adjusting the evaluation strategies of certain derived monitors to take advantage of their
semantics.
The use of Akka actors to implement the concrete monitors provides the potential to exploit
multiple cores which ameliorates the impact of an inline, runtime monitoring system which
shares resources with the program under test. Furthermore, the distribution of actors
across available cores is a task that is handled by the Akka dispatcher and not the monitor
implementation itself.
120 Chapter 5: ITL Monitor implementation
Chapter 6
Examples and evaluation
6.1 Introduction
In this chapter two example scenarios are presented and analysed.
The first (latch) example (Section 6.2) is specified and verified using four different approaches
and three different runtime verification tools. The tools compared are TraceContract
[BH11, Hav19], a runtime monitoring system developed as a Domain Specific Language in
Scala; AnaTempura [Mos96b], an established runtime verification system for ITL; and ITL-
Monitor, the monitoring system developed in this thesis.
The example illustrates the use of each of these systems and provides a comparative
performance analysis. To facilitate a fair comparison, the example utilises a specification
that can be expressed in LTL, Tempura (a subset of ITL), and ITL.
The second (checkout) example (Section 6.3) concentrates predominantly on ITL-Monitor. Its
purpose is to demonstrate the performance when monitoring a significantly more complex
system capable of generating large execution traces. In this example, two of the temporal
requirements are also adapted for use with TraceContract for comparison with ITL-
Monitor.
All experiments were run using sbt [sbt19] on a Macbook Pro with 2.6GHz Intel Core i5;
OSX 10.13.6; Scala version 2.12.7; Akka version 2.5.19.
6.2 Latch example
A program is written in Scala to simulate the operation of system governed by the relative
temporal behaviour of three Boolean flags. A set of requirements is developed for the system
and verified in four ways:
122 Chapter 6: Examples and evaluation
1. Using ITL-Monitor, the inline runtime verification system proposed in this thesis;
2. Using AnaTempura (Section 2.4.5), an outline runtime verification system based upon a
subset of ITL;
3. Using TraceContract [Hav19, BH11], an inline runtime verification system also
written as a Scala DSL, with two specification styles:
(a) Future time LTL
(b) State machines
The different styles of specification and runtime verification will then be compared both
qualitatively and quantitatively. The latter will include an analysis of the runtime results
and their relative timings. The full code for the latch example is provided in Section B.2 from
which relevant extracts are presented below as required.
Consider a system which consists of two latches, A and B , and a signal, S . The behaviour
is defined informally as follows. When latch A is down then B must remain stable up to
and including the first moment when latch A is up. When latch A is up then B is free to
switch between up and down states. Every time a state change in B occurs then a signal S
is raised just at the point that B ’s state changes. Unless B changes state in the very next
moment then S returns to its down state. Thus A is used to enable B ’s switching behaviour,
and S signals every state change in B . The diagram in Figure 6.1 illustrates a prefix of some
example simulation run.
A
B
S
Figure 6.1: Latch example
The set of system requirements is given:
R1 Whenever B is stable in two successive states then the signal S is low in the second of
those states.
6.2 Latch example 123
R2 Whenever B is not stable in two successive states then the signal S is high in the second
of those states: i.e. any change to B is signalled by S .
R3 Whenever A is low in two successive states then B is stable across those states.
R4 Whenever A is raised across two successive states then B is stable across those states.
6.2.1 Description in ITL
Consider a single cycle of A from down, through up, and then to down again. This cycle can
be described by the ITL formula halt(A) ; halt(¬ A). The formula halt(A) specifies that ¬ A
holds in all states except the final state whereupon A holds. halt(¬ A) specifies the inverse
situation. Furthermore, until A holds, B is required to be stable. These conditions can be
combined into the following formula describing a cycle of A.
(halt(A) ∧ stable(B)) ; (halt(¬ A)) (1)
To specify finitely many A-cycles, the formula can be repeated:
( (halt(A) ∧ stable(B)) ; (halt(¬ A)) )∗
In a similar way the latching behaviour of B can be specified. Every change in state by B
must be accompanied by the raising of the signal S . Each cycle of B consists of a series of
states in which B remains stable and a final state in which B ’s value changes.
(B <∼ ¬ B) ∧ (skip ; halt(S )) (2)
The operator <∼ is padded temporal assignment. The formula B <∼ ¬ B specifies that B is
stable until the final state, at which point it changes. The formula skip ; halt(S ) specifies that
S is low from the second state and raised at the end. Skipping the initial state is necessary
because the initial state of each B -cycle (except the first B -cycle) coincides with the final
state of the previous B -cycle and in each of these states S holds. The repetition of finitely
many B -cycles is given by:
( (B <∼ ¬ B) ∧ (skip ; halt(S )) )∗
Assume that some terminating condition STOP is specified to align with the end of an A-cycle
and a B -cycle, i.e.
halt(STOP) ⊃ 3(skip ∧ A ∧ ©(¬ A) ∧ ©(B) = ¬ B)
halt(STOP) specifies the interval in which STOP holds only in the final state. This defines
124 Chapter 6: Examples and evaluation
the extent of the simulation. When halt(STOP) holds then there must be a two-state suffix
subinterval (skip ∧ . . . ) which satisfies the final transitions of an A and B -cycle respectively.
Every variable is false in the initial state. The system can be specified as follows:
(empty ∧ ¬ A ∧ ¬ B ∧ ¬ S ) ; Initial state
( halt(STOP) Termination condition
∧ ( (B <∼ ¬ B) ∧ (skip ; halt(S )) )∗ (1)∗
∧ ( (halt(A) ∧ stable(B)) ; (halt(¬ A)) )∗ (2)∗
)
The four requirements (R1−R4) can be derived from this ITL specification. The derivations
are presented in B.2.1. Note that keep f requires f to hold over all unit subintervals – i.e.
over all subintervals that consist of precisely two states.
R1 : keep( (©(B) ≡ B) ⊃ ©(¬ S ) )
R2 : keep( (©(B) 6≡ B) ⊃ ©(S ) )
R3 : keep((¬ A ∧ ©(¬ A) ⊃ (B = ©(B)))
R4 : keep((¬ A ∧ ©(A) ⊃ (B = ©B))
Noting that (B <∼ ¬ B) ≡ B(B <∼ ¬ B), the above ITL specification can be translated into
an ITL-Monitor formula:
m =̂ GUARD (¬ A ∧ ¬ B ∧ ¬ S )
THEN ( HALT (STOP)
ITERATE ( FIRST (B <∼ ¬ B) WITH (skip ; halt(S )) )
ITERATE ( (HALT (A) WITH (stable(B))) THEN HALT (¬ A) )
)
The structure of this specification exhibits a managed halt patern (Section 3.4.2).
6.2.2 Properties expressed in Tempura
The four requirements (R1−R4) can also be written in Tempura for analysis with AnaTempura.
As with the LTL specification in the following subsection, the requirements do not require the
use of an iteration construct (chopstar). Each of the requirements is expressed as a formula
that applies over all unit intervals. In Tempura this is achieved using the keep operator.
define R1(B,S) = { keep( ((next B) = B) implies not next(S) ) }.
define R2(B,S) = { keep( ((next B) = not B) implies next(S) ) }.
define R3(A,B) = { keep( (not A and not next(A)) implies (B = (next B))) }.
6.2 Latch example 125
define R4(A,B) = { keep( (not A and next(A)) implies (B = (next B))) }.
6.2.3 Properties expressed in LTL
Unlike ITL, LTL does not have an iteration construct and therefore the original ITL
specification cannot be translated directly. However, the four requirements (R1 - R4) can
be expressed in LTL using the form 2(. . . ). Each requirement is a formula that holds over
pairs of successive states. Weak-next is used instead of strong-next because the intervals are
finite (Section 2.1.2).
R1 2((B ⇔ ©w (B))⇒ ©w (¬ S ))
R2 2(¬ (B ⇔ ©w (B))⇒ ©w (S ))
R3 2((¬ A ∧ ©w (¬ A))⇒ (B ⇔ ©w (B))
R4 2((¬ A ∧ ©w (A))⇒ (B ⇔ ©w (B)))
6.2.4 State machine
The behaviour of the latch example can also be expressed as a deterministic, finite state
machine (Figure 6.2). Each transition is implicitly labelled with a 3-tuple consisting of the
next state of the three variables (A,B ,S ). The nodes represent each of the eight possible
states. In the initial state, s0, all three flags are down. The system can terminate in either
of the states s1 or s3 – each of these represents a situation in which a final B -transition has
occurred.
6.2.5 Simulation and runtime verification
The latch simulation is written as a Scala program and the full listing appears in Appendix
B in two parts as Listing B.4 and Listing B.5. The simulation has been written in such a way
that it can be executed using any combination of the following monitoring options:
• Using ITL-Monitor with the ITL specification
• Using AnaTempura with the Tempura specification
• Using TraceContract with the LTL specification
• Using TraceContract with the state machine specification
It is also possible to run the simulation with no monitoring at all. This provides a baseline
for performance measurement.
126 Chapter 6: Examples and evaluation
ABS
s0
ABS
s3
ABS
s1
ABS
s2
ABS
s4
ABS
s7
ABS
s5
ABS
s6
Figure 6.2: Finite state machine for the latch example
Both ITL-Monitor and TraceContract are embedded domain specific libraries written in
Scala. In both cases their respective monitors are created dynamically as Scala objects
within the simulation and therefore perform inline monitoring. Instrumenting the simulation
to communicate with these monitors entails internal method calls. In contrast to these,
AnaTempura runs externally to the simulation and thus performs outline monitoring.1 In this
case the instrumentation is handled by sending specially encoded ASCII messages to stdout.
To ensure that the same state data is communicated to all running monitors, the
instrumentation for each system is abstracted into a single verify() method:
def verify () {
if (runAna)
println("!PROG: assert Event:"+mu.get(A)+":"+mu.get(B)+":"+mu.get(S)+":!");
if (runLTL || runStM) nu.verify(TC.Event(mu.get(A), mu.get(B), mu.get(S)))
if (runITM) mu.!!
numOfStates = numOfStates + 1
}
Each monitoring system is guarded by its own flag (runAna, runITL, runITM) and these flags
can be set in any combination when the simulation is run.
1Inline and outline monitoring was discussed in Section 2.4.
6.2 Latch example 127
6.2.5.1 ITL monitoring
The simulation contains a mixture of unmonitored and monitored variables. The former are
simply standard Scala variables. The latter are represented using the type Var from the
ITL-Monitor API (cf. Section 5.1.1.1). The three flags are declared thus:
object S extends Var[Boolean] { override def toString = "S" }
object A extends Var[Boolean] { override def toString = "A" }
object B extends Var[Boolean] { override def toString = "B" }
The ITL specification (6.2.1) is translated into ITL-Monitor. It has been split into subclauses
for ease of reading.
val initial = (∼A and ∼B and ∼S)
val clause2 = FIRST(B <∼ ∼B) WITH (skip ‘;‘ halt(S))
val clause3 = (HALT(A) WITH (stable(B))) THEN (HALT(∼A))
val spec = (GUARD(initial) THEN (HALT(STOP) ITERATE clause2 ITERATE clause3 ))
A monitor, mu, is created to perform a runtime verification using this specification. The
constructor requires a name field, and a reference to an Akka actor system (as).
val mu = RTM(spec , "Latch", as)
mu encapsulates the state of the monitored variables which can be accessed via get and set
methods. For example, this shows how to assign B := ¬ B and S := true:
mu.set(B,!mu.get(B)).set(S,true)
When an assertion point is reached and the current state is to be added to the interval for
analysis, this instruction can be made by the following method call.
mu.!!
This can result in one of three outcomes:
1. more is returned – the verification is inconclusive and more state(s) are required. This is
the normal situation while the simulation is being verified, before a definitive judgement
can be made.
2. done is returned – the execution trace satisfies the formula.
3. An exception is thrown – the execution trace cannot satisfy the formula.
If mu.!! occurs within a try block then a failure can be handled using a corresponding catch
block. The simulation demonstrates the potential of this approach.
128 Chapter 6: Examples and evaluation
catch {
case e: RTM.RTVException =>
println(e) // ITM detected a violation
println("React at Runtime ...") // Alternative action goes here
}
6.2.5.2 AnaTempura monitoring
AnaTempura invokes the simulation but both run as separate programs. The specification is
contained within a special Tempura file latch.t (Listing 6.1).2
Listing 6.1: AnaTempura specification
1
2 load "conversion".
3 load "exprog".
4
5 /* sbt demo.latch.Simulation 2 t off 1 Latch */
6
7 set print_states = true.
8
9 define get_var(A,B,S,Z) = {
10 exists T : {
11 get2(T) and
12 A = if T[1]="true" then true else false and
13 B = if T[2]="true" then true else false and
14 S = if T[3]="true" then true else false and
15 Z = if T[4]="true" then true else false
16 }
17 }.
18
19 define Pass(R) = format("-- Pass R%d\n",R).
20 define Fail(R) = format("** Fail R%d\n",R).
21
22 define R1(B,S) = { keep if ((next B = B) implies (not next S))
23 then Pass (1) else Fail (1)
24 }.
25 define R2(B,S) = { keep if ((next B = not B) implies (next S))
26 then Pass (2) else Fail (2)
27 }.
28 define R3(A,B) = { keep if ((not A and not next(A)) implies (B = next B))
29 then Pass (3) else Fail (3)
30 }.
31 define R4(A,B) = { keep if ((not A and next(A)) implies (B = next B))
32 then Pass (4) else Fail (4)
33 }.
34
2Antonio Cau adapted AnaTempura (version 3.5) to run Scala programs within sbt (The simple build tool –
a command line development environment for Scala projects). The current latch example was the catalyst for
this development and the original latch.t code was provided by A Cau. The author and A Cau co-developed
the file to work with latch.scala and AnaTempura.
6.2 Latch example 129
35 /* run */ define test() = {
36 exists A,B,S,Z: {
37 get_var(A,B,S,Z) and
38 format("A=%t, B=%t, S=%t, STOP=%t\n",A,B,S,Z) and
39 keep (get_var(next A,next B,next S,next Z)) and
40 keep format("A=%t, B=%t, S=%t, STOP=%t\n",next A,next B,next S,next Z) and
41 halt(Z) and
42 R1(B,S) and
43 R2(B,S) and
44 R3(A,B) and
45 R4(A,B)
46 }
47 }.
Listing 6.1 contains the following features:
line 5 This comment specifies how AnaTempura should call the Scala simulation. It states that
the simulation is run within sbt, Scala’s terminal-based development environment. The
simulation path and command line arguments are provided as an sbt batch command.
lines 9-17 The get var function parses the string passed to AnaTempura from the simulation
for each state. Each state is passed as a string such as:
!PROG: assert Event:true:false:true:false:!
The components of the string are parsed into T where, in this example, T[1], T[2], T[3],
and T[4] are true, false, true, and false respectively. These values are assigned to
the state variables A, B, S, and Z.
lines 19-20 These definitions specify the messages to be output when monitor R succeeds
or fails. The function format(...) returns true so the formula itself always succeeds.
The printed message indicates the truth value associated with R.
lines 22-33 The requirements R1-R4 are expressed as function definitions. Note that in
each case the condition keep cond has been expressed as (for R1) keep if cond then
Pass(1) else Fail(1). This construction allows for the test itself to succeed whether
or not cond passes or fails. However, the appropriate report message is printed on the
output transcript.
lines 35-46 This is the main function test which is executed from within AnaTempura.
lines 37 and 38 Read and write the first state.
lines 40 and 41 Read and write all subsequent states.
lines 41-45 The extent of the finite interval is defined using the variable Z which becomes
true when a STOP event is received. The remaining lines conjoin the four requirements.
130 Chapter 6: Examples and evaluation
6.2.5.3 TraceContract monitoring
The code required to specify the LTL and state machine specifications in TraceContract
is relatively lengthy compared to the ITL-Monitor specification above. Therefore, this code
is encapsulated into a separate object, TC, (see Listing B.5). These specifications will be
discussed further below, but first the construction of a TraceContract monitor, nu, as
provided within the main simulation program is shown:
val nu = if (runLTL && runStM) TC.monitorAll
else if (runLTL) TC.monitorLTL
else if (runStM) TC.monitorStM
else TC.monitorNil
The simulation sets up nu to run one of four combinations of TraceContract verification:
just LTL, just the state machine, both, or neither. The flags controlling the simulation are
derived from command line arguments when the simulation is initiated. When a new state is
ready for analysis it needs to be encoded as an Event (a type defined within TC that consists
of the three Boolean values) and then passed to nu using the verify() method call:
nu.verify(TC.Event(mu.get(A), mu.get(B), mu.get(S)))
The interplay between (ITL-Monitor) mu and (TraceContract) nu is important here. The
state values are obtained from mu using mu.get methods and these are used to construct a
TC.Event to be passed to monitor nu. This occurs whether or not mu is used for performing
a runtime verification, and ensures that the same states are passed to all runtime monitors
being used.
The LTL formulae representing R1-R4 are encoded using the TraceContract API. Firstly,
a mumber of named propositions are defined and represented as partial functions. Each is a
projection function inspecting a particular component of the TC.Event state:
def aHi: PartialFunction[Event ,Boolean] = { case Event(true , _,_) => true }
def aLo: PartialFunction[Event ,Boolean] = { case Event(false ,_,_) => true }
def bHi: PartialFunction[Event ,Boolean] = { case Event(_,true , _) => true }
def bLo: PartialFunction[Event ,Boolean] = { case Event(_,false ,_) => true }
def sHi: PartialFunction[Event ,Boolean] = { case Event(_,_,true ) => true }
def sLo: PartialFunction[Event ,Boolean] = { case Event(_,_,false) => true }
Each requirement is written as a subclass of a TraceContract Monitor and thus inherits
all of the monitor behaviour. The code for R1 is shown below. The function globally
corresponds to the LTL operator 2. Also note the use of weaknext which does not fail when
applied in the final state of a finite interval.
6.2 Latch example 131
Listing 6.2: Definition of R1
class R1 extends Monitor[Event] {
/*
* If B is stable across two adjacent states then S is low in the 2nd state
*
* 2((B ⇔©w (B))⇒©w (¬ S))
*/
def bStable = (( matches{bHi}) and weaknext(matches{bHi})) or
(( matches{bLo}) and weaknext(matches{bLo}))
property(’R1) {
globally {
bStable implies (weaknext(matches{sLo}))
}
}
}//R1
The remaining requirements are encoded similarly and then combined into a single monitor
representing the conjunction of all four requirements. 3
class LTLRequirements extends Monitor[Event] {
monitor( new R1, new R2, new R3_R4 )
}
6.2.5.4 State machine with TraceContract
TraceContract supports the encoding of a state machine for runtime verification. To
prepare a monitor to behave as a state machine each of the nodes from Figure 6.2 are
represented as TraceContract monitors. The method state is used in conjunction
with a partial function that matches the event (next state) and moves to the next node
as appropriate. Two of the nodes, s0 and s4, are provided as examples:
property(’R5) { S0 }
def S0: Formula = state {
case Event(true ,false ,false) => S4
case Event(false ,false ,false) => S0
case _ => error
}
def S4: Formula = state {
case Event(false ,false ,false) => S0
case Event(false ,true ,true ) => S3
case Event(true ,true ,true ) => S7
case Event(true ,false ,false) => S4
case _ => error
}
3In the example the requirements R3 and R4 are combined within a single monitor R3 R4. See the code
in Listing B.4.
132 Chapter 6: Examples and evaluation
The initial state s0 is indicated by the construction of a property (R5) which contains s0.
This property forms the StMRequirements monitor:
class StMRequirements extends Monitor[Event] {
monitor( new R5 )
}
6.2.5.5 Execution timings
The first set of experiements provides a relative performance analysis of the inline monitoring
systems ITL-Monitor and TraceContract. Both of these systems perform runtime
verification by constructing monitors dynamically via a Scala API and executing these
alongside the simulation itself. In this respect, TraceContract follows the same
architectural paradigm as ITL-Monitor making TraceContract an excellent candidate for
comparative analysis.
For each experiment the time to run the simulation is measured using Java’s nanotime()
system call and the recorded time is the average over ten runs. The experiments are repeated
for 20, 40, 60, 80, and 100 A-cycles so that the performance of the verification over intervals
with different numbers of states can be compared. The same runtime environment (via sbt)
is used for each experiment. For each A-cycle length, four experiments are performed: no
runtime verification; using ITL-Monitor (ITL); using TraceContract (LTL); and using a
TraceContract state machine. The results are listed below (in Table 1 and Table 2).
6.2 Latch example 133
Table 1
Num of Without ITL-Monitor TraceContract Num of Time ∗
A-cycles monitoring ITL LTL State machine states∗ (s)
20 X 687 0.011
40 X 1172 0.016
60 X 1931 0.038
80 X 2490 0.057
100 X 3170 0.096
20 X 614 0.330
40 X 1222 0.453
60 X 1775 0.542
80 X 2555 0.734
100 X 3119 0.753
20 X 616 0.103
40 X 1249 0.179
60 X 1765 0.242
80 X 2631 0.333
100 X 3162 0.380
20 X 611 2.447
40 X 1240 18.336
60 X 1925 67.325
80 X 2483 143.435
100 X 3059 281.840
∗ Average for ten simulation runs.
The results without monitoring provide a baseline measurement. Runtime verification with
ITL-Monitor increases the time taken by one order of magnitude up to about 1.5K states,
and then remains at the same order of magnitude up to circa 32K states (Table 2). However,
after circa 23K states the experiments run more quickly with ITL-Monitor performing runtime
analysis. This counterintuitive result is explained when the CPU loading and number of active
threads is inspected. Without monitoring the CPU load for the JVM is maintained around
100% and a single thread is running at any one time. However, when the experiment uses
ITL-Monitor the CPU usage for JVM increases to around 300%4 and the number of active
threads increases peaking at eight. ITL-Monitor is written in Akka and its performance will
be governed by Akka’s threadpool management. Analyis of how to fine tune the threadpool
performance for given architectures is left for future work.
The table below summarises a series of experiments in which the ITL-Monitor and
TraceContract(LTL) monitors were executed with significantly longer execution traces.
4Apple OSX reports up to 100% for each virtual core.
134 Chapter 6: Examples and evaluation
Table 2
Num of Without ITL-Monitor TraceContract Num of Time ∗
A-cycles monitoring ITL LTL states∗ (s)
250 X 7825 0.588
500 X 15538 2.191
750 X 23339 4.916
1000 X 31513 9.042
2000 X 62706 35.640
250 X 7836 1.759
500 X 15676 3.168
750 X 23525 4.661
1000 X 31823 6.318
2000 X 63341 12.008
250 X 7874 1.177
500 X 15946 3.393
750 X 23843 6.659
1000 X 31441 11.069
2000 X 62801 40.978
∗ Average for ten simulation runs.
Each of the TraceContract monitors R1, R2, and R3 R4 are of the form globally(..).
TraceContract forks a new monitor for each matching event within a globally clause,
and each monitor processes events until its formula has been satisfied. Monitors R1 and R2
have complementary antecedants and therefore one or the other of these must be triggered
in every state. Furthermore, in every state when A is low R3 R4 is triggered. Each of these
monitors’ lifetime is only two states but there is nonetheless an extra overhead in creating
and disposing of monitors with every new event.
TraceContract performance exhibits exponential growth over the simulation lengths
from 0.5K states to 3K states with LTL monitoring being better than the state machine
performance. Monitoring of the CPU load during the TraceContract experiments shows
that multiple threads are being utilised across the cores but to a significantly less extent with
the state machine than the LTL specification. This accords with the sequential flow through
the deterministic state machine rather than the forking of multiple monitors within LTL.
The ITL-Monitor specification analyses the data in subintervals according to cycles of A or B.
Each fusion point between cycles is the cause of the disposal of one monitor and the creation
of a new monitor. Thus the number of monitors created is proportional to the number of A
and B cycles and not to the number of states. This is a significant reduction in performance
overhead as demonstrated by the timing data.
Considering the AnaTempura verification it is significant to note that the monitoring is
performed outline. The simulation does not synchronise with any AnaTempura process and
6.2 Latch example 135
will therefore run independently. However, it is relevant to consider how quickly AnaTempura
can process the stream of incoming state data.
Any timing analysis of the AnaTempura monitoring does not affect the time taken to run
the simulation because the runtime verification is performed outline. Thus the reported time
by AnaTempura is different from that reported by sbt. The following table illustrates the
difference by showing some sample runs with reported timings (rounded to whole seconds).
Each row in the following table is based upon average values from five similar experiments.
Num of Num of Elapsed time (s)
A-cycles states AnaTempura sbt
20 612 16 3
40 1228 21 3
60 1863 21 5
80 2557 23 6
100 3088 25 8
250 7828 60 26
500 15938 116 54
1000 31789 224 109
The timings are similar to those for TraceContract (LTL). It is noticable that the
simulation completes significantly before the analysis in each case.
ITL-Monitor revisited
The initial ITL-Monitor specification was based upon subintervals that aligned with cycles
of A and B. The resulting ITL modelled the operation of the latches very closely. The
four requirements, R1 - R4, were derived from the original ITL specification and it was
demonstrated that these were being verified implicitly. However, it is also possible to verify
these requirements directly within ITL-Monitor:
val R1 = SKIP WITH ((Next(B)‘=‘B) implies not(Next(S)))
val R2 = SKIP WITH ((Next(B)‘/=‘B) implies Next(S))
val R3 = SKIP WITH ((not(A) and not(Next(A))) implies (B‘=‘Next(B)))
val R4 = SKIP WITH ((not(A) and Next(A)) implies (B‘=‘Next(B)))
val spec2 = (GUARD(initial) THEN (HALT(STOP) ITERATE (R1 AND R2 AND R3 AND R4)))
Here, formulae with the form keep f have been expressed equivalently as (skip ∧ f )∗. There is
an associated cost with this approach: all of the subintervals used for generating ITL-Monitors
are of unit length. This means that a monitor will need to be created for every state. In this
way the verification approach is now closer to TraceContract (LTL) in its operation. The
table below shows the timings for running ITL-Monitor using this revised formula. The timings
are higher than the equivalent ones for the original ITL-Monitor specification and approach
the TraceContract (LTL) timings at the higher numbers of states. This observation
136 Chapter 6: Examples and evaluation
is consistent with the fact that the revised spec2 spawns monitors at every state as does
TraceContract (LTL).
Num of ITL-Monitor Num of Time ∗
A-cycles ITL states∗ (s)
20 X 691 0.697
40 X 1310 0.921
60 X 1842 1.135
80 X 2599 1.555
100 X 3226 1.811
250 X 7906 4.169
500 X 15440 7.792
750 X 23803 12.348
1000 X 31511 15.418
2000 X 63068 31.445
∗ Average for ten simulation runs.
6.2.5.6 Reporting and recovery
In this section the runtime behaviour of each of the monitoring systems, TraceContract,
ITL-Monitor, and AnaTempura, will be analysed. The discussion takes place within the context
of the latch example and will address how each system provides a running commentary, reports
a successful verification, reports a failure, and supports error recovery.
Displaying progress Each of the monitoring systems can display progress as it receives
states from the simulation. TraceContract prints out a report each time a monitor
is satisfied. Thus, monitor ’R1 is satisfied by the first two states:
Monitor: TC$LTLRequirements.TC$R1
Property ’R1 succeeds
Succeeding event number 2: Event(false ,false ,false)
Trace:
1=Event(false ,false ,false)
2=Event(false ,false ,false)
AnaTempura similarly reports on each individual state:
State 0: A=false , B=false , S=false , STOP=false
State 0: -- Pass R1
State 0: -- Pass R2
State 0: -- Pass R3
State 0: -- Pass R4
State 1: A=false , B=false , S=false , STOP=false
State 1: -- Pass R1
State 1: -- Pass R2
6.2 Latch example 137
State 1: -- Pass R3
State 1: -- Pass R4
For ITL-Monitor each generated state is printed with a judgement. The first two states
of a simulation are shown below – in each case the judgement is more meaning that no
violation has been detected at this stage.
( 0 .061 sec ) : RTM ( Latch1 ) More 0 A −> f a l s e B −> f a l s e S −> f a l s e STOP −> f a l s e
( 0 .062 sec ) : RTM ( Latch1 ) More 1 A −> f a l s e B −> f a l s e S −> f a l s e STOP −> f a l s e
Reporting success All of the systems provide a report when the simulation has completed
– i.e., when the finite execution trace has ended. TraceContract lists each monitor
and reports on the number of violations detected. The simulation ran to completion
and no violations were detected.
Monitor TC$LTLRequirements.TC$R1 property ’R1 violations: 0
Monitor TC$LTLRequirements.TC$R2 property ’R2 violations: 0
Monitor TC$LTLRequirements.TC$R3_R4 property ’R3_R4 violations: 0
AnaTempura simply reports Done! and provides some statistical information about
the computation. For example:
Done! Computation length: 40. Total Passes: 43.
Total reductions: 8061 (7984 successful ). Maximum reduction depth: 15.
Time elapsed: 10.696765
Finally, ITL-Monitor reports Done and lists the elements of the final state. The [INFO]
message indicates that the Akka actor system has shut down the monitor.
Done(List((B,false), (STOP ,true), (S,true), (A,false )))
[INFO] [03/13/2019 22:17:04.641] [run -main -e]
[Monitor$Runtime$RTM(akka :// LatchActorSystem )]
Stop: Monitor Latch1 has been stopped.
Reporting failure TraceContract continuously reports on the status of each of its
monitors until the end of the simulation. The simulation allows for a random failure to
be introduced. In this case an error was introduced at the fourth state:
Monitor: TC$LTLRequirements.TC$R2
Property ’R2 violated
Violating event number 4: Event(true ,true ,false)
Trace:
3=Event(true ,false ,false)
4=Event(true ,true ,false)
138 Chapter 6: Examples and evaluation
AnaTempura reports violations associated with monitors and states. In this case the
nature of the reporting is controlled within the latch.t program itself by side effecting
the Pass/Fail messaging within the monitor formulae (Listing 6.1 lines 22-33).
State 10: A=false , B=true , S=false , STOP=false
State 10: -- Pass R1
State 10: ** Fail R2
State 10: -- Pass R3
State 10: -- Pass R4
In ITL-Monitor a failure causes the verification to terminate with a message on the
transcript. An example of the type of message that appears on the transcipt is shown
below. Extraneous Akka messages have been removed.
Listing 6.3: ITM failure detection
1 ( 0 .025 sec ) : RTM ( Latch1 ) More 3 A −> t rue B −> f a l s e S −> t rue STOP −> f a l s e
2 ( 0 .027 sec ) : RTM ( Latch1 ) Fa i l ed 4 A −> t rue B −> t rue S −> f a l s e STOP −> f a l s e
3 RTVException Fa i l u r e Latch1
4 React at Runtime . . .
5 ============================
6 Terminating monitor Monitor :
7 ============================
8
9 [WARN] ( anon )THEN: RHS f a i l e d
10 [WARN] ( anon )WITH: RHS f a i l e d
11 [WARN] ( anon )ITERATE: LHS f a i l e d
12 [WARN] ( anon )ITERATE: RHS f a i l e d
The message describes a path through a monitor formula to assist in locating the source
of the failure. In this case the failure appears to have occurred in the subformula to the
right of WITH in clause2.
val initial = (∼A and ∼B and ∼S)
val clause2 = FIRST(B <∼ ∼B) WITH (skip ‘;‘ halt(S))
val clause3 = (HALT(A) WITH (stable(B))) THEN (HALT(∼A))
val spec = (GUARD(initial)
THEN (HALT(STOP)
ITERATE clause2 ITERATE clause3 ))
The WARN messages are output using Akka’s asynchronous logging mechanism and, as
such, their order is non-deterministic. In the example there is no ambiguity about the
location of the failure: the only path that satisfies THEN RHS, ITERATE LHS, ITERATE
RHS, WITH RHS leads to the subexpression skip ; halt(S ). However, it is possible to label
any of the ITL-Monitor subformulae to assist in locating the source of a failure or to
resolve any potential ambiguity. For example, consider a monitor formula of the form
(a ITERATE b) ITERATE (c ITERATE d); in such a case a failure report consisting of
{ITERATE LHS, ITERATE RHS} is ambiguous.
The operator :: is provided by the ITL-Monitor API so that individual subformulae can
be labelled. If the following changes were made to the previous example:
6.3 Latch example 139
val clause2 = "clause2"::( FIRST(B <∼ ∼B) WITH (skip ‘;‘ halt(S)))
val spec = "spec"::( GUARD(initial)
THEN "loop"::( HALT(STOP)
ITERATE clause2 ITERATE clause3 ))
then the error reporting would include the subformula labels (anon is the default for
unlabelled formulae).
[WARN] (spec)THEN: RHS failed
[WARN] (clause2)WITH: RHS failed
[WARN] (loop)ITERATE: LHS failed
[WARN] (anon)ITERATE: RHS failed
Error recovery
Both TraceContract and AnaTempura only provide a report on the output
transcript. There is no message passing back to the simulation. The communication
of states from the simulation to AnaTempura is via printf messages on stdout. In
TraceContract each state is evaluated using the verify() method but, because
this method returns ()5, it cannot report a failure back to the simulation. In contrast,
ITL-Monitor verification returns judgements (of type Reply) to the program under test.
The methods provided are:
def verify: Reply // returns a judgement (PASS, FAIL, or MORE)
def ! // a synonym for verify
def !!(e: Exception): Reply // as above but throws e on failure
def !! : Reply // as above but throws default exception
These methods communicate synchronously with the monitor. This design ensures that
the calling program can react at runtime as soon as a failure is reported.
if (mu.verify.isFail)
...
else
...
However, when there are many such assertion points within a block of code, it may be
preferable to associate all of them with the same recovery action. The !! methods
are designed to be used with the try/catch pattern. This is illustrated by the current
example – see Listing B.5. The output displayed in Listing 6.3, line 4, demonstrates that
recovery code within the catch block has been executed following a failure detection.
In this example the recovery code is simply a placeholder message, but the principle has
been established.
5() is the only element of the Unit type in Scala. It is used similarly to void in Java and C to indicate
that the method is called only for its side effect.
140 Chapter 6: Examples and evaluation
6.3 Checkout system
In this section a larger example is described which simulates a self-service checkout of the
type currently popular in many large retail outlets. It is designed to model a single day’s
trading. The checkout is a reactive system designed to operate for a finite length of time. It
models a realistic system and is capable of generating a large volume of data spanning the
full range of possible interactions that can take place during each customer transaction. It
will enable ITL-Monitor to be analysed with large volumes of data.
The simulation is comprised of the following components.
Customers The simulation generates customers with randomised shopping baskets
Attendant The attendant is responsible for a given number of terminals. Each customer
is assigned to a free terminal by the attendant and the attendant reacts to situations
during a transaction such as “assistance required” or “unexpected item in bagging area”
or “check customer age” whenever an age-restricted product is scanned.
Terminals The simulation models several terminals all of which are managed by the
attendant. Each terminal interacts with one customer at a time. The interactions
include scanning products and placing them in the bagging area and finally ensuring
payment for the goods. When items are placed on the scale in the bagging area their
respective weights are checked against the product DB to see if they are correct within
a given tolerance. When the customer requests assistance or an intervention is required
the terminal alerts the attendant and awaits instruction.
Product DB The product DB maintains details of the products including their price and
weight. Within the context of the simulation it is also responsible for generating random
shopping baskets of products for each newly generated customer.
The simulation The main simulation is responsible for initialising, running, and finalising
the components. It is fundamentally a loop which repeatedly generates a new customer
and “offers” the customer to the attendant to be shown to a free terminal. The
simulation polls the attendant at given time intervals and generates a new customer
once the current one has been “accepted”. This ensures a constant supply of new
customers until the store closes.
A diagram showing the interaction of the principal actors in the simulation is shown in Figure
6.3.
If customer C2 were to complete their transaction next then the corresponding terminal T2
would return to the pool of free terminals and the associated customer actor would be removed
6.3 Checkout system 141
Simulation Attendant
busy free
Customers Terminals
C 1
C 2
C 3
C 4
T 1
T 2
T 3
T 4
In this example the attendant looks after four terminals but this number is configurable upon
creation of the attendant. The simulation creates customers and passes them (in turn) to the
attendant. The attendant allocates a free terminal to a customer. In the state depicted the
simulation has just passed the reference to newly created C4 to the attendant who is about to
allocate the new customer to the free terminal T4. Whenever there are no free terminals then
the customer must wait. The attendant then maintains contact with all the customers and all the
terminals reacting to situations that arise. The diagram does not show the product database.
Figure 6.3: The principal actors in the simulation
142 Chapter 6: Examples and evaluation
Simulation Attendant
busy free
Customers Terminals
C 1
C 3
C 4
T 1
T 2
T 3
T 4
Customer C2 has completed their transaction and the now-obsolete actor has been
garbage-collected; terminal T2 is returned to the free pool ready to be assigned by
the attendant to the next customer.
Figure 6.4: The state after customer C2 has completed their transaction
from the simulation. The actor would be garbage collected. The situation in which customer
C4 has been allocated to the previously free terminal T4, and in which C2 has completed
their transaction, is depicted in Figure 6.4.
Communication between the actors in the simulation takes the form of message passing
with immutable data. Each actor represents its own state-transition system that governs
its behaviour. Figure 6.5 shows the behaviour of a terminal. The system described makes a
number of assumptions and simplifications in order to manage its complexity in this context.
For example, it is assumed that the customer will not seek assistance when paying for the
goods; and the range of assistance that may be sought and provided is restricted to a small
number of representative transactions. Notwithstanding these simplifications, the system
generates a sufficiently varied range of traces by which the behaviour of ITL-Monitor can be
demonstrated and analysed. Figure 6.6 shows a part of a runtime trace filtered to show only
the messages received by, and sent from a single terminal.
6.3.1 Modelling the terminal class
In this section the emphasis is solely upon the implementation of the Terminal class so that it
can later be analysed with runtime verification. The principles apply to any of the components
in the simulation and it is equally possible to attach monitors to the attendant, or to each
6.3 Checkout system 143
Uninitialised
Ready
Start
Scan
Authorise Assist
Place Pay
Unexpected
State Waiting for Action Next state
Uninitialised Internal state set-up Initialise (handshake) Ready
Ready New customer arrival New customer assigned Start
Start Customer to start Ask customer to scan Scan
Scan Customer activity Scans non-restricted item Place
Scans restricted item Authorise
Seeks assistance Assist
Places item Unexpected
Finish and pay Pay
Authorise Authorisation Granted Place
Refused / within permitted attempts Scan
Refused / too many attempts → end
transaction
Ready
Place Item placed Weight within tolerance → accept Scan
Weight not within tolerance → reject Unexpected
Pay Customer to insert card Payment accepted / transaction complete Ready
Payment rejected / ok to try again Pay
Payment rejected / too many attempts →
end transaction
Ready
Assist Attendant to help Help provided → carry on Scan
Unwanted item → item removed Scan
Abandon transaction Ready
Unexpected Attendant to adjudicate Ok → remove and carry on Scan
Not ok → end transaction Ready
Figure 6.5: State transition diagram for a Terminal
144 Chapter 6: Examples and evaluation
1 [T 1/C247] [scan ] ----> T2C_ScanNextItem
2 [T 1/C247] [scan ] <---- C2T_Scan: (921)
3 [T 1/C247] [scan ] - - - Reported: TotalPrice: $\$$ 13.67 NbrOfItems: 5
4 [T 1/C247] [scan ] ----> T2A_AuthorisationRequired: 1014987439
5 [T 1/C247] [authorise ] <---- A2T_AuthorisationGranted
6 [T 1/C247] [authorise ] ----> T2C_PlaceItemOnScale
7 [T 1/C247] [place ] <---- C2T_Put: (494)
8 [T 1/C247] [scan ] ----> T2C_ClearScanner
9 [T 1/C247] [scan ] ----> T2C_ScanNextItem
10 [T 1/C247] [scan ] <---- C2T_FinishAndPay
11 [T 1/C247] [scan ] ----> T2C_PayWithCard
12 [T 1/C247] [pay ] <---- C2T_InsertCard
13 [T 1/C247] [pay ] ----> T2C_PaymentAccepted
14 [T 1/C247] [pay ] ----> T2A_TransactionComplete
15 [T 1/C247] [ready ] <---- A2T_Assign: -664662046: (248)
16 [T 1/C248] [ready ] - - - Reported: Sending to customer 72140258
17 [T 1/C248] [ready ] ----> T2C_Welcome
18 [T 1/C248] [start ] <---- C2T_Start
19 [T 1/C248] [start ] ----> T2C_ScanNextItem
20 [T 1/C248] [scan ] <---- C2T_Scan: (901)
21 [T 1/C248] [scan ] - - - Reported: TotalPrice: $\$$ 0.00 NbrOfItems: 0
22 [T 1/C248] [scan ] ----> T2A_AuthorisationRequired: -664662046
23 [T 1/C248] [authorise ] <---- A2T_AuthorisationRefused
24 [T 1/C248] [authorise ] ----> T2C_ClearScanner
25 [T 1/C248] [authorise ] ----> T2C_ScanNextItem
26 [T 1/C248] [scan ] <---- C2T_Scan: (109)
27 [T 1/C248] [scan ] - - - Reported: TotalPrice: $\$$ 0.00 NbrOfItems: 0
28 [T 1/C248] [scan ] ----> T2C_PlaceItemOnScale
29 [T 1/C248] [place ] <---- C2T_Put: (645)
30 [T 1/C248] [scan ] ----> T2C_ClearScanner
31 [T 1/C248] [scan ] ----> T2C_ScanNextItem
32 [T 1/C248] [scan ] <---- C2T_Put: (640)
33 [T 1/C248] [scan ] ----> T2A_UnexpectedItemInBaggingArea
34 [T 1/C248] [unexpected] <---- A2T_ResetForNextCustomer
35 [T 1/C248] [unexpected] ----> T2C_TransactionTerminated
36 [T 1/C248] [unexpected] ----> T2A_TransactionComplete
37 [T 1/C248] [ready ] <---- A2T_Assign: -1076536131: (249)
This short extract from an execution trace shows a sequence of messages received by, and sent
from, terminal T1 during the end of a transaction with customer C247 and at the start of a
transaction with new customer C248.
Figure 6.6: Extract from the messages received by, sent from, a terminal
6.3 Checkout system 145
Simulation Attendant
busy free
Customers Terminals
C 1
C 3
C 4
T 1
T 2
T 3
T 4 Monitor
Monitor
Monitor
Monitor
Each terminal has its own runtime monitor running concurrently with it. If there are
four terminals then there are four concurrent monitors. It is possible to monitor the
state of any class/actor and another could be added to, for example, the attendant.
Since these are Akka actors the Akka dispatcher will distribute the processes across
the available cores although the total monitoring load necessarily becomes part of the
overall computation.
Figure 6.7: Each terminal is associated with its own runtime monitor
customer, or to the simulation driver itself. The terminals have been selected because they
represent static machines that would most likely be candidates for such analysis and also
because they appear as multiple instances. This permits simultaneous monitoring across
multiple, available cores. Figure 6.7 illustrates a situation in which the simulation has four
terminals, each with its own independent runtime monitor.
A terminal is an Akka actor that maintains local state and updates this state in reaction to
messages received from other actors in the system. When a state change occurs the partial
function can be substituted for another in situ: this context switching technique is achieved
using the Akka become method – “become the following state”. Not all of the private state
of a terminal will be monitored and it is useful to partition the state space into monitored
and non-monitored variables.
The following code extract shows the definition of the Terminal class and the subsequent
state variables partitioned accordingly. The unmonitored variables are modelled using Scala
variable types and the monitored variables use the parameterised Var[T] type imported from
the ITL API.
1 class Terminal( attendant: ActorRef , // attendant to which this terminal belongs
146 Chapter 6: Examples and evaluation
2 tid: Int , // terminal ID
3 productDB: ActorRef // product database
4 ) extends Actor with ActorLogging {
5
6 /* *********************************************************************************
7 * Unmonitored state variables
8 ********************************************************************************** */
9
10 private val scanned = ListBuffer [(Int , Int )]() // items scanned (bagging area)
11 private var offered: Product = Product.nothing // item just scanned
12
13 /* *********************************************************************************
14 * Monitored state variables
15 ********************************************************************************** */
16
17 object CID extends Var[Int] {override def toString = "CID" }
18 object TotalPrice extends Var[Int] {override def toString = "TotalPrice" }
19 object NbrOfItems extends Var[Int] {override def toString = "NbrOfItems" }
20 object NbrOfCusts extends Var[Int] {override def toString = "NbrOfCusts" }
21 object NbrOfPayments extends Var[Int] {override def toString = "NbrOfPayments"}
22 object NbrOfRefusals extends Var[Int] {override def toString = "NbrOfRefusals"}
23 object IsClosed extends Var[Boolean] {override def toString = "IsClosed" }
24 object HelpLight extends Var[Boolean] {override def toString = "HelpLight" }
25 object Incoming extends Var[Msg.Value]{ override def toString = "Incoming" }
26 object Outgoing extends Var[Msg.Value]{ override def toString = "Outgoing" }
6.3.2 Specifications
A list of required temporal properties that must be satisfied by a terminal is provided below.
Its execution trace can be divided into a sequence of transactions as illustrated in Figure 6.8.
NbrOfCusts 0 0 0 0 0 0 1 1 1 1 1 2 2 2 2 2 2 2 3 3 3 3
f f f
A terminal processes customers sequentially. The variable NbrOfCusts is incremented
at the start of each new customer transaction. Certain temporal formulae, indicated
by f in the figure, apply to subintervals that correspond to individual transactions.
Figure 6.8: Terminal ‘lifetime’ as a fusion of individual customer transactions
The temporal requirements R1-R5 apply within a single transaction – i.e., per customer.
These properties apply iteratively over the whole execution trace: in ITL this is written f ∗.
Given that the overall execution trace is finite, a condition representing the final state is
necessary. This reflects the fact that the terminal will eventually be shut down. The variable
6.3 Checkout system 147
IsClosed serves this purpose, and its roˆle within an iterative formula representing the whole
interval, is given by the following template:
halt(IsClosed) ∧
(B(NbrOfCusts <∼ NbrOfCusts + 1 ∨ fin(IsClosed)) ∧ (fin(IsClosed) ∨ f ))∗
Figure 6.9: Template formula for a customer transaction with requirement f
This is an example of the exceptional termination pattern (Section 3.4.3). A Scala function
for embedding single-transaction formulae within this ITL-Monitor pattern is given below:
Listing 6.4: Single transaction formula template
def ByCust(f: Formula ): Monitor =
HALT(IsClosed) ITERATE (
FIRST(NbrOfCusts <∼ NbrOfCusts +1 or fin(IsClosed )) WITH (
fin(IsClosed) or f
)
)
This structure emphasises the interval-based properties of these requirements. Each of the
per-transaction requirements (R1 - R5 below) is embedded within the above template to form
the ITL-Monitors: i.e., ByCust(R1), ByCust(R2), etc. As discussed in Section 2.2, aside from
individual propositions, LTL cannot restrict the scope of temporal formulae to apply over
subintervals.
Requirements
The requirements are presented in ITL alongside their translation into ITL-Monitor. Each of
R1-R5 will be substituted into the single transaction formula (see Listing 6.4 and Figure 6.9)
to construct the required monitor for the whole execution trace. Requirements R4 and R5
also have related TraceContract properties defined alongside for comparison.
R1 Whenever the number of (authorisation) refusals exceeds the maximum allowed, then
the transaction must be terminated.6 This property must hold for every transaction.
3(NbrOfRefusals > NUM OF REFUSALS ALLOWED) ⊃
3(Outgoing = T2C TransactionTerminated)
val R1 = even tua l l y ( NbrOfRefusals > NUM OF REFUSALS ALLOWED) i m p l i e s
even tua l l y ( Outgoing ‘=‘ Msg . T2C TransactionTerminated )
6This is an example of an obligation property [MP95].
148 Chapter 6: Examples and evaluation
R2 Whenever the help light is illuminated it will eventually be switched off. The help light
state is used here as a proxy for help being provided, which is denoted by the light being
switched off.7 This property must hold for every transaction.
2m (HelpLight ⊃ 3(¬ HelpLight))
The operator 2m specifies behaviour in all suffix intervals except the final state. This
weaker form of 2 is used because in the final state the implication is a contradiction.
This property must hold for every transaction.
val R2 = bm ( HelpLight i m p l i e s even tua l l y (∼HelpLight ) )
R3 If the number of (failed) payment attempts reaches its limit, then there must have been
precisely that number of payment rejections previously within the current transaction.
This property must hold for every transaction.
3(NbrOfPayments = PAYMENT ATTEMPTS ALLOWED) ⊃
3i (©(halt(Outgoing = T2C PaymentRejected)))PAYMENT ATTEMPTS ALLOWED
val R3 = even tua l l y ( NbrOfPayments ‘=‘PAYMENT ATTEMPTS ALLOWED) i m p l i e s
d i ( next ( ha l t ( Outgoing ‘=‘Msg . T2C PaymentRejected ) ) t imes
PAYMENT ATTEMPTS ALLOWED)
The formula3i (©(halt(w)))k states that there must be some prefix interval that satisfies
k iterations of ©(halt(w)). For example, if k = 3, the formula would be satisfied by an
interval with the following pattern: [• • w • • • w • w ].
R4 Whenever there is an unexpected item in the bagging area then the next outgoing
message must report either a terminated transaction or a removed item. This property
must hold for every transaction.
2( Outgoing = T2A UnexpectedItemInBaggingArea ⊃
3i ( B(¬ (stable(Outgoing))) ∧
fin(Outgoing = T2C TransactionTerminated ∨
Outgoing = T2C RemoveSelectedItem) ) )
val R4 = always (
( Outgoing ‘=‘ Msg . T2A UnexpectedItemInBaggingArea ) i m p l i e s
d i ( f s t ( not ( s t a b l e ( Outgoing ) ) ) and
f i n ( ( Outgoing ‘=‘ Msg . T2C TransactionTerminated ) or
7This is an example of an response property [MP95].
6.3 Checkout system 149
( Outgoing ‘=‘ Msg . T2C RemoveSelectedItem ) ) ) )
This reads as follows. Whenever an unexpected item occurs then, from that point, there
must be some prefix interval whose final state contains the first update to Outgoing
which must be either a transaction terminated or a remove selected item message.
It is useful to consider the use of TraceContract for monitoring this behaviour.
While it is natural for the ITL-based approaches (ITL-Monitor and Tempura) to treat
execution traces as sequences of states, TraceContract considers a trace to contain
events. In the earlier latch case study (Section 6.2) states were treated as events. In
this example, the ingoing and outgoing messages alone can be sent to TraceContract
rather than complete states. The type of data that would be generated is illustrated
below:
1 A2T_Assign :
2 T2C_Welcome 97 T2C_ClearScanner
3 C2T_Start 98 T2C_ScanNextItem
4 T2C_ScanNextItem 99 C2T_FinishAndPay
5 C2T_Scan 100 T2C_PayWithCard
6 T2C_PlaceItemOnScale 101 C2T_InsertCard
7 C2T_Put 102 T2C_PaymentAccepted
: 103 T2A_TransactionComplete
However, such data is generated per-customer and it is possible to adapt the simulation
to start a new TraceContract monitor for each customer transaction. Requirement
R4 can be rewritten in terms of traces of input/output events. If an unexpected item
appears in the bagging area then, there must not be another unexpected item in the
bagging area until the transaction is terminated or the original unexpected item has
been removed.
2(T2A UnexpectedItemInBaggingArea ⇒
©( (¬ T2A UnexpectedItemInBaggingArea) U
(T2C TransactionTerminated ∨ T2C RemoveSelectedItem) )
The translation into TraceContract takes advantage of Scala’s implicit definitions.
In this case messages are lifted to TraceContract LTL formulae automatically – this
simplifies the presentation of property ’R4 and aligns it with the LTL formula above.
class TCR4 extends t r a c e c o n t r a c t . Monitor [ Msg . Value ] {
import t r a c e c o n t r a c t .
implicit def msgToFormula (msg : Msg . Value ) : Formula = matches {
case m i f m == msg => true
150 Chapter 6: Examples and evaluation
case => fa l se
}
property (’TCR4) {
g l o b a l l y {
Msg . T2A UnexpectedItemInBaggingArea i m p l i e s (
s t rongnext (
not (Msg . T2A UnexpectedItemInBaggingArea ) u n t i l (
Msg . T2C TransactionTerminated or
Msg . T2C RemoveSelectedItem
)
)
)
}
}
}
R5 A payment rejected message should only occur if a pay with card message has been sent
previously within the same transaction. This property must hold for every transaction.
2i ( fin(Outgoing = T2C PaymentRejected) ⊃
3(Outgoing = T2C PayWithCard) )
val R5 = bi ( f i n ( Outgoing ‘=‘ Msg . T2C PaymentRejected ) i m p l i e s
even tua l l y ( Outgoing ‘=‘ Msg . T2C PayWithCard ) )
The operator 2i specifies all initial intervals. The requirement states that any prefix
interval ending with PaymentRejected must contain a state in which PayWithCard has
taken place: i.e. that the latter has occurred previously within the interval.
Transaction subintervals are specified with ByCust(R5) (cf. 6.4): thus the subformula
3(Outgoing = T2C PayWithCard) is restricted to the ‘current transaction’.
It is possible to compare this specification with TraceContract using its support
for LTL with past time events. As in R4 above, the TraceContract monitor will
be defined on a per-transaction basis. TraceContract supports LTL with past-time
events by maintaining a ‘facts database’ [BH11]. These facts persist so it is up to the
monitor to add and remove facts at the right times. Unlike ITL where the scope of past
values is delimited by the extent of a subinterval, the database approach relies upon
inserting code into the monitor formula to add and remove facts at the correct times.
Such a facts database has been utilised in the following TraceContract specification
of requirement R5. The postfix operators +, ?, and ~, cause their associated facts to be
added, and queried for presence, and absence respectively.
6.3 Checkout system 151
class TCR5 extends t r a c e c o n t r a c t . Monitor [ Msg . Value ] {
import t r a c e c o n t r a c t .
case object CardPaymentRequested extends Fact
property (’TCR5) {
r e q u i r e {
case Msg . T2C PayWithCard => CardPaymentRequested +
case Msg . T2C PaymentRejected i f CardPaymentRequested ? => ok
case Msg . T2C PaymentRejected i f CardPaymentRequested ˜ => e r r o r
}
}
}
R6 One transaction in each group of ten must complete a successful payment.
HALT (IsClosed) ITERATE (
FIRST (NbrOfCusts <∼ NbrOfCusts + 1 ∨ fin(IsClosed)) TIMES 10 SOMETIME (
(Outgoing = T2C PaymentAccepted) ) )
This specification highlights the use of nested, iterative monitor composition. The
monitor iterates as long as the simultation is running (HALT (IsClosed)). Each iteration
is a sequence of ten transactions. Within that ten-transaction interval, at least one
payment accepted message must hold. The use of SOMETIME means that the proposition
is monitored continually.
def R6 = HALT( I sC losed ) ITERATE (
FIRST( NbrOfCusts <˜ NbrOfCusts+1 or
f i n ( I sC lo sed ) ) TIMES 10 SOMETIME
( Outgoing ‘=‘ Msg . T2C PaymentAccepted )
)
Each of the requirements R1-R5 are transaction-based and thus can be embedded within the
ByCust(f) template. R6 spans transactions and thus stands alone. The combined monitor
expression is presented below. Combining these monitors with AND requires that they all
satisfy the same execution trace.
Each submonitor is labelled to enable identification of component formulae in logfile data.
val specification = "R1":: ByCust(R1) AND
"R2":: ByCust(R2) AND
"R3":: ByCust(R3) AND
"R4":: ByCust(R4) AND
"R5":: ByCust(R5) AND
"R6"::R6
152 Chapter 6: Examples and evaluation
PAYMENT ATTEMPTS ALLOWED 2 number of payment attempts allowed before
the transaction is terminated
NUM OF REFUSALS ALLOWED 1 number of times a restricted item can be
refused before underage customer is evicted
PROBLEM SOLVED LIKELIHOOD 95 percentage likelihood of solving a general
enquiry and continuing with shopping
CUSTOMER TRUST LIKELIHOOD 95 percentage likelihood that the attendant
trusts the customer following mistake
HELP BUTTON PRESSED LIKELIHOOD 10 percentage likelihood of customer pressing the
help button
GENERAL ASSIST LIKELIHOOD 60 percentage likelihood of customer requiring
general assistance
UNDO PREV ITEM LIKELIHOOD 30 percentage likelihood of customer wishing to
undo the last scanned item
PLACE WRONG ITEM LIKELIHOOD 10 percentage likelihood of customer placing the
wrong item in the bagging area
UNDERAGE LIKELIHOOD 10 percentage likelihood of customer being
underage
CARD ACCEPTED LIKELIHOOD 90 percentage likelihood of customer card being
accepted (by machine/bank/etc.)
PUT NOT SCAN LIKELIHOOD 5 percentage likelihood of customer putting an
item down before scanning it
Figure 6.10: Simulation constants for the checkout system
6.3.3 Timing data
The simulation is controlled using a set of constants which is presented as Figure 6.10. The
following values may also be set for a given run:
• The number of terminals available to serve customers.
• The number of shopping items selected randomly for each customer.
• The number of customers to be processed. In terms of the scenario, this determines the
trading period. It therefore controls the length of a simulation run.
The first set of results is used for analysing the time it takes to run sequences of transactions.
The requirements R1-R5 are written on a per-transaction basis and, as such, cause the monitor
to verify the requirements one transaction at a time. The five requirements are monitored
simultaneously. For the purpose of the timing analysis each simulation run completes and
all of the requirements succeed. The simulation generates random events in accordance with
the simulation parameters (Figure 6.10) and these are recorded via instrumentation points
(verify) placed within the Terminal class.
Figure 6.11 shows the outputs for a number of relatively short runs of 100 transactions
(representing 100 customers). The number of items in each customer’s shopping cart has been
6.3 Checkout system 153
set at 10, 50, 100, and 200 respectively. For each run the total number of states generated by
the simulation is recorded along with the total time spent analysing the transactions. These
times are calculated using the system timer within the verification method. Each transaction
has its own interval length depending upon the combination of events that occur. Some
intervals may be significantly shorter than the number of items if, for example, the transaction
is terminated early. However, the interval lengths are averaged over 100 transactions. The
maximum length of any interval is also captured by the system and reported. The interval
lengths and times are averaged over five runs.
These relatively short runs generate interval lengths up to on average c. 350 states. Some of
the maximum values are significantly larger. The average time for simultaneously checking
requirements R1-R5 is less than a third of a second. The interval lengths are based upon
realistic amounts of shopping (even though 200 items is perhaps a little extreme) and thus
demonstrate that checking these requirements is very feasible. In the type of system this is
modelling, these verification times are well within what would be required.
In the first experiment, the time taken to evaluate each of the requirements was dependent
upon the length of the interval and the particular values assigned by the simulation. Figure
6.12 shows the outputs for verification of formulae with guaranteed evaluation worst-case
complexities of O(n3) and O(n4).
The O(n3) formula 2(2((3(empty)))) equates to ¬ (3(3(¬ (3(empty))))) which, in turn,
is equal to ¬ (true ; (true ; (¬ (true ; (empty))))). Evaluation will require the examination
of every possible fusion point for each ; . The results show that for O(n3) formulae, the
evaluation times are within a tenth of a second for intervals up to c. 300 states. However,
once the O(n4) formula is used there is a noticable exponential rise in evaluation times. For
interval lengths up to around 200 states even O(n4) formulae can be verified in under a
second.
The third experiment demonstrates scalability. The computational load on each requirement
is kept low by maintaining average interval lengths of 80 states. This is testing that a constant
performance for the individual interval verifications is maintained as the overall number of
states rises. This occurs as the number of states rises from 80K to just under 1m.
6.3.4 Running with TraceContract
It was shown during the development of R4 and R5 that these requirements could be
adapted for use with TraceContract. Although these monitors do not capture the whole
execution trace, the behaviour of individual intervals is checked by creating and destroying
the TraceContract monitors within the simulation when each new customer arrives.
154 Chapter 6: Examples and evaluation
R1-R5, 1 monitor
No. of No. items Total states Avg intvl Max intvl Total time Avg intvl
intervals per intvl monitored length length (s) time (s)
100 10 8009 80 131 6.376 0.06376
100 10 7671 77 139 5.189 0.05189
100 10 7938 79 136 5.064 0.05064
100 10 8033 80 121 5.751 0.05751
100 10 8251 83 146 6.378 0.06378
avg 80 0.05752
100 50 20963 210 479 36.151 0.36151
100 50 23655 237 485 20.313 0.20313
100 50 23135 231 468 28.292 0.28292
100 50 23565 236 474 18.660 0.18660
100 50 21398 214 476 20.352 0.20352
avg 226 0.24754
100 100 32651 327 900 26.267 0.26267
100 100 26427 264 879 19.728 0.19728
100 100 27148 227 854 19.856 0.19856
100 100 31672 317 892 25.150 0.25150
100 100 28906 289 889 23.289 0.23289
avg 285 0.22858
100 200 33155 332 1655 24.453 0.24453
100 200 31916 319 1673 28.308 0.28308
100 200 34595 346 1492 29.392 0.29392
100 200 32798 328 1553 27.699 0.27699
100 200 34772 348 1644 31.943 0.31943
avg 335 0.28359
Runs for shopping baskets with 10, 50, 100, and 200 items. Experimental output data in Section
B.3.1.
Figure 6.11: Experiment 1
6.3 Checkout system 155
1 monitor
No. of No. items Total states Avg intvl Max intvl Total time Avg intvl
intervals per intvl monitored length length (s) time (s)
Formula for each transaction is 2(2((3(empty)))) – O(n3)
100 10 7795 78 121 2.298 0.02298
100 40 21165 212 383 6.118 0.06118
100 70 24703 247 628 8.565 0.08565
100 100 29038 290 872 9.795 0.09795
100 1000 37913 379 1758 12.844 0.12844
Formula for each transaction is 2(2(2(3(empty))))) – O(n4)
100 10 8503 85 132 7.051 0.70705
100 40 20628 206 379 78.349 0.78349
100 70 24025 240 610 200.102 2.00102
100 100 28461 285 824 367.922 3.67922
Illustrating worst-case performance characteristics. Experimental output data in Section B.3.2.
Figure 6.12: Experiment 2
TraceContract can be set to log event data and to report successful verifications to the
standard output. For example, in a sample transaction, monitor TCR4 reports that Monitor:
TerminalTCMonitor .TerminalTCR4
Property ’TCR4 succeeds
Succeeding event number 58: T2C_RemoveSelectedItem
Trace:
56=T2A_UnexpectedItemInBaggingArea
58=T2C_RemoveSelectedItem
The TraceContract event numbers do not align with the ITL-Monitor trace because the
latter is being monitored for the whole simulation whereas the former only for a given
transaction. However, it is possible to locate the corresponding states in the ITL-Monitor
trace for comparison. The More judgement in state 74 reflects the fact that requirement R4
has passed this sequence successully (some of the variable mappings have been removed for
brevity):
( 0.214 sec): RTM (T_1) More 72 CID -> 1
Incoming -> C2T_Put
Outgoing -> T2A_UnexpectedItemInBaggingArea
156 Chapter 6: Examples and evaluation
R1-R5, 1 monitor
No. of No. items Total states Avg intvl Max intvl Total time Avg intvl
intervals per intvl monitored length length (s) time (s)
1000 10 79949 79 162 41.575 0.04158
2000 10 159838 80 157 80.466 0.04023
3000 10 238610 80 154 112.501 0.03750
12000 10 955706 80 176 468.546 0.03905
The experiment demonstrates that the monitor performance scales linearly, and is capable of
handling large data sets. Experimental output data in Section B.3.3.
Figure 6.13: Experiment 3
( 0.214 sec): RTM (T_1) More 73 CID -> 1
Incoming -> A2T_ClearMostRecentItem
Outgoing -> T2A_UnexpectedItemInBaggingArea
( 0.215 sec): RTM (T_1) More 74 CID -> 1
Incoming -> A2T_ClearMostRecentItem
Outgoing -> T2C_RemoveSelectedItem
It is more difficult with TCR5 because TraceContract cannot identify the relevant states
– the check is made against the ’facts database’. However, by inspecting the event log for
each customer it is possible to locate an example. Below is the tail of a TraceContract
log showing two trigger events, 69 and 71. The required earlier event is number 67. When
event 67 occurred the fact T2C PayWithCard was added to the database. When events 69
and 71 occurred the fact was checked. Note that it is not necessary to clear the fact database
because the TraceContract monitor is terminated at the end of the transaction.
66 C2T_FinishAndPay
67 T2C_PayWithCard
68 C2T_InsertCard
69 T2C_PaymentRejected
70 C2T_InsertCard
71 T2C_PaymentRejected
72 C2T_InsertCard
73 T2C_PaymentAccepted
74 T2A_TransactionComplete
The relevant states from the ITL-Monitor trace are extracted below.
6.4 Summary 157
( 1.895 sec): RTM (T_1) More 3427 CID -> 45 ... Outgoing -> T2C_PayWithCard
( 1.896 sec): RTM (T_1) More 3428 CID -> 45 ... Outgoing -> T2C_PayWithCard
( 1.896 sec): RTM (T_1) More 3429 CID -> 45 ... Outgoing -> T2C_PayWithCard
( 1.897 sec): RTM (T_1) More 3430 CID -> 45 ... Outgoing -> T2C_PaymentRejected
( 1.898 sec): RTM (T_1) More 3431 CID -> 45 ... Outgoing -> T2C_PaymentRejected
( 1.898 sec): RTM (T_1) More 3432 CID -> 45 ... Outgoing -> T2C_PaymentRejected
( 1.898 sec): RTM (T_1) More 3433 CID -> 45 ... Outgoing -> T2C_PaymentRejected
( 1.899 sec): RTM (T_1) More 3434 CID -> 45 ... Outgoing -> T2C_PaymentRejected
( 1.899 sec): RTM (T_1) More 3435 CID -> 45 ... Outgoing -> T2C_PaymentRejected
( 1.899 sec): RTM (T_1) More 3436 CID -> 45 ... Outgoing -> T2C_PaymentRejected
( 1.899 sec): RTM (T_1) More 3437 CID -> 45 ... Outgoing -> T2C_PaymentAccepted
( 1.900 sec): RTM (T_1) More 3438 CID -> 45 ... Outgoing -> T2A_TransactionComplete
The example highlights the difference between storing individual events and storing states.
In the latter approach certain data is duplicated in successive states while other values
change. There is no need to store historical facts because the interval of states for the current
transaction delimits the scope of the operators 2i and 3.
2i ( fin(Outgoing = T2C PaymentRejected) ⊃
3(Outgoing = T2C PayWithCard) )
6.4 Summary
The examples in this chapter have demonstrated that ITL-Monitor can be used both to
specify and to monitor real word applications. The checkout system delivered performance
characteristics in which intervals of length averaging c. 300 states were being verified against
ITL formulae with verification time complexity of O(n3) in around a tenth of a second.
The system also showed that the tool is capable of handling large execution traces. The
experimental requirements R1-R5 were verified over a trace consisting of nearly a million
states. When the length of the subintervals was maintained at 80 states, ITL-Monitor delivered
consistent average interval verification times of c. 0.04 seconds as the number of subintervals
was increased from 1000 to 12000. This demonstrates that the underlying architecture is
capable of handling this level of throughput.
The first example has demonstrated the advantage of dividing the execution trace into a series
of subintervals. For simulation lengths of up to about 300 states both TraceContract and
ITL-Monitor were processing the data in similar times. However, as the number of states
increased beyond that, ITL-Monitor gained a clear advantage over TraceContract with
the latter taking three times longer to complete over 62K states.
ITL-Monitor generates a new monitor each time an A-cycle or a B -cycle completes (about one
158 Chapter 6: Examples and evaluation
in every 10 states), whereas TraceContract is generating a new monitor in every state.
When the ITL specification was changed to reflect the LTL more closely, the resulting ITL-
Monitor performed more slowly – ITL-Monitor took 31 seconds to process 63K states whereas
before it only took 12 seconds. TraceContract took 41 seconds.
Both of these systems are Scala DSLs, which have not been especially optimised, running
inline with the simulation itself. However, TraceContract has not been written to exploit
multi-core architectures, whereas ITL-Monitor has been, by virtue of being implemented as
a network of Akka actors. This design decision delegates the distribution of labour across
multiple cores to the Akka dispatcher. It is also possible, in principle, to distribute actors
across computer systems and networks – Akka already supports this. Exploting this potential
for monitor distribution is left for future work.
There is a potential drawback with performing verification after each subinterval has been
collected. Faults will be detected at this level of granularity. Runtime verification systems
whose monitors check every state against the specification will be able to detect faults
immediately. It is a trade-off. ITL-Monitor is a candidate runtime verification tool for systems
for which the time to evaluate each verification judgement is required to be of the order of
tenths of seconds, or greater, rather than, e.g., miliseconds.
Practice with these runtime verification tools has highlighted the utility of monitor
composition. TraceContract provides this using monitor hierarchies (trees) in which
siblings are run concurrently. The internals of TraceContract ensures that each event
is distributed to all child monitors. The grammar of ITL-Monitor enables monitors to be
composed sequentially, iteratively, and in parallel, and the theory developed in Chapter 4
provides an ITL translation of every ITL-Monitor expression. An example of this approach
was particularly evident in requirement R6 which exploits all of these features (including the
nested iteration of intervals).
HALT (IsClosed) ITERATE (
FIRST (NbrOfCusts <∼ NbrOfCusts + 1 ∨ fin(IsClosed)) TIMES 10 SOMETIME (
(Outgoing = T2C PaymentAccepted) ) )
The use of Scala DSLs for developing runtime verification libraries is a current research topic.
TraceContract is one example and ITL-Monitor is another. Scala’s support for higher
order functions, pattern matching, and partial function syntax, all contribute to the ease
with which such libraries can be developed.
Chapter 7
Conclusion and future work
The use of ITL to specify the ITL-Monitor components required the development of a theory
of fixed-length intervals in ITL (Section 3.5.2). Three new ITL operators were introduced: all
strict initial intervals, 2s ; some strict initial interval, 3s , and the first occurrence operator,
B. An investigation of these operators was conducted which led to the development of a
body of laws that has been added to ITL [CMS19]. The theory includes the important
law FstFstChopEqvFstChopFst (C .260) (` B(B f ; g) ≡ B f ; B g) which states that the
sequential composition of first occurrences is itself a first occurrence. This is a significant
result which has an important corollary1, FstFixFst (C .261) (` BB f ≡ B f ). This states that
a first occurrence of f can have no other first occurrences of f before it. These operators
provide the basis for the translations of the ITL-Monitor expressions into ITL (cf. Chapter 4).
The development of ITL-Monitor as a restriction of ITL enabled monitor operators to be
investigated mathematically. Their algebraic properties have been discovered and documented
[CMS19]. These are particularly useful because, not only does this enable ITL-Monitor
expressions to be rewritten and simplified, it also facilitates the transformation of their
executable counterparts.
The implementation of ITL-Monitor as a Domain Specific Language in Scala means that
monitors exist as dynamic objects within the programs they are verifying and that they can
be constructed and executed under program control. This provides flexibility to the software
engineer to decide how the runtime verification affects the program’s future behaviour. This
feature is an implementation of the react at runtime pattern discussed in [LS09].
Experimental results were carried out using a case study capable of generating large volumes
of simulation data. The performance of ITL-Monitor was found to be scalable – constant
interval processing times of a 0.04 seconds/interval were observed as the size of the execution
trace increased from 80,000 states to just under a million. The average interval length was 80
1Set g ≡ empty.
160 Chapter 7: Conclusion and future work
states. A second experiment showed that verifying ITL formulae with evaluation complexity
of O(n3) over interval sizes of around 300 states ran at approximately 0.1 seconds/interval.
These results indicate that ITL-Monitor is a practical runtime verification tool with real-world
potential application.
7.1 Comparison with related work
Interest in using Scala as a language for building runtime monitor DSLs (cf. 2.4.1) [AHKY15]
has increased in recent years. The syntactic features available in Scala which facilitate
the construction of DSLs, coupled with its compilation into Java bytecode, make it an
attractive implementation target. The DSL approach to monitor construction is one of the
considerations discussed recently in [BHK16] in which the authors propose a move towards
tighter integration of specification logics and programming languages. ITL-Monitor has been
developed as an internal DSL in Scala.
ITL-Monitor shares with AnaTempura the use of manually instrumented checkpoints. However,
unlike AnaTempura, ITL-Monitor provides a closer coupling between the program checkpoint
and the monitor because it uses an internal DSL rather than an external monitor. This
embedded approach benefits from the use of the compiler to type-check the data passed to
and from each monitor. In principle, the instrumentation of ITL-Monitor could be automated
using an approach similar to AspectJ [Asp17] and JavaMOP [JMLR12] with the trigger events
being associated with updates to variables. However, the current manual approach affords
greater control when a new state is added to the trace. In particular it permits multiple
updates at a time to occur to monitored variables (see Section 2.1 in [RH16]).
A key aspect of ITL-Monitor is its compositional construction which it derives from the
underlying ITL. Compositionality in ITL has provided the motivation for both theoretical
[Mos94, Mos98, Mos13, Mos14b], and practical work [Mos96a, JNWC15, Dim00, Dim02,
SCZ03a, SCZ03b, Sie05, JCS+06, JCSZ13, STE+14]. An exciting area of current research
involves temporal projection [MG17]. It is envisaged that ITL-Monitor will develop to
exploit temporal projection to perform simultaneous runtime verification at different time
granularities.
7.2 Limitation
The instrumentation of ITL-Monitor currently utilises a manual approach in which the software
engineer inserts code to pass a new state to the monitor. Although this provides a fine level
of control over when states are passed, it is incumbent upon the software engineer to insert
checkpoints at exactly the right places in the code. This approach is similar to both of the
7.4 Future work 161
other runtime verification tools that have been used in this thesis (TraceContract and
AnaTempura).
7.3 Future work
Distributed monitors. It was a deliberate design decision to use Akka, an industrial
strength, distributed actor system, as the basis for the monitor implementation. This
already enables monitors to exploit multiple cores courtesy of the Akka dispatcher. This
is particularly useful given that ITL-Monitor is an inline monitoring architecture (cf.
2.4). However, Akka actors can also be distributed across networks and it is intended
to explore how to configure ITL-Monitor to perform distributed runtime verification.
Time reversal. The underlying theory expressed in ITL has focused on time flowing in a
forwards direction. The insight is that the monitor is concerned with consuming new
states as they arrive in real time just until the evolving interval satisfies the required
condition. Thus the first occurrence operator was introduced to facilitate the expression
of such requirements. In recent work [Mos14b] time reversal has been introduced into
ITL and has been shown to provide new insights and, in some cases, to lead to simpler
proofs.
An evolving execution trace is extended at only one end. However, a completed interval
can be viewed from either end. It is natural to consider the reflections of the newly
added ITL operators (2t , 3t , C) and how a symmetrical theory of first occurrence
could be developed. It is expected that this will provide a set of transformations that
could provide greater insight into future applications of these new operators.
Temporal projection. ITL-Monitors may be composed sequentially and in parallel. These
are built, fundamentally, upon the ITL operators ( ; and ∧). However, it can be useful
to view intervals at different levels of temporal abstraction. This can be achieved using
temporal projection, f1 proj f2, [MG17, Mos86, BT00], The translation of ITL-Monitor
into ITL will need to be adapted to take into account this new feature.
At a practical level, some exploratory work has already been undertaken, and an initial
implementation of projection has already been added to the Monitor.scala API. In this
experimental version, the projection points must be specified deterministically. This has
been tried out practically with a small example and it is clear that useful, multi-level
verifications can take place simultaneously on an evolving trace. It is expected that
such an enhanced ITL-Monitor will have application in monitoring systems at different
temporal granularities simultaneously.
162 Chapter 7: Conclusion and future work
7.4 Potential impact
The theory of first occurrence extends the body of knowledge relating to ITL, particularly
in respect of fixed length intervals and their combination. The laws have been checked
mechanically by Isabelle/HOL using a translation of ITL into Isabelle/HOL produced by
Antonio Cau.
The ITL-Monitor API has potential use in commercial or industrial applications. As mentioned
above, the intention is to investigate next how to exploit Akka’s distributed actor support
so that the existing model can be used to monitor a distributed system. This is seen as a
significant potential direction for ITL-Monitor.
Bibliography
[AHKY15] C. Artho, K. Havelund, R. Kumar, and Y. Yamagata. Domain-specific languages
with Scala. In Michael Butler, Sylvain Conchon, and Fatiha Zaidi, editors, LNCS:
17th International Conference on Formal Engineering Methods, volume 9407,
pages 1–16. Springer-Verlag, November 2015.
[Akk17] Akka. Akka homepage. online: http://akka.io, 2017.
[AO08] Paul Ammann and Jeff Offutt. Introduction to Software Testing. Cambridge
University Press, 2008.
[Asp17] AspectJ. AspectJ. online: https://eclipse.org/aspectj/, 2017.
[BB08] Joachim Baran and Howard Barringer. Forays into sequential composition and
concatenation in Eagle. In Martin Leucker, editor, Runtime Verification: 8th
International Workshop, pages 69–85. Springer, 2008.
[BBC+02] Jonathan P Bowen, Kirill Bogdanov, John A Clark, Mark Harman, Robert M
Hierons, and Paul Krause. Fortest: Formal methods and testing. In Computer
Software and Applications Conference, 2002. COMPSAC 2002. Proceedings. 26th
Annual International, pages 91–101. IEEE, 2002.
[BGHS04a] Howard Barringer, Allen Goldberg, Klaus Havelund, and Koushik Sen. Program
Monitoring with LTL in Eagle. In IPDPS, 2004.
[BGHS04b] Howard Barringer, Allen Goldberg, Klaus Havelund, and Koushik Sen. Rule-
based runtime verification. In Bernhard Steffen and Giorgio Levi, editors,
VMCAI, pages 44–57, 2004.
[BH11] Howard Barringer and Klaus Havelund. TraceContract: A Scala DSL for Trace
Analysis. In Michael Butler and Wolfram Schulte, editors, FM 2011: Formal
Methods, pages 57–72, Berlin, Heidelberg, 2011. Springer Berlin Heidelberg.
[BH14] Dines Bjørner and Klaus Havelund. 40 years of formal methods. In Proceedings
of the 19th International Symposium on FM 2014: Formal Methods - Volume
8442, pages 42–61, New York, NY, USA, 2014. Springer-Verlag New York, Inc.
164 Chapter 7: Bibliography
[BHK16] Manfred Broy, Klaus Havelund, and Rahul Kumar. Towards a unified view of
modeling and programming. In Leveraging Applications of Formal Methods,
Verification and Validation: Discussion, Dissemination, Applications - 7th
International Symposium, ISoLA 2016, Imperial, Corfu, Greece, October 10-14,
2016, Proceedings, Part II, pages 238–257, 2016.
[BHRG09] Howard Barringer, Klaus Havelund, David Rydeheard, and Alex Groce. Rule
Systems for Runtime Verification: A Short Tutorial. In Saddek Bensalem and
Doron A. Peled, editors, Runtime Verification, volume 5779, pages 1–24, Berlin,
Heidelberg, 06 2009. Springer Berlin Heidelberg.
[BL13] Michael Bevilacqua-Linn. Functional Programming Patterns in Scala and
Clojure. The Pragmatic Programmers, 2013.
[BLS07] Andreas Bauer, Martin Leucker, and Christian Schallhart. The good, the bad,
and the ugly, but how ugly is ugly? In Workshop on Runtime Verification
(RV’07), pages 126–138, 2007.
[BLS11] Andreas Bauer, Martin Leucker, and Christian Schallhart. Runtime Verification
for LTL and TLTL. ACM Trans. Softw. Eng. Methodol., 20(4):14:1–14:64,
September 2011.
[BRH07] Howard Barringer, David Rydeheard, and Klaus Havelund. Rule systems for run-
time monitoring: From Eagle to RuleR. In Oleg Sokolsky and Serdar Tas¸ıran,
editors, Runtime Verification, pages 111–125, Berlin, Heidelberg, 2007. Springer
Berlin Heidelberg.
[BT00] Howard Bowman and Simon J. Thompson. A Complete Axiomatization of
Interval Temporal Logic with Projection. Technical Report 6-00, Computing
Laboratory, University of Kent, Canterbury, Great Britain, January 2000.
[Cau07] A. Cau. AnaTempura. online: http://www.antonio-cau.co.uk/ITL/
itlhomepagesu11.html#x15-140003.1, 2007.
[Cau08] Antonio Cau. Interval Temporal Algebra. online: http://www.antonio-cau.
co.uk/ITL/itl-atp/index.html, 2008.
[CM16] Antonio Cau and Ben Moszkowski. The ITL homepage. online: http://
antonio-cau.co.uk/ITL/, 2016.
[CMS19] Antonio Cau, Ben Moszkowski, and David Smallwood. An encoding of Interval
Temporal Logic in Isabelle/HOL. online: http://antonio-cau.co.uk/ITL/
itlhomepagesu13.html#x17-220003.3, March 2019. (Version 1.9).
7.4 Bibliography 165
[CR03] Feng Chen and Grigore Ros¸u. Towards monitoring-oriented programming: A
paradigm combining specification and implementation. Electronic Notes in
Theoretical Computer Science, 89(2):108–127, 2003.
[CR07] Feng Chen and Grigore Rosu. Mop: An Efficient and Generic Runtime
Verification Framework. In Richard P. Gabriel, David F. Bacon, Cristina Videira
Lopes, and Guy L. Steele Jr., editors, Proceedings of the 22nd Annual ACM
SIGPLAN Conference on Object-Oriented Programming, Systems, Languages,
and Applications, OOPSLA 2007, October 21-25, 2007, Montreal, Quebec,
Canada, pages 569–588. ACM, 2007.
[CZCM96] Antonio Cau, Hussein Zedan, Nick Coleman, and Ben Moszkowski. Using ITL
and TEMPURA for large scale specification and simulation. In Proc. of the
4th Euromicro Workshop on Parallel and Distributed Processing, pages 493–500.
IEEE Computer Society Press, 1996. .
[DFM+15] Philip Daian, Ylie`s Falcone, Patrick O’Neil Meredith, Traian-Florin Serbanuta,
Shinichi Shiraishi, Akihito Iwai, and Grigore Rosu. Rv-android: Efficient
parametric android runtime verification, a brief tutorial. In Runtime Verification
- 6th International Conference, RV 2015 Vienna, Austria, September 22-25,
2015. Proceedings, volume 9333 of Lecture Notes in Computer Science, pages
342–357. Springer, September 2015.
[DGH+16] Philip Daian, Dwight Guth, Chris Hathhorn, Yilong Li, Edgar Pek, Manasvi
Saxena, Traian Florin Serbanuta, and Grigore Rosu. Runtime verification at
work: A tutorial. In Runtime Verification - 16th International Conference,
RV 2016 Madrid, Spain, September 23-30, 2016, Proceedings, volume 10012 of
Lecture Notes in Computer Science, pages 46–67. Springer, September 2016.
[DH05] Marcelo DAmorim and Klaus Havelund. Jeagle: a JAVA Runtime Verification
Tool. Technical Report 20050082002, NASA Ames Research Center, NASA Ames
Research Center; Moffett Field, CA, United States, 2005.
[Dij75] Edsger W. Dijkstra. Guarded Commands, Nondeterminacy and Formal
Derivation of Programs. Commun. ACM, 18(8):453–457, August 1975.
[Dim00] Jordan Dimitrov. Compositional Reasoning about Events in Interval Temporal
Logic. In Proc. of The Fifth International Conference on Computer Science and
Informatics, 2000.
[Dim02] Jordan Dimitrov. Formal Compositional Design of Mixed Hardware/Software
Systems with semantics of Verilog HDL. PhD thesis, De Montfort University,
2002.
166 Chapter 7: Bibliography
[EFH+03] Cindy Eisner, Dana Fisman, John Havlicek, Yoad Lustig, Anthony McIsaac, and
David Van Campenhout. Reasoning with temporal logic on truncated paths. In
Warren A. Hunt and Fabio Somenzi, editors, Computer Aided Verification, pages
27–39, Berlin, Heidelberg, 2003. Springer Berlin Heidelberg.
[Eme90] E. Allen Emerson. Handbook of theoretical computer science (vol. b). chapter
Temporal and Modal Logic, pages 995–1072. MIT Press, Cambridge, MA, USA,
1990.
[FHR13] Ylie`s Falcone, Klaus Havelund, and Giles Reger. A Tutorial on Runtime
Verification. In Manfred Broy, Doron Peled, and Georg Kalus, editors,
Engineering Dependable Software Systems, volume 34 of NATO Science for Peace
and Security Series - D: Information and Communication Security, pages 141–
175. IOS Press, 2013. Summer School Marktoberdorf 2012.
[Fis06] Michael Fisher. Metatem: The story so far. In Rafael H. Bordini, Mehdi M.
Dastani, Ju¨rgen Dix, and Amal El Fallah Seghrouchni, editors, Programming
Multi-Agent Systems: Third International Workshop, ProMAS 2005, Utrecht,
The Netherlands, July 26, 2005, Revised and Invited Papers, pages 3–22, Berlin,
Heidelberg, 2006. Springer Berlin Heidelberg.
[Fis11] M. Fisher. An Introduction to Practical Formal Methods Using Temporal Logic.
Wiley, 2011.
[For82] Charles Forgy. Rete: A fast algorithm for the many pattern/many object pattern
match problem. Artificial Intelligences, 19(1):17–37, 1982.
[Hav11] K. Havelund. Closing the Gap Between Specification and Programming:
VDM++ and Scala. In Andrei Voronkov and Margarita Korovina, editors,
Higher-Order Workshop on Automated Runtime Verification and Debugging,
volume 1 (first edition). EasyChair Proceedings, December 2011.
[Hav13] K. Havelund. A Scala DSL for Rete-based Runtime Verification. In LNCS: The
4th International Conference on Runtime Verification (RV 2013), volume 8174.
Springer Verlag, September 2013.
[Hav14] Klaus Havelund. Monitoring with data automata. In Tiziana Margaria
and Bernhard Steffen, editors, Leveraging Applications of Formal Methods,
Verification and Validation. Specialized Techniques and Applications: 6th
International Symposium, ISoLA 2014, Imperial, Corfu, Greece, October 8-11,
2014, Proceedings, Part II, pages 254–273, Berlin, Heidelberg, 2014. Springer
Berlin Heidelberg.
7.4 Bibliography 167
[Hav15] Klaus Havelund. Rule-based runtime verification revisited. Int. J. Softw. Tools
Technol. Transf., 17(2):143–170, April 2015.
[Hav19] K. Havelund. Trace Contract. online: https://github.com/havelund/
tracecontract, January 2019.
[Hie02] Rob Hierons. Editorial: Formal methods and testing. Software Testing,
Verification and Reliability, 12(2):69–70, 2002.
[Hol04] G. J. Holzmann. The Spin Model Checker. Addison-Wesley, 2004.
[Jan10] Helge Janicke. ITL Tracer: Runtime Verification of Properties expressed in ITL
(unpublished). 2010.
[Jav17] JavaMOP. JavaMOP4. online: http://fsl.cs.illinois.edu/index.php/
JavaMOP, 2017.
[JCS+06] Helge Janicke, Antonio Cau, Franc¸ois Siewe, Hussein Zedan, and Kevin Jones.
A Compositional Event & Time-Based Policy Model. In 7th IEEE International
Workshop on Policies for Distributed Systems and Networks (POLICY 2006),
5-7 June 2006, London, Ontario, Canada, pages 173–182, 2006. .
[JCSZ13] Helge Janicke, Antonio Cau, Franc¸ois Siewe, and Hussein Zedan. Dynamic
Access Control Policies: Specification and Verification. The Computer Journal,
56(4):440–463, 2013. .
[Jin12] Dongyun Jin. Making Runtime Monitoring of Parametric Properties Practical.
PhD thesis, University of Illinois at Urbana-Champaign, August 2012.
[JMLR12] Dongyun Jin, Patrick O’Neil Meredith, Choonghwan Lee, and Grigore Rosu.
JavaMOP: Efficient parametric runtime monitoring framework. In Proceedings
of the 34th International Conference on Software Engineering, pages 1427–1430.
IEEE, 2012.
[JNWC15] Helge Janicke, Andrew Nicholson, Stuart Webber, and Antonio Cau. Runtime-
monitoring for industrial control systems. Electronics, 4(4):995–1017, December
2015. Open Access.
[JZR+16] O. Javed, Y. Zheng, A. Rosa`, H. Sun, and W. Binder. Extended code coverage
for AspectJ-Based Runtime Verification Tools. In Y. Falcone and Sa´nchez
C., editors, Runtime Verification. RV 2016, volume 10012 of Lecture Notes in
Computer Science. Springer, 2016.
168 Chapter 7: Bibliography
[Leu12] Martin Leucker. Teaching runtime verification. In Sarfraz Khurshid and Koushik
Sen, editors, Runtime Verification: Second International Conference, RV 2011,
San Francisco, CA, USA, September 27-30, 2011, Revised Selected Papers, pages
34–48, Berlin, Heidelberg, 2012. Springer Berlin Heidelberg.
[LS09] Martin Leucker and Christian Schallhart. A Brief Account of Runtime
Verification. Journal of Logic and Algebraic Programming (JLAP), (78):293–
303, 2009.
[MG17] Ben Moszkowski and Dimitar Guelev. An application of temporal projection
to interleaving concurrency. Formal Aspects of Computing, 29(4):705–750, July
2017.
[MGL14] Ben Moszkowski, Dimitar Guelev, and Martin Leucker. Guest editors’ preface to
special issue on interval temporal logics. Annals of Mathematics and Artificial
Intelligence, 71(1-3):1–9, July 2014.
[MM84] Ben Moszkowski and Zohar Manna. Reasoning in interval temporal logic. In
Edmund Clarke and Dexter Kozen, editors, Logics of Programs, pages 371–382,
Berlin, Heidelberg, 1984. Springer Berlin Heidelberg.
[Mos82] B. C. Moszkowski. A Temporal Logic for Multi-Level Reasoning About Hardware.
Technical Report ADA324174, Stanford University, December 1982.
[Mos83] Ben Moszkowski. Reasoning about Digital Circuits. PhD thesis, Department of
Computer Science, Stanford University, 1983.
[Mos86] B. C. Moszkowski. Executing Temporal Logic Programs. CUP, 1986.
[Mos94] Ben Moszkowski. Some very compositional temporal properties. In E.-R.
Olderog, editor, Programming Concepts, Methods and Calculi, volume A-56 of
IFIP Transactions, pages 307–326. IFIP, Elsevier Science B.V. (North–Holland),
1994.
[Mos96a] B. C. Moszkowski. Using temporal fixpoints to compositionally reason about
liveness. In He Jifeng, John Cooke, and Peter Wallis, editors, BCS-FACS 7th
Refinement Workshop, electronic Workshops in Computing, London, 1996. BCS-
FACS, Springer-Verlag and British Computer Society.
[Mos96b] Ben Moszkowski. The Programming Language Tempura. J. Symb. Comput.,
22(5-6):730–733, November 1996.
[Mos96c] Ben Moszkowski. Using temporal fixpoints to compositionally reason about
liveness. In He Jifeng, John Cooke, and Peter Wallis, editors, BCS-FACS 7th
7.4 Bibliography 169
Refinement Workshop, electronic Workshops in Computing, London, 1996. BCS-
FACS, Springer Verlag and British Computer Society. .
[Mos98] B. C. Moszkowski. Compositional Reasoning Using Interval Temporal Logic and
Tempura. Lecture Notes in Computer Science, 1536:439–464, 1998.
[Mos13] Ben Moszkowski. Interconnections between classes of sequentially compositional
temporal formulae. Information Processing Letters, 113(9):350 – 353, 2013.
[Mos14a] B. C. Moszkowski. Imperative reasoning in ITL (unpublished). 2014.
[Mos14b] Ben Moszkowski. Compositional reasoning using intervals and time reversal.
Annals of Mathematics and Artificial Intelligence, 71(1-3):175–250, 2014.
[MP87] Z. Manna and A. Pnueli. A hierarchy of temporal properties. In Proceedings
of the Sixth Annual ACM Symposium on Principles of Distributed Computing,
PODC ’87, pages 205–205, New York, NY, USA, 1987. ACM.
[MP92] Z. Manna and A. Pnueli. The Temporal Logic of Temporal and Reactive Systems:
Specification. Springer-Verlag, 1992.
[MP95] Z. Manna and A. Pnueli. Temporal Verification of Reactive Systems: Safety.
Springer-Verlag, 1995.
[oCM18] University of Cambridge and Technische Universita¨t Mu¨nchen. Isabelle. online:
https://isabelle.in.tum.de, 2018.
[OSV16] Martin Odersky, Lex Spoon, and Bill Venners. Programming in Scala. Artima
Inc, 3 edition, 2016.
[Pnu77] Amir Pnueli. The Temporal Logic of Programs. Foundations of Computer
Science, IEEE Annual Symposium on, 0:46–57, 1977.
[RH16] Giles Reger and Klaus Havelund. What is a trace? a runtime verification
perspective. In ISoLA 2016: Leveraging Applications of Formal Methods,
Verification and Validation: Discussion, Dissemination, Applications, Lecture
Notes in Computer Science, pages 339–355, 2016.
[sbt19] sbt. Simple Build Tool. online: https://www.scala-sbt.org/documentation.
html, 2019.
[Sca] Scala. Scala Parser Combinators. online: https://github.com/scala/
scala-parser-combinators.
[Sca17] Scala. The Scala Homepage. online: http://www.scala-lang.org/, 2017.
170 Appendix : Bibliography
[SCZ03a] Franc¸ois Siewe, Antonio Cau, and Hussein Zedan. A compositional framework for
access control policies enforcement. In Proceedings of the 2003 ACM Workshop
on Formal Methods in Security Engineering, FMSE ’03, pages 32–42, New York,
NY, USA, 2003. ACM. .
[SCZ03b] Monika Solanki, Antonio Cau, and Hussein Zedan. Introducing compositionality
in webservice descriptions. In Proceedings of the 3rd International Anwire
Workshop on Adaptable Service Provision. Springer Verlag, 2003. .
[Sie05] Franc¸ois Siewe. A Compositional Framework for the Development of Secure
Access Control Systems. PhD thesis, De Montfort University, 2005.
[Spi01] J. M. Spivey. Z Notation: A Reference Manual, 2001.
[Spi17] Spin. The Spin Homepage. online: http://spinroot.com/spin/whatispin.
html, 2017.
[STE+14] Gerhard Schellhorn, Bogdan Tofan, Gidon Ernst, Jo¨rg Pfa¨hler, and Wolfgang
Reif. RGITL: A temporal logic framework for compositional reasoning about
interleaved programs. Annals of Mathematics and Artificial Intelligence, 71(1-
3):131–174, 2014.
[Wol81] Pierre Wolper. Temporal logic can be more expressive. In Proceedings of the
22Nd Annual Symposium on Foundations of Computer Science, SFCS ’81, pages
340–348, Washington, DC, USA, 1981. IEEE Computer Society.
[Wya13] Derek Wyatt. Akka Concurrency. Artima Inc, 2013.
[YAH+16] Yoriyuki Yamagata, Cyrille Artho, Masami Hagiya, Jun Inoue, Lei Ma, Yoshinori
Tanabe, and Mitsuharu Yamamoto. Runtime monitoring for concurrent systems.
In 16th International Conference on Runtime Verification, RV 2016, volume
10012 of Lecture Notes in Computer Science, pages 386–403, 2016. QC 20170119.
[ZZC05] Shikun Zhou, Hussein Zedan, and Antonio Cau. Run-time Analysis of Time-
critical Systems. Journal of Systems Architecture, 51(5):331–345, 2005.
Appendices

Appendix A
API listings
A.1 ITL API
Listing A.1: ITL.scala
1 package runtime . ana l y s i s
2
3 object ITL {
4 import s c a l a . language . imp l i c i tConve r s i on s
5 import s c a l a . language . e x i s t e n t i a l s
6 import s c a l a . language . post f ixOps
7 import s c a l a . c o l l e c t i o n . immutable
8 import s c a l a . c o l l e c t i o n . immutable . ListMap
9 import s c a l a . c o l l e c t i o n . immutable . SortedMap
10
11 tra it Eq [T] {
12 def EQ(a : T, b : T) : Boolean
13 def NE(a : T, b : T) : Boolean = ! (EQ(a , b ) )
14 }
15
16 tra it Ord [T] extends Eq [T] {
17 def LE( a : T, b : T) : Boolean // minimal complete d e f i n i t i o n
18 def LT(a : T, b : T) : Boolean = LE(a , b) && NE(a , b)
19 def GE(a : T, b : T) : Boolean = LE(b , a )
20 def GT(a : T, b : T) : Boolean = LT(b , a )
21 }
22
23 tra it Num[T] {
24 def Add( a : T, b : T) : T
25 def Sub( a : T, b : T) : T
26 def Mul( a : T, b : T) : T
27 def Neg( a : T) : T
28 def Abs( a : T) : T
29 def Sgn ( a : T) : T
30 }
31
32 tra it I n t e g r a l [T] {
33 def Div ( a : T, b : T) : T
34 def Mod( a : T, b : T) : T
35 }
36
37 tra it Log i ca l [T] {
38 def Ltrue : T
39 def L f a l s e : T
40 def L i s t rue (b : T) : Boolean
41 def L i s f a l s e (b : T) : Boolean
42 def Lnot (b : T) : T = i f ( L i s t ru e (b ) ) L f a l s e else Ltrue
43 def Land( a : T, b : T) : T = i f ( L i s t ru e ( a ) && Li s t ru e (b ) ) Ltrue else L f a l s e
174 Appendix A: API listings
44 def Lor ( a : T, b : T) : T = Lnot (Land( Lnot ( a ) , Lnot (b ) ) )
45 def Limp( a : T, b : T) : T = Lor ( Lnot ( a ) , b)
46 def Leqv ( a : T, b : T) : T = Land(Limp(a , b ) , Limp(b , a ) )
47 def Lxor ( a : T, b : T) : T = Lnot ( Leqv (a , b ) )
48 def Lnand( a : T, b : T) : T = Lnot (Land(a , b ) )
49 def Lnor ( a : T, b : T) : T = Lnot ( Lor (a , b ) )
50 }
51
52 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
53 ∗ Imp l i c i t i n s t anc e s f o r Int
54 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
55
56 implicit object RelInt extends Eq [ Int ] with Ord [ Int ] {
57 override def EQ(a : Int , b : Int ) : Boolean = a==b
58 override def LE( a : Int , b : Int ) : Boolean = a<=b
59 }
60
61 implicit object NumInt extends Num[ Int ] {
62 def Add( a : Int , b : Int ) : Int = a+b
63 def Sub( a : Int , b : Int ) : Int = a−b
64 def Mul( a : Int , b : Int ) : Int = a∗b
65 def Neg( a : Int ) : Int = −a
66 def Abs( a : Int ) : Int = a . abs
67 def Sgn ( a : Int ) : Int = a . signum
68 }
69
70 implicit object I n t e g r a l I n t extends I n t e g r a l [ Int ] {
71 def Div ( a : Int , b : Int ) : Int = a/b
72 def Mod( a : Int , b : Int ) : Int = a%b
73 }
74
75 implicit object Log i c a l I n t extends Log i ca l [ Int ] {
76 def Ltrue : Int = 1
77 def L f a l s e : Int = 0
78 def L i s t rue (b : Int ) : Boolean = b !=0
79 def L i s f a l s e (b : Int ) : Boolean = b==0
80 }
81
82 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
83 ∗ Imp l i c i t i n s t anc e s f o r Long
84 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
85
86 implicit object RelLong extends Eq [ Long ] with Ord [ Long ] {
87 override def EQ(a : Long , b : Long ) : Boolean = a==b
88 override def LE( a : Long , b : Long ) : Boolean = a<=b
89 }
90
91 implicit object NumLong extends Num[ Long ] {
92 def Add( a : Long , b : Long ) : Long = a+b
93 def Sub( a : Long , b : Long ) : Long = a−b
94 def Mul( a : Long , b : Long ) : Long = a∗b
95 def Neg( a : Long ) : Long = −a
96 def Abs( a : Long ) : Long = a . abs
97 def Sgn ( a : Long ) : Long = a . signum
98 }
99
100 implicit object Integra lLong extends I n t e g r a l [ Long ] {
101 def Div ( a : Long , b : Long ) : Long = a/b
102 def Mod( a : Long , b : Long ) : Long = a%b
103 }
104
105 implicit object LogicalLong extends Log i ca l [ Long ] {
106 def Ltrue : Long = 1
107 def L f a l s e : Long = 0
108 def L i s t rue (b : Long ) : Boolean = b !=0
109 def L i s f a l s e (b : Long ) : Boolean = b==0
110 }
111
112 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
113 ∗ Imp l i c i t i n s t anc e s f o r Char
114 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
115
116 implicit object RelChar extends Eq [ Char ] with Ord [ Char ] {
117 override def EQ(a : Char , b : Char ) : Boolean = a==b
A.1 ITL API 175
118 override def LE( a : Char , b : Char ) : Boolean = a<=b
119 }
120
121 implicit object LogicalChar extends Log i ca l [ Char ] {
122 def Ltrue : Char = ’ T ’
123 def L f a l s e : Char = ’ F ’
124 def L i s t rue (b : Char ) : Boolean = b !=’ F ’
125 def L i s f a l s e (b : Char ) : Boolean = b==’ F ’
126 }
127
128 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
129 ∗ Imp l i c i t i n s t anc e s f o r Boolean
130 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
131
132 implicit object RelBoolean extends Eq [ Boolean ] with Ord [ Boolean ] {
133 override def EQ(a : Boolean , b : Boolean ) : Boolean = a==b
134 override def LE( a : Boolean , b : Boolean ) : Boolean = a<=b
135 }
136
137 implicit object Logica lBoolean extends Log i ca l [ Boolean ] {
138 def Ltrue : Boolean = true
139 def L f a l s e : Boolean = false
140 def L i s t rue (b : Boolean ) : Boolean = b
141 def L i s f a l s e (b : Boolean ) : Boolean = ! b
142 }
143
144 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
145 ∗ Imp l i c i t conve r s i ons
146 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
147
148 implicit def impl i c i t T To Val T [T] ( c : T) : Val [T] = Val ( c )
149 implicit def impl ic i t T To Const T [T] ( c : T) : Expr [T] = Const ( c )
150 implicit def implic itVar T ToExpr [T] ( v : Var [T ] ) : Expr [T] = Ref (v )
151 implicit def impl ic i tVal T To T [T] ( va : Val [T ] ) : T = va match { case Val ( a ) => a }
152 implicit def impl ic itVal T ToConst T [T] ( c : Val [T ] ) : Const [T] = Const ( c )
153
154 implicit def implicitExprBoolToFormula (x : Expr [ Boolean ] ) : Formula = Exp(x )
155 implicit def impl ic itBoolToFormula ( a : Boolean ) : Formula = Exp(Const ( a ) )
156 implicit def implicitVarBoolToFormula (v : Var [ Boolean ] ) : Formula = Exp( Ref (v ) )
157
158 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
159 ∗ Abstract Values and Var iab l e s
160 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
161
162 abstract tra it Value
163 abstract tra it Var iab le {
164 override def t oS t r i ng ( ) : S t r ing = this . g e tC la s s . getName
165 }
166
167 abstract class Var [T] extends Var iab le {
168 def <˜ (x : Expr [T] ) ( implicit o :Eq [T] ) = pta s s i gn ( this , x )
169 def <−− ( x : Expr [T] ) ( implicit o :Eq [T] ) = t a s s i gn ( this , x )
170 def := ( x : Expr [T] ) ( implicit o :Eq [T] ) = a s s i gn ( this , x )
171 def ge t s ( x : Expr [T] ) ( implicit o :Eq [T] ) = ITL . ge t s ( this , x )
172 }
173
174 case class Val [T] ( v : T) extends Value {
175 def value : T = v
176 override def t oS t r i ng ( ) : S t r ing = v . t oS t r ing ( )
177 }
178
179 type VarUpdate = (Var [T] ,T) forSome {type T}
180
181 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
182 ∗ I n t e r v a l s
183 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
184
185 type In t e rva lRepr e s en ta t i on = immutable .Map[ Variable , immutable .Map[ Int , Value ] ]
186
187 class I n t e r v a l {
188 val index : Int = −1
189 val sigma : In t e rva lRepr e s en ta t i on = new immutable . HashMap ( )
190
191 def f i r s t I n d e x : Int = 0
176 Appendix A: API listings
192 def l a s t Index : Int = index
193
194 def get [T] ( k : Int , v : Var [T ] ) : Option [ Val [T ] ]
195 = sigma . get (v ) match {
196 case None => None
197 case Some( t ra c e ) => ( k to 0 by −1). toStream . f i nd ( t ra c e . i sDef inedAt ( ) ) match {
198 case None => None
199 case Some( j ) => t r a c e . get ( j ) . as InstanceOf [ Option [ Val [T ] ] ]
200 }//match
201 }//match
202
203 def add ( updates : VarUpdate∗ ) : I n t e r v a l = this . add ( updates . t oL i s t )
204
205 def add ( updates : L i s t [ VarUpdate ] ) : I n t e r v a l = {
206 var s = sigma
207 val i = index+1
208 for ( ( v , a ) <− updates ) {
209 val newtr : immutable .Map[ Int , Value ] = s . get ( v ) match {
210 case None => new immutable . HashMap ( ) + ( ( i −> Val ( a ) ) )
211 case Some( o l d t r ) => o l d t r + ( ( i −> Val ( a ) ) )
212 }//match
213 s = s + ( ( v −> newtr ) )
214 }// f o r
215 MakeInterval ( s , i )
216 }
217
218 def f i n S t a t e : L i s t [ VarUpdate ] = {
219 def f i nVa l [T] ( v : Var [T ] ) : VarUpdate =
220 this . get ( la s t Index , v ) match {
221 case None => sys . e r r o r ( " f i n V a l no m a t c h ! " )
222 case Some(Val ( a ) ) => (v , a ) . as InstanceOf [ VarUpdate ]
223 }//match
224
225 def getFinVal (v : Var iab le ) : VarUpdate =
226 f inVa l ( v . as InstanceOf [ Var [T] forSome {type T} ] )
227
228 ( ( sigma . keys ) map getFinVal ) . t oL i s t
229 }// f i n S t a t e
230
231 def isEmpty ( ) : Boolean = index==0
232
233 def s l i c e [T] ( v : Var [T ] ) : S t r ing = {
234 v . t oS t r ing + " : " + ((0 to index ) .map{k => (k , this . get (k , v ) ) } ) . t oS t r ing
235 }
236
237 override def t oS t r i ng ( ) : S t r ing = {
238 def order (m: immutable .Map[ Int , Value ] ) = m. toSeq . sortWith ( . 1< . 1 )
239 val tau = sigma . mapValues (m => order (m) ) . toSeq . sortWith ( . 1 . t oS t r i ng < . 1 . t oS t r i ng )
240 tau . t oS t r ing
241 }
242 }// I n t e r v a l
243
244 case class MakeInterval ( s : In t e rva lRepre senta t i on , i : Int ) extends I n t e r v a l {
245 override val index : Int = i
246 override val sigma : In t e rva lRepr e s en ta t i on = s
247 }
248
249 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
250 ∗ Temporal Express ions , Values , Var iab les , and Formulae
251 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
252
253 abstract class Expr [T] {
254 def unary − ( implicit o :Num[T ] ) : Expr [T] = Unary ( o . Neg , this )
255 def abs ( implicit o :Num[T ] ) : Expr [T] = Unary ( o . Abs , this )
256 def sgn ( implicit o :Num[T ] ) : Expr [T] = Unary ( o . Sgn , this )
257 def ∗ ( that : Expr [T ] ) ( implicit o :Num[T ] ) : Expr [T] = Binary ( o .Mul , this , that )
258 def / ( that : Expr [T ] ) ( implicit o : I n t e g r a l [T ] ) : Expr [T] = Binary ( o . Div , this , that )
259 def % ( that : Expr [T] ) ( implicit o : I n t e g r a l [T ] ) : Expr [T] = Binary ( o .Mod, this , that )
260 def + ( that : Expr [T ] ) ( implicit o :Num[T ] ) : Expr [T] = Binary ( o .Add , this , that )
261 def − ( that : Expr [T ] ) ( implicit o :Num[T ] ) : Expr [T] = Binary ( o . Sub , this , that )
262 def ‘˜˜ ‘ ( that : Expr [T] ) ( implicit o :Eq [T ] ) : Formula = ITL . tempeq ( this , that )
263 def ‘=‘ ( that : Expr [T ] ) ( implicit o :Eq [T ] ) : Expr [ Boolean ] = Binary ( o .EQ, this , that )
264 def ‘/=‘ ( that : Expr [T ] ) ( implicit o :Eq [T ] ) : Expr [ Boolean ] = Binary ( o .NE, this , that )
265 def < ( that : Expr [T ] ) ( implicit o : Ord [T ] ) : Expr [ Boolean ] = Binary ( o .LT, this , that )
A.1 ITL API 177
266 def > ( that : Expr [T ] ) ( implicit o : Ord [T ] ) : Expr [ Boolean ] = Binary ( o .GT, this , that )
267 def <= ( that : Expr [T ] ) ( implicit o : Ord [T ] ) : Expr [ Boolean ] = Binary ( o .LE, this , that )
268 def >= ( that : Expr [T ] ) ( implicit o : Ord [T ] ) : Expr [ Boolean ] = Binary ( o .GE, this , that )
269 def unary ˜ ( implicit o : Log i ca l [T ] ) : Expr [T] = Unary ( o . Lnot , this )
270 def & ( that : Expr [T ] ) ( implicit o : Log i ca l [T ] ) : Expr [T] = Binary ( o . Land , this , that )
271 def &! ( that : Expr [T ] ) ( implicit o : Log i ca l [T ] ) : Expr [T] = Binary ( o . Lnand , this , that )
272 def | ( that : Expr [T ] ) ( implicit o : Log i ca l [T ] ) : Expr [T] = Binary ( o . Lor , this , that )
273 def | ! ( that : Expr [T] ) ( implicit o : Log i ca l [T ] ) : Expr [T] = Binary ( o . Lnor , this , that )
274 def |ˆ ( that : Expr [T ] ) ( implicit o : Log i ca l [T ] ) : Expr [T] = Binary ( o . Lxor , this , that )
275 def Imp l i e s ( that : Expr [T ] ) ( implicit o : Log i ca l [T ] ) : Expr [T] = Binary ( o . Limp , this , that )
276 def Equiv ( that : Expr [T ] ) ( implicit o : Log i ca l [T ] ) : Expr [T] = Binary ( o . Leqv , this , that )
277 def i n j e c t I n t o [U] ( f : Const [T] => Expr [U] ) ( implicit o :Eq [T] ) = With( this , f )
278 }//Expr
279
280 case class Const [T] ( c : T) extends Expr [T]
281 case class Ref [T] ( v : Var [T] ) extends Expr [T]
282 case class Unary [T,U] ( op : T=>U, x : Expr [T] ) extends Expr [U]
283 case class Binary [T,U,V] ( op : (T,U)=>V, x : Expr [T] , y : Expr [U] ) extends Expr [V]
284 case class With [T,U] ( x : Expr [T] , f : Const [T] => Expr [U] ) extends Expr [U]
285 case class Next [T] ( v : Var [T] ) extends Expr [T]
286 case class Fin [T] ( v : Var [T] ) extends Expr [T]
287 case class IntLen ( ) extends Expr [ Int ]
288
289 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
290 ∗ Express ion eva luat i on
291 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
292
293 def evalExpr [T] ( expr : Expr [T] , sigma : I n t e r v a l ) : Option [ Const [T ] ] =
294 evalExprFromTo ( expr , sigma , sigma . f i r s t I nd ex , sigma . l a s t Index )
295
296 def evalExprFromTo [T] ( expr : Expr [T] ,
297 sigma : In t e rva l , i : Int , j : Int ) : Option [ Const [T ] ] = {
298 expr match {
299 case Ref (v ) => sigma . get ( i , v ) match {
300 case Some(Val ( a ) ) => Some(Const ( a ) )
301 case None => None
302 }
303 case Const ( a ) => Some(Const ( a ) )
304 case Unary (op , x ) => evalExprFromTo (x , sigma , i , j ) match {
305 case None => None // s t r i c t !
306 case Some(Const ( a ) ) => Some(Const ( op ( a ) ) )
307 }
308 case Binary (op , x , y ) => evalExprFromTo (x , sigma , i , j ) match {
309 case None => None // s t r i c t !
310 case Some(Const ( a ) ) =>
311 evalExprFromTo (y , sigma , i , j ) match {
312 case None => None // s t r i c t !
313 case Some(Const (b ) ) => Some(Const ( op (a , b ) ) )
314 }
315 }
316 case With(x , f ) => evalExprFromTo (x , sigma , i , j ) match {
317 case None => None // s t r i c t !
318 case Some(k ) => evalExprFromTo ( f ( k ) , sigma , i , j )
319 }
320 case Next (v ) => i f ( ( i +1) > j )
321 None
322 else
323 sigma . get ( i +1, v ) match {
324 case Some(Val ( a ) ) => Some(Const ( a ) )
325 case None => None
326 }
327 case Fin (v ) => sigma . get ( j , v ) match {
328 case Some(Val ( a ) ) => Some(Const ( a ) )
329 case None => None
330 }
331 case IntLen ( ) => Some(Const ( j−i ) )
332 }//match
333 }//evalExprFromTo
334
335 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
336 ∗ Formulae
337 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
338
339 abstract class Formula {
178 Appendix A: API listings
340 def ‘ ; ‘ ( that : Formula ) = Chop( this , that )
341 def chopstar = Chopstar ( this )
342 def t imes (n : Int ) = Repeat (n , this ) // use f t imes 3 or f . t imes (3)
343 def and ( that : Formula ) = And( this , that )
344 def or ( that : Formula ) = Not (And( not ( this ) , not ( that ) ) )
345 def imp l i e s ( that : Formula ) = not ( this ) or that // does NOT have ITL p r i o r i t y / a s s o c i a t i v i t y
346 def equiv ( that : Formula ) = And( this imp l i e s that , that imp l i e s this )
347 def afb (w: Formula ) = ITL . afb ( this , w)
348 def f i x ed ( ) : Option [ Int ] = this match {
349 case Len (k ) => Some(k ) // f i x ed length
350 case And( f , g ) => f . f i x ed ( ) match {
351 case None => g . f i x ed ( )
352 case Some(k ) => Some(k )
353 }
354 case => None
355 }
356
357 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
358 ∗ Formula eva lua t i on
359 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
360
361 def evalFormulaFromTo [T] ( sigma : In t e rva l , i : Int , j : Int ) : Boolean = {
362 this match {
363 case Label ( s , f ) =>
364 f . evalFormulaFromTo ( sigma , i , j )
365
366 case Exp(x ) =>
367 evalExprFromTo (x , sigma , i , j ) match {
368 case None => fa l se
369 case Some(Const (b ) ) => b
370 }
371
372 case Not ( f ) =>
373 ! ( f . evalFormulaFromTo ( sigma , i , j ) )
374
375 case Fina l (w) =>
376 w. evalFormulaFromTo ( sigma , j , j )
377
378 case And( f , g ) =>
379 f . evalFormulaFromTo ( sigma , i , j ) && g . evalFormulaFromTo ( sigma , i , j )
380
381 case Len (n) =>
382 Exp( IntLen ( ) ‘=‘ Const (n ) ) . evalFormulaFromTo ( sigma , i , j )
383
384 case Chop( f , g ) => ( f . f i x ed ( ) , g . f i x ed ( ) ) match {
385 case (None , None ) => ( i to j ) . toStream .map(k =>
386 i f ( f . evalFormulaFromTo ( sigma , i , k ) )
387 g . evalFormulaFromTo ( sigma , k , j )
388 else
389 fa l se ) . conta ins ( true )
390 case (Some(m) ,None ) => ( i+m >= i && i+m <= j ) &&
391 f . evalFormulaFromTo ( sigma , i , i+m) &&
392 g . evalFormulaFromTo ( sigma , i+m, j )
393 case (None , Some(n ) ) => ( j−n >= i && j−n <= j ) &&
394 f . evalFormulaFromTo ( sigma , i , j−n) &&
395 g . evalFormulaFromTo ( sigma , j−n , j )
396 case (Some(m) , Some(n ) ) => ( i+m >= i && i+m <= j ) &&
397 ( i+m == j−n) &&
398 f . evalFormulaFromTo ( sigma , i , i+m) &&
399 g . evalFormulaFromTo ( sigma , i+m, j )
400 }
401
402 case Chopstar ( f ) => // ChopstarEqv |= f ∗ == ( empty \/ ( ( f /\ more ) ; f ∗ ) )
403 i f ( empty . evalFormulaFromTo ( sigma , i , j ) )
404 true
405 else // not empty imp l i e s more
406 Chop ( ( f and more ) , Chopstar ( f ) ) . evalFormulaFromTo ( sigma , i , j )
407
408 case Repeat (n , f ) =>
409 i f (n==0)
410 empty . evalFormulaFromTo ( sigma , i , j )
411 else
412 Chop( f , Repeat (n−1, f ) ) . evalFormulaFromTo ( sigma , i , j )
413
A.1 ITL API 179
414 case AllOf ( xs , f ) => ( ( xs map f ) . f o l dL e f t (TRUE) ( and ) ) . evalFormulaFromTo ( sigma , i , j )
415 case AnyOf( xs , f ) => ( ( xs map f ) . f o l dL e f t (FALSE) ( or ) ) . evalFormulaFromTo ( sigma , i , j )
416 }//match
417 }//evalFormulaFromTo
418
419 def evalFormula ( sigma : I n t e r v a l ) : Boolean =
420 this . evalFormulaFromTo ( sigma , sigma . f i r s t I nd ex , sigma . l a s t Index )
421 }//Formula
422
423 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
424 ∗ Derived formulae
425 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
426
427 case class Exp (x : Expr [ Boolean ] ) extends Formula
428 case class Not ( f : Formula ) extends Formula
429 case class Fina l ( f : Formula ) extends Formula
430 case class And ( f : Formula , g : Formula ) extends Formula
431 case class Len (n : Int ) extends Formula {
432 override def t oS t r i ng = " Len ( "+n+" ) "
433 }
434 case class Chop ( f1 : Formula , f 2 : Formula ) extends Formula
435 case class Chopstar ( f : Formula ) extends Formula
436 case class Repeat (n : Int , f : Formula ) extends Formula
437 case class AllOf [T] ( xs : L i s t [T] , f : T => Formula ) extends Formula
438 case class AnyOf [T] ( xs : L i s t [T] , f : T => Formula ) extends Formula
439 case class Label ( s : Str ing , f : Formula ) extends Formula {
440 override def t oS t r i ng = " F o r m u l a ( " + s + " ) "
441 }
442 def l a b e l ( s : Str ing , f : Formula ) = Label ( s , f )
443 def anyof [T] ( xs : L i s t [T] , f : T => Formula ) = AnyOf( xs , f )
444 def a l l o f [T] ( xs : L i s t [T] , f : T => Formula ) = AllOf ( xs , f )
445 val TRUE: Formula = Exp(Const ( true ) )
446 val FALSE: Formula = Exp(Const ( fa l se ) )
447 def l en (n : Int ) : Formula = Len (n)
448 val empty : Formula = Len (0)
449 val Empty : Formula = Len (0)
450 val sk ip : Formula = Len (1)
451 def chop ( f1 : Formula , f 2 : Formula ) : Formula = Chop( f1 , f 2 )
452 def repeat (n : Int , f : Formula ) : Formula = Repeat (n , f )
453 def not ( f : Formula ) : Formula = f match { case (Not ( g ) ) => g
454 case => Not ( f ) }
455 def next ( f : Formula ) : Formula = chop ( skip , f )
456 def s t rongnext ( f : Formula ) : Formula = next ( f )
457 def weaknext ( f : Formula ) : Formula = empty or st rongnext ( f )
458 val more : Formula = next (TRUE)
459 def eventua l l y ( f : Formula ) : Formula = chop (TRUE, f )
460 def always ( f : Formula ) : Formula = not ( eventua l l y ( not ( f ) ) )
461 def di ( f : Formula ) : Formula = chop ( f , TRUE)
462 def bi ( f : Formula ) : Formula = not ( d i ( not ( f ) ) )
463 def da ( f : Formula ) : Formula = chop ( chop (TRUE, f ) , TRUE)
464 def ba ( f : Formula ) : Formula = not ( da ( not ( f ) ) )
465 def bs ( f : Formula ) : Formula = empty or chop ( b i ( f ) , sk ip )
466 def ds ( f : Formula ) : Formula = not ( bs ( not ( f ) ) )
467 def bm( f : Formula ) : Formula = always (more imp l i e s f ) // from Ben M
468 def dm( f : Formula ) : Formula = eventua l l y (more and f ) // from Ben M
469 def f s t ( f : Formula ) : Formula = f and bs (Not ( f ) )
470 def f i n ( f : Formula ) : Formula = Fina l ( f )
471 def ha l t ( f : Formula ) : Formula = always ( empty equiv f )
472 def keep ( f : Formula ) : Formula = ba ( sk ip imp l i e s f )
473 def afb ( f : Formula ,
474 w: Formula ) : Formula = bi ( eventua l l y ( f ) imp l i e s f i n (w) ) // f afb g
475 def tempeq [T] ( x : Expr [T] , y : Expr [T] ) //x ‘˜˜ ‘ y
476 ( implicit o :Eq [T] ) = always (Exp( Binary ( o .EQ, x , y ) ) )
477 def t a s s i gn [T] ( v : Var [T] , x : Expr [T] ) // v <−− x
478 ( implicit o :Eq [T] ) = Exp( Binary ( o .EQ, x , Fin (v ) ) )
479 def a s s i gn [T] ( v : Var [T] , x : Expr [T] ) // v := x
480 ( implicit o :Eq [T] ) = Exp( Binary ( o .EQ, x , Next (v ) ) )
481 def ge t s [T] ( v : Var [T] , x : Expr [T] ) //v ge t s x
482 ( implicit o :Eq [T] ) = keep ( t a s s i gn (v , x ) )
483 def s t ab l e [T] ( v : Var [T] )
484 ( implicit o :Eq [T] ) = ge t s (v , Ref ( v ) )
485 def padded [T] ( v : Var [T] )
486 ( implicit o :Eq [T] ) = empty or chop ( s t ab l e (v ) , sk ip )
487 def pta s s i gn [T] ( v : Var [T] , x : Expr [T] ) // v <˜ x
180 Appendix A: API listings
488 ( implicit o :Eq [T] ) = t a s s i gn (v , x ) and padded (v )
489 def i fThenElse ( f : Formula ,
490 g : Formula ,
491 h : Formula ) : Formula = ( f and g ) or ( ( not ( f ) and h ) )
492 def i fThen ( f : Formula ,
493 g : Formula ) : Formula = i fThenElse ( f , g , empty )
494 def forDo (n : Int ,
495 f : Formula ) : Formula = f . t imes (n)
496 def whileDo ( f : Formula ,
497 g : Formula ) : Formula = ( f and g ) . chopstar and f i n ( not ( f ) )
498 def r epea tUnt i l ( f : Formula ,
499 g : Formula ) : Formula = chop ( f , whileDo ( not ( g ) , f ) )
500
501 }//ITL
A.2 Monitor API
Listing A.2: Monitor.scala
1 package runtime . ana l y s i s
2 /∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
3 object Monitor {
4 import s c a l a . language . imp l i c i tConve r s i on s
5 import s c a l a . language . post f ixOps
6 import s c a l a . concurrent . Await
7 import s c a l a . concurrent . durat ion .
8 import akka . ac tor .
9 import akka . event . Logging
10 import akka . u t i l . Timeout
11 import s c a l a . concurrent . Future
12 import akka . pattern . ask
13 import akka . ac tor . Status . Fa i l u r e
14 import runtime . ana l y s i s . ITL . // {Formula , Final , In t e rva l , VarUpdate}
15
16 implicit val timeout : Timeout = Timeout (600 seconds )
17
18 object Protoco l { /∗ Communication pro toco l between monitors and c l i e n t s ∗/
19
20 abstract class Request
21
22 case class Step ( updates : L i s t [ VarUpdate ] ) extends Request
23 case class Show( indent : Int ) extends Request
24
25 abstract class Reply { def isDone : Boolean = false
26 def isMore : Boolean = false
27 def i s F a i l : Boolean = false }
28
29 case object Fa i l extends Reply { override def i s F a i l : Boolean = true }
30 case object More extends Reply { override def isMore : Boolean = true }
31 case class Done( updates : L i s t [ VarUpdate ] ) extends Reply {
32 override def isDone : Boolean = true }
33
34 case object Tick // i n t e r n a l acknowledgement only
35 }// Protoco l
36
37 object Optimisat ionFlags {
38 class OpTy
39 case object ANY STATE extends OpTy
40 case object ALL STATES extends OpTy
41 case object ANY PREFIX extends OpTy
42 case object ALL PREFIXES extends OpTy
43 case object CHECKONCE extends OpTy
44 }//Opt imisat ionFlags
45
46 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
47 ∗ Abstract monitors l i n k to the c l i e n t and are expr e s s i on t r e e s .
48 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
49
A.2 Monitor API 181
50 object Abstr {
51 import Optimisat ionFlags .
52
53 class Monitor {
54 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
55 ∗ PUBLIC INTERFACE i n f i x binary opera to r s
56 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
57
58 def : : ( name : St r ing ) : Monitor = Name(name , this )
59 def UPTO( that : Monitor ) : Monitor = Upto ( this , that )
60 def THRU( that : Monitor ) : Monitor = Thru ( this , that )
61 def THEN( that : Monitor ) : Monitor = Then( this , that )
62 def AND( that : Monitor ) : Monitor = And( this , that )
63 def ITERATE( that : Monitor ) : I t e r a t e = I t e r a t e ( this , that )
64 def WITH( opt : OpTy, f : Formula ) : Monitor = With( this , opt , f )
65 def WITH( f : Formula ) : Monitor = With( this ,CHECKONCE, f )
66 def TIMES(k : Int ) : Monitor = i f ( k==0) EMPTY
67 else this THEN ( this TIMES (k−1))
68 def ALWAYS(w: Formula ) : Monitor = With( this ,ALL STATES,w)
69 def SOMETIME(w: Formula ) : Monitor = With( this ,ANY STATE,w)
70 def WITHIN( f : Formula ) : Monitor = With( this ,ALL PREFIXES ,
71 more imp l i e s ( not ( f ) ‘ ; ‘ sk ip ) )
72 // Expir imental
73
74 def INTERRUPT( i : Var [ Int ] , bs : L i s t [ Monitor ] ) : Monitor = {
75 val i n t e r r up t s : L i s t [ Monitor ] =
76 (EMPTY: : bs ) . zipWithIndex .map( t => GUARD( i ‘=‘ t . 2 ) THEN t . 1 )
77 this UPTO (FIRST( Fin ( i )>0)) THEN in t e r r up t s . r educeLe f t ( (m, n) => m.UPTO(n ) )
78 }
79 }//Abstr . Monitor
80
81 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
82 ∗ PUBLIC INTERFACE p r e f i x ope ra to r s
83 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
84
85 def FIRST( f : Formula ) = F i r s t (ANY PREFIX, f )
86 def LEN(k : Int ) = FIRST( l en (k ) )
87 def SKIP = LEN(1)
88 def EMPTY = FIRST( empty )
89 def FAIL = FIRST( fa l se ) WITHIN ( empty )
90 def HALT(w: Formula ) = F i r s t (ANY STATE, w)
91 def SKIPTO(w: Formula ) = SKIP THEN HALT(w)
92 def GUARD(w: Formula ) = EMPTY WITH (w)
93 def UNTIL (w1 : Formula , w2 : Formula ) = HALT(w2) WITH (bm(w1) )
94
95 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
96 ∗ Abstract monitor r ep r e s en t a t i on
97 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
98
99 case class Name (name : Str ing , a : Monitor ) extends Monitor
100 case class F i r s t ( opt : OpTy, f : Formula ) extends Monitor
101 case class Upto ( a : Monitor , b : Monitor ) extends Monitor
102 case class Thru ( a : Monitor , b : Monitor ) extends Monitor
103 case class Then ( a : Monitor , b : Monitor ) extends Monitor
104 case class And ( a : Monitor , b : Monitor ) extends Monitor
105 case class I t e r a t e ( a : Monitor , b : Monitor ) extends Monitor {
106 def PROJECT(p : Monitor ) = Pro jec t ( this . a , this . b , p)
107 }
108 case class Pro jec t ( a : Monitor , b : Monitor , p : Monitor ) extends Monitor
109 case class With ( a : Monitor , opt : OpTy, f : Formula ) extends Monitor
110 }//Abstr
111
112 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
113 ∗ Concrete monitors are Akka ac to r s . Each one i s an autonomous agent with i t s own
114 ∗ s t a t e sequence ( i n t e r v a l ) . A concre t e monitor r e a c t s to s t a t e updates . A cover
115 ∗ funct ion , step , i s provided in the API which enab le s the concre t e a c to r s to be
116 ∗ hidden from the ex t e rna l program . The user s upp l i e s an abs t rac t monitor to
117 ∗ API . Monitor which , in turn , c r e a t e s the under ly ing concre t e monitors on a
118 ∗ by−needs ba s i s . The use o f Akka ac to r s enab le s the concre t e monitors to be
119 ∗ d i s t r i bu t ed ac ro s s co r e s /nodes . Synchronous message alreadyPassed i s nece s sa ry
120 ∗ to maintain the i n t e r a c t i o n with the program being v e r i f i e d − i . e . the main
121 ∗ program needs to check the r e s u l t o f the l a s t s t a t e change be f o r e moving on .
122 ∗ ( Future work may be ab le to r e l ax t h i s − r e tu rn ing f u tu r e s f o r eg ) .
123 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
182 Appendix A: API listings
124
125 private object Concr {
126 import Protoco l .
127 import Optimisat ionFlags .
128
129 abstract class Monitor extends Actor with ActorLogging {
130 def indent ( i : Int ) : Int = i + 4
131 def tab ( i : Int ) { for ( <− 1 to i ) p r in t ( ’ ’ ) }
132
133 override def preStar t ( ) { l og . debug ( " \ n S t a r t i n g " + this ) }
134 override def postStop ( ) { l og . debug ( " \ n S t o p p i n g " + this ) }
135
136 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
137 ∗ zombie r ep r e s en t s the s t a t e o f a monitor that can only be stopped . The
138 ∗ stop message comes from a c a l l to context stop . . . thus sending an Akka stop
139 ∗ message . The zombie proce s s w i l l r e a c t to a Show message by s t a t i n g
140 ∗ that t h i s monitor has been c l o s ed down ( await ing stop ) and to any other
141 ∗ message − that i t should not r e c e i v e − by p r i n t i ng an alarm on the termina l .
142 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
143
144 def zombie : Receive = {
145 case Show( ) => l og . e r r o r ( " T r y i n g to S h o w a z o m b i e p r o c e s s " ) ; sender ! Tick
146 case msg => l og . e r r o r ( " z o m b i e m o n i t o r " + this + " r e c e i v e d " + msg ) ; sender ! Tick
147 }// zombie
148
149 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
150 ∗ rogue r ep r e s en t s the s t a t e o f a monitor that has r e c e i v ed a message that i s
151 ∗ out s ide the known pro toco l . The monitor does not know how to handle the
152 ∗ message and i t i s unsafe to r eac t to i t in any way . The monitor ing p ro toco l
153 ∗ has detected a s e r i o u s e r r o r and cannot cont inue . The rogue proce s s w i l l
154 ∗ r ea c t to a Show message by s t a t i n g that t h i s monitor has ”gone rogue ” and
155 ∗ to any other message by p r i n t i ng an alarm on the termina l . Need less to say ,
156 ∗ we don ’ t expect to get in to t h i s s tate , but i t w i l l he lp to l o c a t e a s e r i o u s
157 ∗ problem i f i t ever occurs .
158 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
159
160 def rogue : Receive = {
161 case Show( ) =>l og . e r r o r ( " T r y i n g to S h o w a r o g u e p r o c e s s " ) ; sender ! Tick
162 case msg => l og . e r r o r ( " r o g u e m o n i t o r " + this + " r e c e i v e d " + msg ) ; sender ! Tick
163 }// rogue
164 }//Concr . Monitor
165
166 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
167 ∗ Every abs t rac t monitor has a concre t e counterpart . The abs t ra c t monitors form
168 ∗ an expre s s i on t r e e and t h i s t r e e forms the s p e c i f i c a t i o n ( top l e v e l monitor )
169 ∗ that the c l i e n t prov ides . When an abs t rac t monitor i s c a l l e d upon then i t s
170 ∗ concre t e counterpart ( an actor ) has to be i n i t i a t e d . Note that subt r e e s ( i . e .
171 ∗ subord inate abs t rac t monitors ) are passed as parameters to the ac to r s and they
172 ∗ are , in turn , i n i t i a t e d on a by−needs ba s i s . I t i s not p o s s i b l e f o r an e n t i r e
173 ∗ abs t rac t expr e s s i on t r e e to be repre s ented as a c to r s i n i t i a l l y because the t r e e
174 ∗ ‘ evo lve s ’ over time ( i . e . the THEN operator ) so i t i s appropr ia te that the
175 ∗ f u tu r e eva lua t i on i s passed in abs t ra c t form ready to be i n t e rp r e t ed whenever
176 ∗ r equ i r ed .
177 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
178
179 def startUp (mu: Abstr . Monitor , context : ActorContext ) : ActorRef = mu match {
180 case Abstr .Name(n , Abstr .Name(m, a ) ) => startUp ( Abstr .Name(n+" :: "+m, a ) , context )
181 case Abstr .Name(n , a ) => startUp1 (n , a , context )
182 case => startUp1 ( " a n o n " , mu, context )
183 }// star tup
184
185 def startUp1 (name : Str ing , mu: Abstr . Monitor , context : ActorContext ) : ActorRef = mu match {
186 case Abstr . F i r s t ( o , f ) => context . actorOf ( Props ( c l a s sO f [ Concr . F i r s t ] , name , o , f ) )
187 case Abstr . Upto (a , b) => context . actorOf ( Props ( c l a s sO f [ Concr . Upto ] , name , a , b ) )
188 case Abstr . Thru (a , b) => context . actorOf ( Props ( c l a s sO f [ Concr . Thru ] , name , a , b ) )
189 case Abstr . Then(a , b) => context . actorOf ( Props ( c l a s sO f [ Concr . Then ] , name , a , b ) )
190 case Abstr .With (a , o , f ) => context . actorOf ( Props ( c l a s sO f [ Concr .With ] , name , a , o , f ) )
191 case Abstr .And(a , b) => context . actorOf ( Props ( c l a s sO f [ Concr .And ] , name , a , b ) )
192 case Abstr . I t e r a t e (a , b) => context . actorOf ( Props ( c l a s sO f [ Concr . I t e r a t e ] , name , a , b ) )
193 case Abstr . Pro j ec t ( a , b , p)=> context . actorOf ( Props ( c l a s sO f [ Concr . Pro j ec t ] , name , a , b , p ) )
194 }// star tup1
195
196 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
197 ∗ Monitor c l a s s : FIRST
A.2 Monitor API 183
198 ∗ This monitor c on t i nua l l y checks to see i f the formula i s s a t i s f i e d . As soon
199 ∗ as i t i s then t h i s i s the f i r s t occurrence o f an i n t e r v a l that s a t i s f i e s the
200 ∗ formula and DONE i s returned . For a l l the preced ing i n i t i a l s ub i n t e r v a l s the
201 ∗ monitor r e tu rns MORE ind i c a t i n g that more s t a t e s are r equ i r ed . This monitor
202 ∗ cannot FAIL because i t e i t h e r f i nd s the f i r s t i n i t a l s ub in t e r va l s a t i s f y i n g
203 ∗ the formula or i t keeps l ook ing . I t i s p o s s i b l e f o r t h i s monitor NOT to
204 ∗ terminate i f the formula i s never s a t i s f i e d . This monitor w i l l be shut down
205 ∗ by i t s parent .
206 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
207
208 case class F i r s t (name : Str ing , opt : OpTy, f : Formula ) extends Monitor {
209 // Extend the i n t e r v a l u n t i l the f i r s t time that sigma |= f
210
211 var sigma : I n t e r v a l = new I n t e r v a l // The i n t e r v a l so f a r
212
213 override def preStar t ( ) { l og . debug ( " \ n S t a r t i n g " + this ) }
214
215 override def r e c e i v e = {
216
217 case Show( i ) => tab ( i )
218 p r i n t l n ( " F I R S T ( " + f + " ) " + " s i g m a = " + sigma )
219 sender ! Tick
220
221 case Step (u) => opt match {
222 case ANY STATE => sigma = (new I n t e r v a l ) . add ( sigma . f i n S t a t e++u)
223 case ANY PREFIX => sigma = sigma . add (u)
224 }
225 i f ( f . evalFormula ( sigma ) ) {
226 F i r s t . update ( log , f , sigma . l a s t Index+1)
227 sender ! Done( sigma . f i n S t a t e )
228 context . become ( this . zombie )
229 }
230 else
231 sender ! More
232
233 case => sender ! Fa i l ;
234 log . e r r o r ( " U n k n o w n r e q u e s t - a c t o r : " + this . t oS t r i ng )
235 context . become ( this . rogue )
236 }// r e c e i v e
237 }// F i r s t
238
239 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
240 ∗ This companion ob j e c t maintains s t a t e common to a l l F i r s t occur r ence s ( l i k e s t a t i c
241 ∗ a t t r i b u t e s and methods in Java ) . Each time a f i r s t occurrence terminate s u c c e s s f u l l y
242 ∗ t h i s i s recorded along with the number o f s t a t e s in the ( sub ) i n t e r v a l so that average
243 ∗ i n t e r v a l l ength data can be accumulated an reported .
244 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
245
246 object F i r s t {
247 import s c a l a . math .
248 var t o tS t a t e s : Int = 0
249 var t o tF i r s t s : Int = 0
250 var minLen : Int = Int . MaxValue
251 var maxLen : Int = 0
252 var avgLen : Int = 0
253 def update ( log : akka . event . LoggingAdapter , f : Formula , numStates : Int ) {
254 t o tS t a t e s += numStates
255 t o tF i r s t s += 1
256 minLen = min( numStates , minLen )
257 maxLen = max( numStates , maxLen)
258 i f ( t o tF i r s t s > 0) avgLen = round ( t o tS t a t e s . toFloat / t o tF i r s t s . toFloat )
259 log . debug ( s " LOG FST D O N E $ t o t F i r s t s : t h i s i n t e r v a l has $ n u m S t a t e s s t a t e s : $ { f . t o S t r i n g } " )
260 log . debug ( s " LOG FST S T A T E S : AVG ( $ a v g L e n ) , TOT ( $ t o t S t a t e s ) , MIN ( $ m i n L e n ) , MAX ( $ m a x L e n ) " )
261 }//update
262 }// F i r s t
263
264 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
265 ∗ Monitor c l a s s : a WITH f
266 ∗ This monitor runs monitor a a l ong s id e checking f . However , depending upon the
267 ∗ supp l i ed opt im i sa t i on parameter var i ous op t im i sa t i on s may occur . This i n c l ude s
268 ∗ two ca s e s in which prev ious s t a t e s don ’ t need to be s to red e x p l i c i t l y . Some
269 ∗ formulae b en e f i t from being eva luated a l ong s id e monitor a whereas o the r s do
270 ∗ not . In the l a t t e r case the eva luat i on o f f takes p lace once when a has
271 ∗ completed . The ana l y s i s with f adapts f o r each o f the f o l l ow ing pat te rns :
184 Appendix A: API listings
272 ∗ (ALL STATES, w) ==> Only needs l a s t s t a t e . I f ˜w holds return FAIL
273 ∗ (ANY STATE, w) ==> Only needs l a s t s t a t e . I f w holds return PASS always
274 ∗ (ALL PREFIXES , f ) ==> Needs whole i n t e r v a l . I f ˜ f ho lds return FAIL
275 ∗ (ANY PREFIX, f ) ==> Needs whole i n t e r v a l . I f f ho lds return PASS always
276 ∗ (CHECKONCE, f ) ==> Needs whole i n t e r v a l . Only check f i f /when a i s DONE
277 ∗ Mathematical ly :
278 ∗ (ALL STATES, w) == sigma |= [ i ] ( f i n (w) ) or sigma |= [ ] w
279 ∗ (ANY STATE, w) == sigma |= <i> ( f i n (w) ) or sigma |= <> w
280 ∗ (ALL PREFIXES , f ) == sigma |= [ i ] f
281 ∗ (ANY PREFIX, f ) == sigma |= <i> f
282 ∗ (CHECKONCE, f ) == sigma |= f
283 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
284
285 case class With(name : Str ing , a : Abstr . Monitor , opt : OpTy, f : Formula ) extends Monitor {
286
287 var c : ActorRef = // c i s concre t e counterpart to a
288 var sigma : I n t e r v a l = new I n t e r v a l // The i n t e r v a l so f a r
289 var alreadyDone = false
290 var s i gmaSa t i s f i e sF = false
291
292 override def preStar t ( ) {
293 log . debug ( " \ n S t a r t i n g " + this )
294 c = Concr . startUp (a , context )
295 }
296
297 override def r e c e i v e = {
298
299 case Show( i ) => tab ( i )
300 p r i n t l n ( " W I T H " )
301 Await . r e s u l t ( ask ( c , Show( indent ( i ) ) ) , t imeout . durat ion )
302 sender ! Tick
303
304 case Step (u) => i f ( ! alreadyDone ) opt match {
305 case ALL STATES
306 | ANY STATE => sigma = (new I n t e r v a l ) . add ( sigma . f i n S t a t e++u)
307 case => sigma = sigma . add (u)
308 }//match
309 val c f = ask ( c , Step (u ) ) // copy new s t a t e to c
310 Await . r e s u l t ( cf , t imeout . durat ion ) . as InstanceOf [ Reply ] match {
311 case Done( s ) => i f ( alreadyDone | | f . evalFormula ( sigma ) ) {
312 sender ! Done ( s )
313 context stop c
314 context . become ( this . zombie )
315 }
316 else {
317 sender ! Fa i l
318 log . warning ( s " ( $ n a m e ) W I T H : RHS f a i l e d " )
319 context stop c
320 context . become ( this . zombie )
321 }
322
323 case More => opt match {
324 case ALL STATES
325 | ALL PREFIXES => i f ( f . evalFormula ( sigma ) )
326 sender ! More
327 else {
328 sender ! Fa i l
329 log . warning ( s " ( $ n a m e ) W I T H ( in ): P r e f i x v i o l a t i o n " )
330 context stop c
331 context . become ( this . zombie )
332 }
333 case ANY STATE
334 | ANY PREFIX => i f ( ! alreadyDone ) {
335 alreadyDone = f . evalFormula ( sigma )
336 sender ! More
337 }
338
339 case CHECKONCE => sender ! More
340 }//match
341
342 case Fa i l => sender ! Fa i l
343 log . warning ( s " ( $ n a m e ) W I T H : LHS f a i l e d " )
344 context stop c
345 context . become ( this . zombie )
A.2 Monitor API 185
346 }//match
347
348 case => sender ! Fa i l ;
349 log . e r r o r ( " U n k n o w n r e q u e s t - a c t o r : " + this . t oS t r i ng )
350 context . become ( this . rogue )
351 }// r e c e i v e
352 }//With
353
354
355 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
356 ∗ Monitor c l a s s : a UPTO b
357 ∗ Either a or b must be s a t i s f i e d . The length o f the i n t e r v a l consumed i s the
358 ∗ s h o r t e s t i n t e r v a l that s a t i s f i e s a or b ( or both ) .
359 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
360
361 case class Upto (name : Str ing , a : Abstr . Monitor , b : Abstr . Monitor ) extends Monitor {
362 var c : ActorRef = // c i s concre t e counterpart to a
363 var d : ActorRef = // d i s conc re t e counterpart to b
364
365 override def preStar t ( ) {
366 log . debug ( " \ n S t a r t i n g " + this )
367 c = Concr . startUp (a , context )
368 d = Concr . startUp (b , context )
369 }
370
371 override def r e c e i v e =
372 {
373 case Show( i ) => tab ( i )
374 p r i n t l n ( " U P T O " )
375 Await . r e s u l t ( ask ( c , Show( indent ( i ) ) ) , t imeout . durat ion )
376 Await . r e s u l t ( ask (d , Show( indent ( i ) ) ) , t imeout . durat ion )
377 sender ! Tick
378
379 case Step (u) =>
380 val c f = ask ( c , Step (u ) ) // copy new s t a t e to c
381 val df = ask (d , Step (u ) ) // copy new s t a t e to d
382 Await . r e s u l t ( cf , t imeout . durat ion ) . as InstanceOf [ Reply ]
383 match {
384 case Done( s )
385 => Await . r e s u l t ( df , t imeout . durat ion ) . as InstanceOf [ Reply ] // redundant ??? Why
386 sender ! Done( s )
387 context stop c
388 context stop d
389 context . become ( this . zombie )
390
391 case More
392 => Await . r e s u l t ( df , t imeout . durat ion ) . as InstanceOf [ Reply ]
393 match {
394 case Done( s ) => sender ! Done ( s )
395 context stop c
396 context stop d
397 context . become ( this . zombie )
398
399 case More => sender ! More
400
401 case Fa i l => sender ! More
402 log . warning ( s " ( $ n a m e ) U P T O : RHS f a i l e d " )
403 context stop d
404 context . become ( singleBranchC )
405 }
406
407 case Fa i l
408 => Await . r e s u l t ( df , t imeout . durat ion ) . as InstanceOf [ Reply ]
409 match {
410 case Done( s ) => sender ! Done ( s )
411 context stop c
412 context stop d
413 context . become ( this . zombie )
414
415 case More => sender ! More
416 context stop c
417 context . become ( singleBranchD )
418
419 case Fa i l => sender ! Fa i l
186 Appendix A: API listings
420 log . warning ( s " ( $ n a m e ) U P T O : LHS & RHS f a i l e d " )
421 context stop c
422 context stop d
423 context . become ( this . zombie )
424 }//match
425 }//match
426
427 case => sender ! Fa i l
428 log . e r r o r ( " U n k n o w n r e q u e s t - a c t o r : " + this . t oS t r i ng )
429 context . become ( this . rogue )
430 }// r e c e i v e
431
432 def s ingleBranchC : Receive = {
433 case Show( i ) => tab ( i )
434 p r i n t l n ( " UPTO - l " )
435 Await . r e s u l t ( ask ( c , Show( indent ( i ) ) ) , t imeout . durat ion )
436 sender ! Tick
437
438 case Step (u) =>
439 val c f = ask ( c , Step (u ) )
440 Await . r e s u l t ( cf , t imeout . durat ion ) . as InstanceOf [ Reply ]
441 match {
442 case Done( s ) => sender ! Done ( s )
443 context stop c
444 context . become ( this . zombie )
445
446 case More => sender ! More
447
448 case Fa i l => sender ! Fa i l
449 log . warning ( s " ( $ n a m e ) U P T O : LHS f a i l e d " )
450 context stop c
451 context . become ( this . zombie )
452 }//match
453
454 case => sender !
455 Fa i l ; l og . e r r o r ( " U n k n o w n r e q u e s t - a c t o r : " + this . t oS t r i ng )
456 context . become ( this . rogue )
457 }// singleBranchC
458
459 def singleBranchD : Receive = {
460 case Show( i ) => tab ( i )
461 p r i n t l n ( " UPTO - r " )
462 Await . r e s u l t ( ask (d , Show( indent ( i ) ) ) , t imeout . durat ion )
463 sender ! Tick
464
465 case Step (u) =>
466 val df = ask (d , Step (u ) )
467 Await . r e s u l t ( df , t imeout . durat ion ) . as InstanceOf [ Reply ]
468 match {
469 case Done( s ) => sender ! Done ( s )
470 context stop d
471 context . become ( this . zombie )
472
473 case More => sender ! More
474
475 case Fa i l => sender ! Fa i l
476 log . warning ( s " ( $ n a m e ) U P T O : RHS f a i l e d " )
477 context stop d
478 context . become ( this . zombie )
479 }//match
480
481 case => sender ! Fa i l ;
482 log . e r r o r ( " U n k n o w n r e q u e s t - a c t o r : " + this . t oS t r i ng )
483 context . become ( this . rogue )
484
485 }// singleBranchD
486 }//Upto
487
488 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
489 ∗ Monitor c l a s s : a THRU b
490 ∗ Both a and b must be s a t i s f i e d f o r some p r e f i x i n t e r v a l . The length o f the
491 ∗ i n t e r v a l consumed i s the sho r t e s t i n t e r v a l that conta in s both p r e f i x e s .
492 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
493
A.2 Monitor API 187
494 case class Thru (name : Str ing , a : Abstr . Monitor , b : Abstr . Monitor ) extends Monitor {
495 var c : ActorRef = // c i s concre t e counterpart to a
496 var d : ActorRef = // d i s conc re t e counterpart to b
497
498 override def preStar t ( ) {
499 log . debug ( " \ n S t a r t i n g " + this )
500 c = Concr . startUp (a , context )
501 d = Concr . startUp (b , context )
502 }
503
504 override def r e c e i v e = {
505 case Show( i ) => tab ( i )
506 p r i n t l n ( " T H R U " )
507 Await . r e s u l t ( ask ( c , Show( indent ( i ) ) ) , t imeout . durat ion )
508 Await . r e s u l t ( ask (d , Show( indent ( i ) ) ) , t imeout . durat ion )
509 sender ! Tick
510
511 case Step (u) =>
512 val c f = ask ( c , Step (u ) ) // copy new s t a t e to c
513 val df = ask (d , Step (u ) ) // copy new s t a t e to d
514 (Await . r e s u l t ( cf , t imeout . durat ion ) . as InstanceOf [ Reply ] ,
515 Await . r e s u l t ( df , t imeout . durat ion ) . as InstanceOf [ Reply ] )
516 match {
517 case (Done( s ) , Done ( ) ) => sender ! Done ( s )
518 context stop c
519 context stop d
520 context . become ( this . zombie )
521
522 case (More , More ) => sender ! More
523
524 case (More , Done ( ) ) => sender ! More
525 context stop d
526 context . become ( singleBranchC )
527
528 case (Done( ) , More ) => sender ! More
529 context stop c
530 context . become ( singleBranchD )
531
532 case ( Fai l , Fa i l ) => sender ! Fa i l
533 log . warning ( s " ( $ n a m e ) T H R U : LHS & RHS f a i l e d " )
534 context stop c
535 context stop d
536 context . become ( this . zombie )
537
538 case ( Fa i l , ) => sender ! Fa i l
539 log . warning ( s " ( $ n a m e ) T H R U : LHS f a i l e d " )
540 context stop c
541 context stop d
542 context . become ( this . zombie )
543
544 case ( , Fa i l ) => sender ! Fa i l
545 log . warning ( s " ( $ n a m e ) T H R U : RHS f a i l e d " )
546 context stop c
547 context stop d
548 context . become ( this . zombie )
549
550 case ( r1 , r2 ) => l og . e r r o r ( s " ( $ n a m e ) T H R U : u n e x p e c t e d ( $r1 , $r2 ) " )
551 }
552
553 case => sender ! Fa i l ;
554 log . e r r o r ( " U n k n o w n r e q u e s t - a c t o r : " + this . t oS t r i ng )
555 context . become ( this . rogue )
556 }// r e c e i v e
557
558 def s ingleBranchC : Receive =
559 {
560 case Show( i ) => tab ( i )
561 p r i n t l n ( " THRU - l " )
562 Await . r e s u l t ( ask ( c , Show( indent ( i ) ) ) , t imeout . durat ion )
563 sender ! Tick
564
565 case Step (u) =>
566 val c f = ask ( c , Step (u ) )
567 Await . r e s u l t ( cf , t imeout . durat ion ) . as InstanceOf [ Reply ]
188 Appendix A: API listings
568 match {
569 case Done( s ) => sender ! Done ( s )
570 context stop c
571 context . become ( this . zombie )
572
573 case More => sender ! More
574
575 case Fa i l => sender ! Fa i l
576 log . warning ( s " ( $ n a m e ) T H R U : LHS f a i l e d " )
577 context stop c
578 context . become ( this . zombie )
579 }//match
580
581 case => sender ! Fa i l ;
582 log . e r r o r ( " U n k n o w n r e q u e s t - a c t o r : " + this . t oS t r i ng )
583 context . become ( this . rogue )
584 }// singleBranchC
585
586 def singleBranchD : Receive = {
587 case Show( i ) => tab ( i )
588 p r i n t l n ( " THRU - r " )
589 Await . r e s u l t ( ask (d , Show( indent ( i ) ) ) , t imeout . durat ion )
590 sender ! Tick
591
592 case Step (u) =>
593 val df = ask (d , Step (u ) )
594 Await . r e s u l t ( df , t imeout . durat ion ) . as InstanceOf [ Reply ]
595 match {
596 case Done( s ) => sender ! Done ( s )
597 context stop d
598 context . become ( this . zombie )
599
600 case More => sender ! More
601
602 case Fa i l => sender ! Fa i l
603 log . warning ( s " ( $ n a m e ) T H R U : RHS f a i l e d " )
604 context stop d
605 context . become ( this . zombie )
606
607 }//match
608
609 case => sender ! Fa i l ;
610 log . e r r o r ( " U n k n o w n r e q u e s t - a c t o r : " + this . t oS t r i ng )
611 context . become ( this . rogue )
612 }// singleBranchD
613 }//Thru
614
615 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
616 ∗ Monitor c l a s s : a AND b
617 ∗ Both a and b must be s a t i s f i e d by the same i n t e r v a l .
618 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
619
620 case class And(name : Str ing , a : Abstr . Monitor , b : Abstr . Monitor ) extends Monitor {
621 var c : ActorRef = // c i s concre t e counterpart to a
622 var d : ActorRef = // d i s conc re t e counterpart to b
623
624 override def preStar t ( ) {
625 log . debug ( " \ n S t a r t i n g " + this )
626 c = Concr . startUp (a , context )
627 d = Concr . startUp (b , context )
628 }
629
630 override def r e c e i v e = {
631 case Show( i ) => tab ( i )
632 p r i n t l n ( " AND " )
633 Await . r e s u l t ( ask ( c , Show( indent ( i ) ) ) , t imeout . durat ion )
634 Await . r e s u l t ( ask (d , Show( indent ( i ) ) ) , t imeout . durat ion )
635 sender ! Tick
636
637 case Step (u) =>
638 val c f = ask ( c , Step (u ) ) // copy new s t a t e to c
639 val df = ask (d , Step (u ) ) // copy new s t a t e to d
640 (Await . r e s u l t ( cf , t imeout . durat ion ) . as InstanceOf [ Reply ] ,
641 Await . r e s u l t ( df , t imeout . durat ion ) . as InstanceOf [ Reply ] )
A.2 Monitor API 189
642 match {
643 case (Done( s ) ,
644 Done( ) ) => sender ! Done ( s )
645 context stop c
646 context stop d
647 context . become ( this . zombie )
648
649 case (More ,
650 More ) => sender ! More
651
652 case (More ,
653 Done( ) ) => sender ! Fa i l
654 log . warning ( s " ( $ n a m e ) AND : RHS p r e m a t u r e " )
655 context stop c
656 context stop d
657 context . become ( this . zombie )
658
659 case (Done( ) ,
660 More ) => sender ! Fa i l
661 log . warning ( s " ( $ n a m e ) AND : LHS p r e m a t u r e " )
662 context stop c
663 context stop d
664 context . become ( this . zombie )
665
666 case ( r1 ,
667 r2 ) => sender ! Fa i l
668 ( r1 , r2 ) match {
669 case ( Fai l , Fa i l ) => l og . warning ( s " ( $ n a m e ) AND : LHS & RHS f a i l e d " )
670 case ( Fai l , ) => l og . warning ( s " ( $ n a m e ) AND : LHS f a i l e d " )
671 case ( , Fa i l ) => l og . warning ( s " ( $ n a m e ) AND : RHS f a i l e d " )
672 case ( , ) => l og . e r r o r ( s " ( $ n a m e ) AND : u n e x p e c t e d ( $r1 , $r2 ) " )
673 }
674 context stop c
675 context stop d
676 context . become ( this . zombie )
677 }//match
678
679 case => sender ! Fa i l ;
680 log . e r r o r ( " U n k n o w n r e q u e s t - a c t o r : " + this . t oS t r i ng )
681 context . become ( this . rogue )
682 }// r e c e i v e
683 }//And
684
685 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
686 ∗ Monitor c l a s s : a THEN b
687 ∗ Once a i s s a t i s f i e d con t r o l immediately sw i t ches to b . The shared s t a t e must
688 ∗ be checked ( end o f a , s t a r t o f b) when the change over occurs .
689 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
690
691 case class Then(name : Str ing , a : Abstr . Monitor , b : Abstr . Monitor ) extends Monitor {
692 var c : ActorRef = // c i s concre t e counterpart to a ( i n i t i a l l y ) − i t may
693 // become the concre t e counterpart to b ( l a t e r )
694
695 override def preStar t ( ) {
696 log . debug ( " \ n S t a r t i n g " + this )
697 c = Concr . startUp (a , context )
698 }
699
700 override def r e c e i v e = {
701 case Show( i ) => tab ( i )
702 p r i n t l n ( " T H E N " )
703 Await . r e s u l t ( ask ( c , Show( indent ( i ) ) ) , t imeout . durat ion )
704 sender ! Tick
705
706 case Step (u) =>
707 val c f = ask ( c , Step (u ) ) // copy new s t a t e to c
708 Await . r e s u l t ( cf , t imeout . durat ion ) . as InstanceOf [ Reply ]
709 match {
710 case Fa i l => sender ! Fa i l
711 log . warning ( s " ( $ n a m e ) T H E N : LHS f a i l e d " )
712 context stop c
713 context . become ( this . zombie )
714
715 case More => sender ! More
190 Appendix A: API listings
716
717 case Done( s ) => context stop c
718 c = Concr . startUp (b , context ) // r ep l a c e c with concr (b)
719 val c f = ask ( c , Step ( s ) ) // copy shared s t a t e to c
720 Await . r e s u l t ( cf , t imeout . durat ion ) . as InstanceOf [ Reply ]
721 match {
722 case Done( s ) => sender ! Done ( s )
723 context stop c
724 context . become ( this . zombie )
725
726 case More => sender ! More
727 context . become ( r e c e i v e 2 )
728
729 case Fa i l => sender ! Fa i l
730 log . warning ( s " ( $ n a m e ) T H E N : RHS f a i l e d in 1 st s t a t e " )
731 context stop c
732 context . become ( this . zombie )
733 }//match
734 }//match
735
736 case => sender ! Fa i l ;
737 log . e r r o r ( " U n k n o w n r e q u e s t - a c t o r : " + this . t oS t r i ng )
738 context . become ( this . rogue )
739 }// r e c e i v e
740
741 def r e c e i v e 2 : Receive = {
742 case Show( i ) => tab ( i )
743 p r i n t l n ( " T H E N 2 " )
744 Await . r e s u l t ( ask ( c , Show( indent ( i ) ) ) , t imeout . durat ion )
745 sender ! Tick
746
747 case Step (u) => val c f = ask ( c , Step (u ) ) // copy new s t a t e to c
748 Await . r e s u l t ( cf , t imeout . durat ion ) . as InstanceOf [ Reply ]
749 match {
750 case Done( s ) => sender ! Done ( s )
751 context stop c
752 context . become ( this . zombie )
753
754 case More => sender ! More
755
756 case Fa i l => sender ! Fa i l
757 log . warning ( s " ( $ n a m e ) T H E N : RHS f a i l e d " )
758 context stop c
759 context . become ( this . zombie )
760 }//match
761
762 case => sender ! Fa i l ;
763 log . e r r o r ( " U n k n o w n r e q u e s t - a c t o r : " + this . t oS t r i ng )
764 context . become ( this . rogue )
765 }// r e c e i v e 2
766 }//Then
767
768 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
769 ∗ Monitor c l a s s : a ITERATE b
770 ∗ Performs a WITH (M(b ) ) ∗ . However , both a and b are executed as monitors .
771 ∗ When a i s done then b must a l s o be done − i . e . a f i n i t e number o f i t e r a t i o n s
772 ∗ o f b must a l i g n with a .
773 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
774
775 case class I t e r a t e (name : Str ing , a : Abstr . Monitor , b : Abstr . Monitor ) extends Monitor {
776 var c : ActorRef = // c i s concre t e counterpart to a
777 var d : ActorRef = // d i s conc re t e counterpart to b
778
779 override def preStar t ( ) {
780 log . debug ( " \ n S t a r t i n g " + this )
781 c = Concr . startUp (a , context )
782 d = Concr . startUp (b , context )
783 }
784
785 override def r e c e i v e = {
786 case Show( i ) => tab ( i )
787 p r i n t l n ( " I T E R A T E " )
788 Await . r e s u l t ( ask ( c , Show( indent ( i ) ) ) , t imeout . durat ion )
789 Await . r e s u l t ( ask (d , Show( indent ( i ) ) ) , t imeout . durat ion )
A.2 Monitor API 191
790 sender ! Tick
791
792 case Step (u) =>
793 val c f = ask ( c , Step (u ) ) // copy new s t a t e to c
794 val df = ask (d , Step (u ) ) // copy new s t a t e to d
795 (Await . r e s u l t ( cf , t imeout . durat ion ) . as InstanceOf [ Reply ] ,
796 Await . r e s u l t ( df , t imeout . durat ion ) . as InstanceOf [ Reply ] )
797 match {
798 case (Done( s ) ,
799 Done( ) ) => sender ! Done ( s )
800 context stop c
801 context stop d
802 context . become ( this . zombie )
803
804 case (Done( s ) ,
805 More ) => sender ! Fa i l
806 // e r r o r because a i s the c o n t r o l l i n g monitor
807 log . warning ( s " ( $ n a m e ) I T E R A T E : LHS p r e m a t u r e " )
808 context stop c
809 context stop d
810 context . become ( this . zombie )
811
812 case (More ,
813 Done( s ) ) => // send b round again . . .
814 context stop d
815 d = Concr . startUp (b , context )
816 val df = ask (d , Step ( s ) ) // copy shared s t a t e to d
817 Await . r e s u l t ( df , t imeout . durat ion ) . as InstanceOf [ Reply ]
818 match {
819 case Done( ) => // No fu r th e r p rog r e s s can be made
820 // with b , but a hasn ’ t f i n i sh ed , so
821 sender ! Fa i l
822 log . warning ( s " ( $ n a m e ) I T E R A T E : RHS e m p t y l o o p " )
823 context stop c
824 context stop d
825 context . become ( this . zombie )
826
827 case More => sender ! More
828
829 case Fa i l => sender ! Fa i l
830 log . warning ( s " ( $ n a m e ) I T E R A T E : RHS f a i l e d " )
831 context stop c
832 context stop d
833 context . become ( this . zombie )
834 }//match
835
836 case (More ,
837 More ) => sender ! More
838
839 case ( r1 ,
840 r2 ) => sender ! Fa i l
841 ( r1 , r2 ) match {
842 case ( Fai l , Fa i l ) => l og . warning ( s " ( $ n a m e ) I T E R A T E : LHS & RHS f a i l e d " )
843 case ( Fai l , ) => l og . warning ( s " ( $ n a m e ) I T E R A T E : LHS f a i l e d " )
844 case ( , Fa i l ) => l og . warning ( s " ( $ n a m e ) I T E R A T E : RHS f a i l e d " )
845 case ( ,
) => l og . e r r o r ( s " ( $ n a m e ) I T E R A T E : u n e x p e c t e d ( $r1 , $r2 ) " )
846 }
847 context stop c
848 context stop d
849 context . become ( this . zombie )
850 }//match
851
852 case => sender ! Fa i l ;
853 log . e r r o r ( " U n k n o w n r e q u e s t - a c t o r : " + this . t oS t r i ng )
854 context . become ( this . rogue )
855 }// r e c e i v e
856 }// I t e r a t e
857
858 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
859 ∗ Monitor c l a s s : a ITERATE b PROJ c
860 ∗ Performs a WITH (M(b ) ) ∗ . However , both a and b are executed as monitors .
861 ∗ When a i s done then b must a l s o be done − i . e . a f i n i t e number o f i t e r a t i o n s
862 ∗ o f b must a l i g n with a .
192 Appendix A: API listings
863 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
864
865 case class Pro jec t (name : Str ing , a : Abstr . Monitor , b : Abstr . Monitor , p : Abstr . Monitor )
866 extends Monitor {
867 var c : ActorRef = // c i s concre t e counterpart to a
868 var d : ActorRef = // d i s conc re t e counterpart to b
869 var q : ActorRef = // q i s concre t e counterpart to p
870
871 override def preStar t ( ) {
872 log . debug ( " \ n S t a r t i n g " + this )
873 c = Concr . startUp (a , context )
874 d = Concr . startUp (b , context )
875 q = Concr . startUp (p , context )
876 }
877
878 override def r e c e i v e = {
879 case Show( i ) => tab ( i )
880 p r i n t l n ( " P R O J E C T " )
881 Await . r e s u l t ( ask ( c , Show( indent ( i ) ) ) , t imeout . durat ion )
882 Await . r e s u l t ( ask (d , Show( indent ( i ) ) ) , t imeout . durat ion )
883 Await . r e s u l t ( ask (q , Show( indent ( i ) ) ) , t imeout . durat ion )
884 sender ! Tick
885
886 case Step (u) =>
887 val c f = ask ( c , Step (u ) ) // copy new s t a t e to c
888 val df = ask (d , Step (u ) ) // copy new s t a t e to d
889 val qf = ask (q , Step (u ) ) // copy new s t a t e to d
890 (Await . r e s u l t ( cf , t imeout . durat ion ) . as InstanceOf [ Reply ] ,
891 Await . r e s u l t ( df , t imeout . durat ion ) . as InstanceOf [ Reply ] ,
892 Await . r e s u l t ( qf , t imeout . durat ion ) . as InstanceOf [ Reply ] )
893 match {
894 case (Done( s ) ,
895 Done( ) ,
896 Done( ) ) => // Al l three monitors are s a t i s f i e d by the f i r s t s t a t e
897 sender ! Done ( s )
898 context stop c
899 context stop d
900 context stop q
901 context . become ( this . zombie )
902 case (More ,
903 More ,
904 More ) => // Al l three monitors need to cont inue
905 sender ! More
906 context . become ( r e c e i v e 2 )
907
908 case ( r1 ,
909 r2 ,
910 r3 ) => sender ! Fa i l
911 ( r1 , r2 , r3 ) match {
912 case ( Fai l , Fai l , Fa i l ) => l og . warning ( s " ( $ n a m e ) P R O J E C T : 1 st s t a t e all f a i l e d " )
913 case ( Fai l , Fai l ,
) => l og . warning ( s " ( $ n a m e ) P R O J E C T : 1 st s t a t e 1&2 f a i l e d " )
914 case ( Fai l , ,
Fa i l ) => l og . warning ( s " ( $ n a m e ) P R O J E C T : 1 st s t a t e 1&3 f a i l e d " )
915 case ( ,
Fai l , Fa i l ) => l og . warning ( s " ( $ n a m e ) P R O J E C T : 1 st s t a t e 2&3 f a i l e d " )
916 case ( Fai l , ,
) => l og . warning ( s " ( $ n a m e ) P R O J E C T : 1 st s t a t e 1 f a i l e d " )
917 case ( , Fai l ,
) => l og . warning ( s " ( $ n a m e ) P R O J E C T : 1 st s t a t e 2 f a i l e d " )
918 case ( , ,
Fa i l ) => l og . warning ( s " ( $ n a m e ) P R O J E C T : 1 st s t a t e 3 f a i l e d " )
919 case ( , ,
) => l og . e r r o r ( s " ( $ n a m e ) P R O J E C T : u n e x p e c t e d ( $r1 , $r2 , $r3 ) " )
920 }
921 context stop c
922 context stop d
923 context stop q
924 context . become ( this . zombie )
925 }//match
926
927 case => sender ! Fa i l ;
928 log . e r r o r ( " U n k n o w n r e q u e s t - a c t o r : " + this . t oS t r i ng )
929 context . become ( this . rogue )
A.2 Monitor API 193
930 }// r e c e i v e
931
932 def r e c e i v e 2 : Receive = {
933 case Show( i ) => tab ( i )
934 p r i n t l n ( " P R O J E C T " )
935 Await . r e s u l t ( ask ( c , Show( indent ( i ) ) ) , t imeout . durat ion )
936 Await . r e s u l t ( ask (d , Show( indent ( i ) ) ) , t imeout . durat ion )
937 Await . r e s u l t ( ask (q , Show( indent ( i ) ) ) , t imeout . durat ion )
938 sender ! Tick
939
940 case Step (u) =>
941 val c f = ask ( c , Step (u ) ) // copy new s t a t e to c
942 val df = ask (d , Step (u ) ) // copy new s t a t e to d
943 (Await . r e s u l t ( cf , t imeout . durat ion ) . as InstanceOf [ Reply ] ,
944 Await . r e s u l t ( df , t imeout . durat ion ) . as InstanceOf [ Reply ] )
945 match {
946 case (Done( s ) ,
947 Done( ) ) => val qf = ask (q , Step ( s ) ) // send s to p r o j e c t i on
948 Await . r e s u l t ( qf , t imeout . durat ion ) . as InstanceOf [ Reply ]
949 match {
950 case Done( ) => sender ! Done ( s )
951 case More => sender ! Fa i l
952 log . warning ( s " ( $ n a m e ) P R O J E C T : 1&2 p r e m a t u r e " )
953 case Fa i l => sender ! Fa i l
954 log . warning ( s " ( $ n a m e ) P R O J E C T : 1 p r e m a t u r e ; 2 f a i l e d " )
955 }//match
956 context stop c
957 context stop d
958 context stop q
959 context . become ( this . zombie )
960
961 case (Done( s ) ,
962 More ) => sender ! Fa i l
963 log . warning ( s " ( $ n a m e ) P R O J E C T : 1 p r e m a t u r e " )
964 context stop c
965 context stop d
966 context stop q
967 context . become ( this . zombie )
968
969 case (More ,
970 Done( s ) ) => // send b round again . . .
971 context stop d
972 d = Concr . startUp (b , context )
973 val df = ask (d , Step ( s ) ) // copy shared s t a t e to d
974 Await . r e s u l t ( df , t imeout . durat ion ) . as InstanceOf [ Reply ]
975 match {
976 case Done( ) => // No fu r th e r p rog r e s s can be made
977 // with b , but a hasn ’ t f i n i sh ed , so
978 sender ! Fa i l
979 log . warning ( s " ( $ n a m e ) P R O J E C T : 2 e m p t y l o o p " )
980 context stop c
981 context stop d
982 context stop q
983 context . become ( this . zombie )
984
985 case More => // Send s to p r o j e c t i on
986 val qf = ask (q , Step ( s ) )
987 Await . r e s u l t ( qf , t imeout . durat ion ) . as InstanceOf [ Reply ]
988 match {
989 case More => sender ! More
990 case Done( ) => sender ! Fa i l
991 log . warning ( s " ( $ n a m e ) P R O J E C T : 3 p r e m a t u r e " )
992 context stop c
993 context stop d
994 context stop q
995 context . become ( this . zombie )
996 case Fa i l => sender ! Fa i l
997 log . warning ( s " ( $ n a m e ) P R O J E C T : 3 f a i l e d " )
998 context stop c
999 context stop d
1000 context stop q
1001 context . become ( this . zombie )
1002 }//match
1003
194 Appendix A: API listings
1004 case Fa i l => sender ! Fa i l
1005 log . warning ( s " ( $ n a m e ) P R O J E C T : 2 f a i l e d " )
1006 context stop c
1007 context stop d
1008 context stop q
1009 context . become ( this . zombie )
1010 }//match
1011
1012 case (More ,
1013 More ) => sender ! More
1014
1015 case ( r1 , r2 ) => sender ! Fa i l
1016 ( r1 , r2 ) match {
1017 case ( Fai l , Fa i l ) => l og . warning ( s " ( $ n a m e ) P R O J E C T : 1&2 f a i l e d " )
1018 case ( Fai l , ) => l og . warning ( s " ( $ n a m e ) P R O J E C T : 1 f a i l e d " )
1019 case ( , Fa i l ) => l og . warning ( s " ( $ n a m e ) P R O J E C T : 2 f a i l e d " )
1020 case ( ,
) => l og . e r r o r ( s " ( $ n a m e ) P R O J E C T : u n e x p e c t e d ( $r1 , $r2 ) " )
1021 }//match
1022 context stop c
1023 context stop d
1024 context stop q
1025 context . become ( this . zombie )
1026 }//match
1027
1028 case => sender ! Fa i l ;
1029 log . e r r o r ( " U n k n o w n r e q u e s t - a c t o r : " + this . t oS t r i ng )
1030 context . become ( this . rogue )
1031 }// r e c e i v e 2
1032 }// Pro j ec t
1033
1034 }//Concr
1035
1036 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1037 ∗ Object Runtime encapsu la t e s the runtime monitor ing d e f i n i t i o n s that are exported f o r pub l i c
1038 ∗ use . I t imports and re−exports everyth ing in Protoco l . which makes the e r r o r messages and
1039 ∗ other r e l a t ed r epo r t i ng ob j e c t s v i s i b l e . The key c l a s s that t h i s i n t e r f a c e export s i s RTM.
1040 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1041
1042 object Runtime {
1043 import s c a l a . c o l l e c t i o n . immutable
1044 import s c a l a . c o l l e c t i o n . immutable .Map
1045 import Protoco l .
1046 // va l system = ActorSystem (”MonitorSystem ”) // An Akka Actor system with a name
1047 // de f s topAl lMonitors = system . shutdown // Shut down the Actor system when done
1048
1049 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1050 ∗ RTMActor . This p r i va t e actor implements the ac tua l runtime monitor . . . sending updated
1051 ∗ s t a t e s to , and r e c e i v i n g r e p l i e s from , the concre t e monitor t r e e . A pub l i c i n t e r f a c e to
1052 ∗ i t i s provided by the RTM c l a s s − below .
1053 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1054
1055 private case class RTMActor( a : Abstr . Monitor ) extends Actor with ActorLogging {
1056 var c : ActorRef = // c i s concre t e counterpart to a
1057
1058 override def preStar t ( ) {
1059 log . debug ( " R u n n i n g " + this + " : a n a l y s i n g a b s t r a c t m o n i t o r " )
1060 c = Concr . startUp (a , context )
1061 }
1062
1063 override def postStop ( ) {
1064 log . debug ( " S t o p p i n g " + this )
1065 }
1066
1067 override def r e c e i v e = {
1068 case rq s t => sender ! ask ( c , r q s t )
1069 }
1070 }//RTMActor
1071
1072 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1073 ∗ RTM: The mutable monitored s t a t e takes r e s p o n s i b i l i t y f o r managing the i n t e r n a l ac tor
1074 ∗ system as s o c i a t ed with the abs t rac t monitor . The c l i e n t simply has to de f i n e t h e i r
1075 ∗ abs t rac t s p e c i f i c a t i o n , spec , and pass i t to an in s tance o f RTM. For example :
1076 ∗
A.2 Monitor API 195
1077 ∗ va l spec : Abstract . Monitor = . . .
1078 ∗ va l mu = RTM( spec , ” Simulat ion ”)
1079 ∗
1080 ∗ Once the monitor ing i s complete the c l i e n t should c a l l :
1081 ∗ mu. stop
1082 ∗
1083 ∗ External c l i e n t s can use the MonitoredState . . . f o r example :
1084 ∗ ob j e c t I extends Var [ Int ] { ove r r i d e de f t oS t r ing = ” I ” }
1085 ∗ ob j e c t J extends Var [ Int ] { ove r r i d e de f t oS t r ing = ”J” }
1086 ∗ mu. s e t ( I , i )
1087 ∗ mu. s e t (J , mu. get ( I )+1)
1088 ∗ mu. v e r i f y
1089 ∗ mu. checkWhile { . . . s tatements . . . }
1090 ∗
1091 ∗ Known i s s u e : The s t a t e i s not f u l l y s p e c i f i e d . The va r i a b l e s are , o f course , typed s i n c e
1092 ∗ they extend Var [T] , but there i s not a way , cur rent ly , o f d e c l a r i n g the names and types
1093 ∗ o f a l l the v a r i a b l e s in the s t a t e . The s t a t e i s s imply a c o l l e c t i o n o f (Var [T] ,T) )
1094 ∗ forSome { type T} pa i r s . This uses e x i s t e n t i a l types .
1095 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1096 case class RTM(a : Abstr . Monitor , name : Str ing , system : ActorSystem ) {
1097 private val m: ActorRef = system . actorOf ( Props ( c l a s sO f [RTMActor ] , a ) , name)
1098 private var s t o r e : immutable .Map[ Variable , Value ] = new immutable . HashMap ( )
1099 private var s t a t e : Int = 0
1100 private var updates : L i s t [ VarUpdate ] = L i s t ( )
1101 private var r ep ly : Reply = Done( L i s t ( ) )
1102 private var printEachCheckPoint : Boolean = false
1103 private var logEachCheckPoint : Boolean = false
1104 private var stopped : Boolean = false
1105 private val l o ck : Object = new Object
1106 private var t imer : Long = 0
1107 private val l og = Logging . getLogger ( system , this )
1108 private var except ion : RTM. RTVException = new RTM. RTVException ( f " F a i l u r e $ n a m e " )
1109
1110 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1111 ∗ Methods to manage the s t o r e / s t a t e
1112 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1113
1114 def s e t [T] ( v : Var [T] , a : T) : RTM = l o ck . synchronized {
1115 s t o r e = s t o r e + ( ( v −> Val ( a ) ) )
1116 updates = updates : : : L i s t ( ( v , a ) )
1117 this
1118 }// lock
1119
1120 def get [T] ( v : Var [T ] ) : T = l o ck . synchronized {
1121 s t o r e (v ) . as InstanceOf [ Val [T ] ]
1122 match {
1123 case Val ( a ) => a
1124 }
1125 }// lock
1126
1127 def getSto re = l o ck . synchronized {
1128 s t o r e . toSeq . sortWith ( . 1 . t oS t r ing < . 1 . t oS t r ing )
1129 }// lock
1130
1131 def getUpdates = l o ck . synchronized {
1132 updates // return the l a t e s t updates that were app l i ed
1133 }// lock
1134
1135 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1136 ∗ To stop a monitor
1137 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1138
1139 def stop = l o ck . synchronized {
1140 i f ( stopped ) {
1141 log . i n f o ( " S t o p : M o n i t o r " + name + " has b e e n s t o p p e d . " )
1142 }
1143 else {
1144 system stop m
1145 }
1146 rep ly // always return the l a s t r ep ly
1147 }// lock
1148
1149 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1150 ∗ To pr in t a monitor
196 Appendix A: API listings
1151 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1152
1153 def showStore = l o ck . synchronized {
1154 f " $ s t a t e %4 d " +
1155 getSto re . f o ldRight ( " " ){ case ( ( i , v ) , s ) => f " $ { i . t o S t r i n g } - > $ { v . t o S t r i n g } $s "}
1156 }// lock
1157
1158 override def t oS t r i ng = l o ck . synchronized {
1159 " RTM ( " + name + " ) " +
1160 ( i f ( hasFa i l ed ) " F a i l e d " else i f ( hasStopped ) " D o n e ! " else " M o r e " ) + showStore
1161 }// lock
1162
1163 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1164 ∗ To show a s i n g l e monitor ’ s conc re t e s t a t e
1165 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1166
1167 def show : Unit = l o ck . synchronized {
1168 i f ( stopped ) p r i n t l n ( " S h o w : M o n i t o r " + name + " has b e e n s t o p p e d . " )
1169 else Await . r e s u l t ( ask (m, Show (0 ) ) , t imeout . durat ion )
1170 }// lock
1171
1172 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1173 ∗ To se t / unset the checkpoint p r i n t i ng f l a g
1174 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1175
1176 def printOn : RTM = l o ck . synchronized { printEachCheckPoint = true ; this }// lock
1177 def pr in tOf f : RTM = l o ck . synchronized { printEachCheckPoint = false ; this }// lock
1178
1179 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1180 ∗ To se t / unset the checkpoint l ogg ing f l a g
1181 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1182
1183 def logOn : RTM = l o ck . synchronized { logEachCheckPoint = true ; this }// lock
1184 def l ogOf f : RTM = l o ck . synchronized { logEachCheckPoint = false ; this }// lock
1185
1186 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1187 ∗ To se t the d e f au l t except ion handler
1188 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1189
1190 def setExcept ion ( e : RTM. RTVException ) : RTM = l o ck . synchronized {
1191 except ion = e
1192 this
1193 }// lock
1194
1195 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1196 ∗ To run a v e r i f i c a t i o n
1197 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1198
1199 def v e r i f y : Reply = l o ck . synchronized {
1200 var r f : Future [ Reply ] = null
1201 i f ( stopped ) {
1202 getReply
1203 }
1204 else {
1205 val t0 : Long = java . lang . System . nanoTime ( )
1206 r f = Await . r e s u l t ( ask (m, Step ( updates ) ) , t imeout . durat ion ) . as InstanceOf [ Future [ Reply ] ]
1207 updates = L i s t ( ) // re−s e t f o r next time
1208 rep ly = Await . r e s u l t ( r f , t imeout . durat ion ) . as InstanceOf [ Reply ]
1209 val t1 : Long = java . lang . System . nanoTime ( )
1210 timer = t imer + ( t1 − t0 )
1211 i f ( r ep ly . isDone | | r ep ly . i s F a i l ) {
1212 system stop m
1213 stopped = true
1214 }
1215 i f ( printEachCheckPoint ) {
1216 p r i n t l n ( f " ( $ { t i m e r . t o D o u b l e / 1 0 0 0 0 0 0 0 0 0 } % 6 . 3 f sec ): $ t h i s " )
1217 }
1218 i f ( logEachCheckPoint ) {
1219 log . debug ( f " ( $ { t i m e r . t o D o u b l e / 1 0 0 0 0 0 0 0 0 0 } % 6 . 3 f sec ): $ t h i s " )
1220 }
1221 s t a t e = s t a t e + 1
1222 rep ly
1223 }
1224 }// lock
A.2 Monitor API 197
1225
1226 def ! = this . v e r i f y
1227
1228 def ! ! : Reply = this . ! ! ( this . except ion )
1229
1230 def ! ! ( e : Exception ) : Reply = this . v e r i f y match {
1231 case Fa i l => throw e
1232 case r => r
1233 }//match
1234
1235 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1236 ∗ To ana lyse r e p l i e s
1237 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1238
1239 def getNbrOfStates = l o ck . synchronized { this . s t a t e }
1240 def getTimer = l o ck . synchronized { this . t imer }
1241 def getReply = l o ck . synchronized { this . r ep ly }
1242 def hasStopped = l o ck . synchronized { this . r ep ly . isDone }
1243 def hasFa i l ed = l o ck . synchronized { this . r ep ly . i s F a i l }
1244
1245 }//RTM
1246
1247 object RTM {
1248 class RTVException (msg : S t r ing ) extends RuntimeException {
1249 override def t oS t r i ng ( ) = f " R T V E x c e p t i o n $ m s g "
1250 }
1251 }//companion ob j e c t RTM
1252
1253 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1254 ∗ RTMRef Runtime Monitor Reference − f o r use with RTMC
1255 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1256
1257 case class RTMRef(name : St r ing ) { override def t oS t r i ng = " R T M R e f ( "+name+" ) " }
1258
1259 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1260 ∗ RTMC Runtime Monitor Clus te r : [M0, M1, M2, . . . ]
1261 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1262
1263 class RTMC(name : Str ing , system : ActorSystem ) {
1264 private var monitors : immutable .Map[RTMRef, ActorRef ] = new immutable . HashMap ( )
1265 private var r e p l i e s : immutable .Map[RTMRef, Reply ] = new immutable . HashMap ( )
1266 private var stopped : immutable . L i s t [RTMRef ] = L i s t ( )
1267 private var f a i l e d : immutable . L i s t [RTMRef ] = L i s t ( )
1268 private var s t o r e : immutable .Map[ Variable , Value ] = new immutable . HashMap ( )
1269 private var s t a t e : Int = 0
1270 private var updates : L i s t [ VarUpdate ] = L i s t ( )
1271 private val l o ck : Object = new Object // f o r synchron i za t i on
1272 private var printEachCheckPoint : Boolean = false
1273 private var logEachCheckPoint : Boolean = false
1274 private var t imer : Long = 0
1275 val l og = Logging . getLogger ( system , this )
1276
1277 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1278 ∗ Methods to manage the s t o r e / s t a t e
1279 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1280
1281 def s e t [T] ( v : Var [T] , a : T) : RTMC = l o ck . synchronized {
1282 s t o r e = s t o r e + ( ( v −> Val ( a ) ) )
1283 updates = updates : : : L i s t ( ( v , a ) )
1284 this
1285 }// lock
1286
1287 def get [T] ( v : Var [T ] ) : T = l o ck . synchronized {
1288 s t o r e (v ) . as InstanceOf [ Val [T ] ]
1289 match { case Val ( a ) => a }
1290 }// lock
1291
1292 def getSto re = l o ck . synchronized {
1293 s t o r e . toSeq . sortWith ( . 1 . t oS t r ing < . 1 . t oS t r ing )
1294 }// lock
1295
1296 def getUpdates = l o ck . synchronized {
1297 updates // return the l a t e s t updates that were app l i ed
1298 }// lock
198 Appendix A: API listings
1299
1300 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1301 ∗ Methods to add/remove/ stop monitors to / from the c l u s t e r
1302 ∗ add : s e t s up a new RTMActor and a s s o c i a t e s i t with a r e f e r e n c e . This pa i r i s then
1303 ∗ added to the ’ c l u s t e r ’
1304 ∗ remove : s tops the monitor i d e n t i f i e d by i t s r e f e r e n c e and then removes a l l
1305 ∗ r e f e r e n c e s
1306 ∗ removeAll : removes a l l monitors from the c l u s t e r
1307 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1308
1309 def add ( a : Abstr . Monitor , name : St r ing ) : RTMRef = l o ck . synchronized {
1310 val mr = RTMRef(name)
1311 monitors = monitors + (mr −> system . actorOf ( Props ( c l a s sO f [RTMActor ] , a ) , name ) )
1312 mr
1313 }// lock
1314
1315 // Completely remove a monitor from the c l u s t e r
1316 def remove (mr : RTMRef ) : RTMC = l o ck . synchronized {
1317 i f ( monitors conta in s mr)
1318 system . stop ( monitors (mr) )
1319 monitors = monitors − mr
1320 r e p l i e s = r e p l i e s − mr
1321 stopped = stopped . f i l t e rN o t ( == mr)
1322 f a i l e d = f a i l e d . f i l t e rN o t ( == mr)
1323 this
1324 }// lock
1325
1326 // Remove a l l monitors from the c l u s t e r
1327 def removeAll : RTMC = l o ck . synchronized { monitors . keys . f o r each ( remove ( ) ) ; this }// lock
1328
1329 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1330 ∗ To pr in t out the monitors in the c l u s t e r
1331 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1332
1333 def showStore = l o ck . synchronized {
1334 " < " + sta t e + " > " +
1335 getSto re . f o ldRight ( " " ){ case ( ( i , v ) , s ) => i . t oS t r ing + " - > " + v . toS t r i ng + " " + s}
1336 }// lock
1337
1338 override def t oS t r i ng = l o ck . synchronized {
1339 def show ( a : RTMRef , s : S t r ing ) : S t r ing = a . name + " " + s
1340 " R T M C l u s t e r ( " + name +
1341 " ) { L i v e : " + monitors . keys . f o ldRight ( " " ) ( show ( , ) ) +
1342 " } { S t o p p e d : " + stopped . fo ldRight ( " " ) ( show ( , ) ) +
1343 " } { F a i l e d : " + f a i l e d . f o ldRight ( " " ) ( show ( , ) ) +
1344 " } { S t o r e : " + showStore +
1345 " } "
1346
1347 }// lock
1348
1349 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1350 ∗ To show a s i n g l e monitor ’ s conc re t e s t a t e
1351 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1352
1353 def show (mr : RTMRef ) : Unit = l o ck . synchronized {
1354 i f ( monitors conta in s mr) Await . r e s u l t ( ask ( monitors (mr) , Show (0 ) ) , t imeout . durat ion )
1355 }// lock
1356
1357 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1358 ∗ To se t / unset the checkpoint p r i n t i ng f l a g
1359 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1360
1361 def printOn : RTMC = l o ck . synchronized { printEachCheckPoint = true ; this }// lock
1362 def pr in tOf f : RTMC = l o ck . synchronized { printEachCheckPoint = false ; this }// lock
1363
1364 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1365 ∗ To se t / unset the checkpoint l ogg ing f l a g
1366 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1367
1368 def logOn : RTMC = l o ck . synchronized { logEachCheckPoint = true ; this }// lock
1369 def l ogOf f : RTMC = l o ck . synchronized { logEachCheckPoint = false ; this }// lock
1370
1371 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1372 ∗ To run a v e r i f i c a t i o n
A.2 Monitor API 199
1373 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1374
1375 def v e r i f y : Unit = l o ck . synchronized {
1376 var ns : immutable .Map[RTMRef, Future [ Reply ] ] = new immutable . HashMap ( )
1377
1378 val t0 : Long = java . lang . System . nanoTime ( )
1379 monitors . f o r each {
1380 case (mr : RTMRef, m: ActorRef ) =>
1381 ns = ns + ( (mr , Await . r e s u l t ( ask (m, Step ( updates ) ) ,
1382 timeout . durat ion ) . as InstanceOf [ Future [ Reply ] ] ) )
1383 }// fo reach
1384 updates = L i s t ( ) // re−s e t f o r next time
1385 val ps = ns . mapValues{ r f => Await . r e s u l t ( r f , t imeout . durat ion ) . as InstanceOf [ Reply ]}
1386 val t1 : Long = java . lang . System . nanoTime ( )
1387 timer = t imer + ( t1 − t0 )
1388 val (more , no more ) = ps . p a r t i t i o n { case (mr , r ) => r . isMore }
1389 val ( done , f a i l ) = no more . p a r t i t i o n { case (mr , r ) => r . isDone }
1390 stopped = stopped ++ ( done . keys )
1391 f a i l e d = f a i l e d ++ ( f a i l . keys )
1392 monitors = monitors −− ( no more . keys )
1393 r e p l i e s = r e p l i e s ++ ps
1394 i f ( printEachCheckPoint ) {
1395 p r i n t l n ( f " ( $ { t i m e r . t o D o u b l e / 1 0 0 0 0 0 0 0 0 0 } % 6 . 3 f sec ): $ t h i s " )
1396 }
1397 i f ( logEachCheckPoint ) {
1398 log . i n f o ( s " ( $ { t i m e r . t o D o u b l e / 1 0 0 0 0 0 0 0 0 0 } % 6 . 3 f sec ): $ t h i s " )
1399 }
1400 s t a t e = s t a t e + 1
1401 }// lock
1402
1403 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
1404 ∗ To ana lyse r e p l i e s
1405 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
1406
1407 def getStoppedMonitors : L i s t [RTMRef ] = l o ck . synchronized { stopped }
1408 def getFa i l edMonitors : L i s t [RTMRef ] = l o ck . synchronized { f a i l e d }
1409 def getLiveMonitors : L i s t [RTMRef ] = l o ck . synchronized { monitors . keys . t oL i s t }
1410 def ge tRep l i e s : immutable .Map[RTMRef, Reply ] = l o ck . synchronized { r e p l i e s }
1411 def getReply (mr : RTMRef ) : Option [ Reply ] =
1412 lock . synchronized { i f ( r e p l i e s conta in s mr) Some( r e p l i e s (mr) ) else None }// lock
1413 def hasStopped (mr : RTMRef ) : Boolean = l o ck . synchronized { stopped conta ins mr }
1414 def hasFa i l ed (mr : RTMRef ) : Boolean = l o ck . synchronized { f a i l e d conta ins mr }
1415 def i s L i v e (mr : RTMRef ) : Boolean = l o ck . synchronized { monitors conta ins mr }
1416 def noneFai led : Boolean = l o ck . synchronized { r e p l i e s . va lues . f o r a l l ( r => ! ( r . i s F a i l ) ) }
1417 }//RTMC
1418 }//Runtime ob j e c t
1419 }//Monitor ob j e c t
200 Appendix A: API listings
Appendix B
Practical examples
B.1 Tennis example
The code listings in this section relate to the tennis example in Chapter 4.5. The three files
comprise:
1. The definitions for the simulation including the monitored and non-monitored variables;
2. The ITL-Monitor specifications
3. The main simulation itself
Listing B.1: Tennis example: definitions
1 package demo . t enn i s
2
3 object Defs {
4 import runtime . ana l y s i s . ITL . // Needed f o r Var d e f i n i t i o n s
5
6 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
7 ∗ Data types used by the s imula t i on and the s p e c i f i c a t i o n
8 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
9 class Player {
10 def other = i f ( this==P1) P2 else P1
11 }
12 case object P1 extends Player
13 case object P2 extends Player
14 class Score
15 case object Love extends Score
16 case object Fi f t e en extends Score
17 case object Thirty extends Score
18 case object Forty extends Score
19 case object Advantage extends Score
20 case object Game extends Score
21 implicit object RelScore extends Eq [ Score ] with Ord [ Score ] {
22 override def EQ(a : Score , b : Score ) : Boolean = a==b
23 override def LE( a : Score , b : Score ) : Boolean = a match {
24 case Love => true
25 case Fi f t e en => b != Love
26 case Thirty => b != Love && b != Fi f t e en
27 case Forty => b == Forty | | b == Advantage | | b == Game
28 case Advantage => b == Advantage | | b == Game
202 Appendix B: Practical examples
29 case Game => b == Game
30 }
31 }
32
33 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
34 ∗ Monitored va r i a b l e s
35 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
36 case class Points (p : Player ) extends Var [ Score ] { override def t oS t r i ng = " P o i n t s ( "+p+" ) " }
37 case class Games(p : Player ) extends Var [ Int ] { override def t oS t r i ng = " G a m e s ( "+p+" ) " }
38 case class Sets (p : Player ) extends Var [ Int ] { override def t oS t r i ng = " S e t s ( "+p+" ) " }
39 }
Listing B.2: Tennis example: specification
1 package demo . t enn i s
2
3 object Spec {
4 import runtime . ana l y s i s . ITL . // ITL d e f i n i t i o n s and opera to r s
5 import runtime . ana l y s i s . Monitor . Abstr . // Runtime Monitor components
6 import Defs . // Var iab le d e f i n i t i o n s
7
8 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
9 ∗ ITL/monitor s p e c i f i c a t i o n
10 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
11
12 def nextPoint (p : Player ) = ( ( Points (p ) ‘=‘ Love ) and (Next ( Points (p ) ) ‘=‘ F i f t e en ) ) or
13 ( ( Points (p ) ‘=‘ F i f t e en ) and (Next ( Points (p ) ) ‘=‘ Thirty ) ) or
14 ( ( Points (p ) ‘=‘ Thirty ) and (Next ( Points (p ) ) ‘=‘ Forty ) ) or
15 ( ( Points (p ) ‘=‘ Forty ) and (Next ( Points (p ) ) ‘=‘Game) ) or
16 ( ( Points (p ) ‘=‘ Forty ) and (Next ( Points (p ) ) ‘=‘ Advantage ) ) or
17 ( ( Points (p ) ‘=‘ Advantage ) and (Next ( Points (p ) ) ‘=‘ Forty ) ) or
18 ( ( Points (p ) ‘=‘ Advantage ) and (Next ( Points (p ) ) ‘=‘Game) )
19
20 def winPoint = sk ip and ( ( ( s t ab l e ( Points (P1 ) ) and nextPoint (P2 ) ) ) or
21 ( ( s t ab l e ( Points (P2 ) ) and nextPoint (P1 ) ) ) )
22
23 def validGame = l a b e l ( " V A L I D G A M E " ,
24 ( Points (P1 ) ‘=‘ Love ) and ( Points (P2 ) ‘=‘ Love ) and
25 ( winPoint ) . chopstar and
26 ( ( (Games(P1) <˜ Games(P1) + 1) and s t ab l e (Games(P2 ) ) ) or
27 ( (Games(P2) <˜ Games(P2) + 1) and s t ab l e (Games(P1 ) ) ) )
28 )
29
30 def gameOver = l a b e l ( " G A M E O V E R " , ( ( Points (P1 ) ) ‘=‘Game) or ( ( Points (P2 ) ) ‘=‘Game) )
31
32 def va l i dSe t = l a b e l ( " V A L I D SET " ,
33 ( (Games(P1 ) ‘= ‘ 0 ) and (Games(P2 ) ‘= ‘ 0 ) ) and
34 ( ( ( Sets (P1) <˜ Sets (P1) + 1) and s t ab l e ( Sets (P2 ) ) ) or
35 ( ( Sets (P2) <˜ Sets (P2) + 1) and s t ab l e ( Sets (P1 ) ) ) )
36 )
37
38 def setOver = l a b e l ( " SET O V E R " , ( (Games(P1)>=6) and (Games(P2)+1 < Games(P1 ) ) ) or
39 ( (Games(P2)>=6) and (Games(P1)+1 < Games(P2 ) ) ) )
40
41 def matchOver = l a b e l ( " M A T C H O V E R " , ( Sets (P1 ) ‘= ‘ 3 ) or ( Sets (P2 ) ‘= ‘ 3 ) )
42
43 def startMatch = l a b e l ( " S T A R T M A T C H " , ( Points (P1) ‘=‘ Love ) and ( Points (P2) ‘=‘ Love ) and
44 (Games(P1) ‘=‘ 0) and (Games(P2) ‘=‘ 0 ) and
45 ( Sets (P1) ‘=‘ 0) and ( Sets (P2) ‘=‘ 0 ) )
46
47 /∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
48 ∗ Analys i s g r anu l a r i t y = one game
49 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
50
51 def bygame = GUARD( startMatch ) THEN HALT(matchOver ) ITERATE (
52 (SKIP THEN HALT( setOver ) ITERATE (
53 SKIP THEN HALT(gameOver ) WITH ( sk ip ‘ ; ‘ validGame )
54 )
55 ) WITH ( sk ip ‘ ; ‘ v a l i dSe t )
56 )
57
58 /∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
B.1 Tennis example 203
59 ∗ Analys i s g r anu l a r i t y = one s e t
60 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
61
62 def byset = GUARD( startMatch ) THEN HALT(matchOver ) ITERATE (
63 (SKIP THEN HALT( setOver ) ) WITH
64 ( ( sk ip ‘ ; ‘ ( ha l t ( gameOver ) and validGame ) ) . chopstar and
65 ( sk ip ‘ ; ‘ v a l i dSe t ) )
66 )
67
68 /∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
69 ∗ Analys i s g r anu l a r i t y = one match − i . e . the whole i n t e r v a l checked once at the end
70 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
71
72 def validMatch = ( ( sk ip ‘ ; ‘ ( ha l t ( gameOver ) and validGame ) ) . chopstar and
73 ( sk ip ‘ ; ‘ ( ha l t ( setOver ) and va l i dSe t ) )
74 ) . chopstar
75
76 def bymatch = GUARD( startMatch ) THEN HALT(matchOver ) WITH validMatch
77
78 /∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
79 ∗ Analys i s g r anu l a r i t y = one game / adding p r o j e c t i on
80 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
81
82 def s e t s I n c r (p : Player ) = ( keep ( ( Next ( Sets (p ) ) − Sets (p ) ) <= 1) )
83
84 def bygamep= GUARD( startMatch ) THEN HALT(matchOver ) ITERATE (
85 (SKIP THEN HALT( setOver ) ITERATE (
86 SKIP THEN HALT(gameOver ) WITH ( sk ip ‘ ; ‘ validGame )
87 )
88 ) WITH ( sk ip ‘ ; ‘ v a l i dSe t )
89 ) PROJECT
90 ( SKIP THEN
91 HALT(matchOver ) WITH ( s e t s I n c r (P1 ) ) WITH ( s e t s I n c r (P2 ) )
92 )
93 }
Listing B.3: Tennis example: simulation
1 package demo . t enn i s
2 /∗
3 Example o f ’ Tennis Score ’ pattern
4 s c a l a c demo/ t enn i s / Simulat ion . s c a l a
5
6 s c a l a demo . t enn i s . S imulat ion bygame
7 s c a l a demo . t enn i s . S imulat ion bygameproj
8 s c a l a demo . t enn i s . S imulat ion bysafegame
9 s c a l a demo . t enn i s . S imulat ion byset
10 s c a l a demo . t enn i s . S imulat ion bymatch
11 ∗/
12
13 object Simulat ion {
14 import akka . ac tor . ActorSystem
15 import runtime . ana l y s i s . Monitor . Runtime .
16 import Defs . // Var iab le d e f i n i t i o n s
17 import Spec . // ITL and Runtime Monitor s p e c i f c a t i o n
18
19 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
20 ∗ Simulat ion / Program to be monitored
21 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
22
23 def playMatch (mu: RTM)
24 {
25 def matchOver (p : Player ) = mu. get ( Sets (p ) ) == 3
26 def setOver (p : Player ) = (mu. get (Games(p ) ) >= 6) &&
27 ( (mu. get (Games(p . other ))+1) < mu. get (Games(p ) ) )
28 def gameOver = (mu. get ( Points (P1 ) ) == Game) | | (mu. get ( Points (P2 ) ) == Game)
29
30 val r = s c a l a . u t i l .Random
31 var winner : Player = P1 //P1 i s a p l a c eho lde r i n i t i a l va lue only
32
33 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
34 ∗ Play a match
204 Appendix B: Practical examples
35 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
36
37 mu. s e t ( Points (P1 ) , Love ) . s e t ( Points (P2 ) , Love )
38 . s e t (Games(P1 ) , 0) . s e t (Games(P2 ) , 0)
39 . s e t ( Sets (P1 ) , 0) . s e t ( Sets (P2 ) , 0)
40 . v e r i f y
41 do
42 {
43 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
44 ∗ Play a s e t
45 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
46 // p r i n t l n (”New Set ”)
47 mu. s e t (Games(P1 ) , 0)
48 . s e t (Games(P2 ) , 0)
49
50 do
51 {
52 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
53 ∗ Play a game
54 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
55 // p r i n t l n (”New Game − i n i t ”)
56 mu. s e t ( Points (P1 ) , Love )
57 . s e t ( Points (P2 ) , Love )
58 . v e r i f y
59 // p r i n t l n (”New Game − s t a r t ”)
60 do
61 {
62 winner = i f ( r . next Int (2 )==0) P1 else P2 // random : 0==P1 win , 1==P2 win
63 mu. get ( Points ( winner ) )
64 match
65 {
66 case Love => mu. s e t ( Points ( winner ) , F i f t e en ) . v e r i f y
67 case Fi f t e en => mu. s e t ( Points ( winner ) , Thirty ) . v e r i f y
68 case Thirty => mu. s e t ( Points ( winner ) , Forty ) . v e r i f y // the c o r r e c t l i n e
69 // case Thirty => mu. s e t ( Points ( winner ) , Game ) . v e r i f y // i n s e r t a bug
70 case Forty => i f (mu. get ( Points ( winner . other ) ) == Forty )
71 mu. s e t ( Points ( winner ) , Advantage ) . v e r i f y
72 else i f (mu. get ( Points ( winner . other ) ) == Advantage )
73 mu. s e t ( Points ( winner . other ) , Forty ) . v e r i f y
74 else
75 mu. s e t ( Points ( winner ) , Game)
76 case Advantage => mu. s e t ( Points ( winner ) , Game)
77 }
78 // p r i n t l n (”Winner : ” + winner + ” , (P1 , P2) = ” +
79 // (mu. get ( Points (P1 ) ) , mu. get ( Points (P2 ) ) ) )
80 }
81 while ( ! gameOver ) /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
82
83 mu. s e t (Games( winner ) , mu. get (Games( winner ) ) + 1)
84 i f ( setOver ( winner ) )
85 mu. s e t ( Sets ( winner ) , mu. get ( Sets ( winner ) ) + 1)
86 mu. v e r i f y
87
88 }
89 while ( ! setOver ( winner ) ) /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
90
91 }
92 while ( ! matchOver ( winner ) ) /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
93
94 p r i n t l n ( " M a t c h o v e r . W i n n e r is " + winner )
95 }
96
97 /∗ ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗
98 ∗ Simulat ion thread − s t a r t i ng , and then await ing , the s imu lat i on and run−time monitor
99 ∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗∗/
100 def runSimulat ion ( args : Array [ S t r ing ] )
101 {
102 val system = ActorSystem ( " E x 3 A c t o r S y s t e m " )
103 val mu = RTM( args (0 ) match
104 {
105 case " b y g a m e " => bygame
106 case " b y g a m e p " => bygamep
107 case " b y s e t " => byset
108 case " b y m a t c h " => bymatch
B.2 Latch example 205
109 } ,
110 " T e n n i s " ,
111 system ) . printOn
112
113 playMatch (mu)
114 mu. stop
115 Thread s l e ep 2000
116 system . terminate
117 }
118
119 def main ( args : Array [ S t r ing ] ) {
120 runSimulat ion ( args )
121 }
122
123 }
B.2 Latch example
The Scala code for the latch example is separated into two objects. One is TC into which the
TraceContract specifications have been placed. The second is Simulation which contains
the ITL-Monitor specification and the program that generates sample execution traces for
analysis. The latter distinguishes between the the monitored and non-monitored variables,
both of which are used within the simulation irrespective of whether or not any monitoring
is carried out. The integration of monitored variables into the program under test performs
the instrumentation used by ITL-Monitor.
Listing B.4: TraceContract definitions for the latch example
1 package demo . l a t ch
2
3 object TC {
4 import t r a c e c on t r a c t .
5
6 /∗
7 ∗ An event i s the cons t ruc t i on o f a new s t a t e c on s i s t i n g o f the three
8 ∗ f l a g s : a , b , and s . A t rac e i s a sequence o f events ( s t a t e s )
9 ∗/
10 case class Event ( a : Boolean , b : Boolean , s : Boolean )
11
12 def aHi : Part ia lFunct ion [ Event , Boolean ] = { case Event ( true , , ) => true }
13 def aLo : Par t ia lFunct ion [ Event , Boolean ] = { case Event ( false , , ) => true }
14 def bHi : Par t ia lFunct ion [ Event , Boolean ] = { case Event ( , true , ) => true }
15 def bLo : Part ia lFunct ion [ Event , Boolean ] = { case Event ( , false , ) => true }
16 def sHi : Par t ia lFunct ion [ Event , Boolean ] = { case Event ( , , true ) => true }
17 def sLo : Part ia lFunct ion [ Event , Boolean ] = { case Event ( , , fa l se ) => true }
18
19 class R1 extends Monitor [ Event ] {
20 /∗
21 ∗ I f B i s s t ab l e a c ro s s two adjacent s t a t e s then S i s low in the 2nd s t a t e
22 ∗
23 ∗ 2((B ⇔©w (B))⇒©w (¬ S))
24 ∗/
25
26 def bStable = ( ( matches{bHi}) and weaknext (matches{bHi } ) ) or
27 ( ( matches{bLo}) and weaknext (matches{bLo} ) )
28
29 property (’R1) {
30 g l o b a l l y {
31 bStable imp l i e s ( weaknext (matches{sLo } ) )
32 }
33 }
34 }//R1
206 Appendix B: Practical examples
35
36 class R2 extends Monitor [ Event ] {
37 /∗
38 ∗ I f B i s unstab le a c ro s s two adjacent s t a t e s then S i s high in the 2nd s t a t e
39 ∗
40 ∗ 2(¬ (B ⇔©w (B))⇒©w (S))
41 ∗/
42
43 def bStable = ( ( matches{bHi}) and weaknext (matches{bHi } ) ) or
44 ( ( matches{bLo}) and weaknext (matches{bLo} ) )
45
46 def bUnstable = ( ( matches{bHi}) and weaknext (matches{bLo} ) ) or
47 ( ( matches{bLo}) and weaknext (matches{bHi } ) )
48
49 property (’R2) {
50 g l o b a l l y {
51 bUnstable imp l i e s ( weaknext (matches{ sHi } ) )
52 }
53 }
54 }//R2
55
56 class R3 R4 extends Monitor [ Event ] {
57 /∗
58 ∗ R3 Whenever A i s s t ab l e a c ro s s two adjacent s t a t e s then B i s s t ab l e
59 ∗
60 ∗ 2((¬ A ∧©w (¬ A))⇒ (B ⇔©w (B))
61 ∗
62 ∗ R4 Whenever A i s low ac ro s s two adjacent s t a t e s then B i s s t ab l e
63 ∗
64 ∗ 2((¬ A ∧©w (A))⇒ (B ⇔©w (B)))
65 ∗/
66
67 def bStable = ( ( matches{bHi}) and weaknext (matches{bHi } ) ) or
68 ( ( matches{bLo}) and weaknext (matches{bLo} ) )
69
70 def aStableLo = ( matches{aLo}) and weaknext (matches{aLo})
71
72 def aRises = ( matches{aLo}) and weaknext (matches{aHi })
73
74 property (’R3 R4) {
75 g l o b a l l y { ( aStableLo imp l i e s bStable ) and ( aRises imp l i e s bStable ) }
76 }
77 }//R3 R4
78
79 class R5 extends Monitor [ Event ] {
80 /∗
81 ∗ A s ta t e machine r ep r e s en t i ng the l a t ch behaviour
82 ∗ Event State ABS ==> va l i d moves :
83 ∗ Event ( f a l s e , f a l s e , f a l s e ) S0 ==> S0 , S4
84 ∗ Event ( f a l s e , f a l s e , t rue ) S1 − ==> S0 , S4
85 ∗ Event ( f a l s e , t rue , f a l s e ) S2 − ==> S2 , S6
86 ∗ Event ( f a l s e , t rue , t rue ) S3 −− ==> S2 , S6
87 ∗ Event ( t rue , f a l s e , f a l s e ) S4 − ==> S0 , S3 , S4 , S7
88 ∗ Event ( t rue , f a l s e , t rue ) S5 − − ==> S0 , S3 , S4 , S7
89 ∗ Event ( t rue , t rue , f a l s e ) S6 −− ==> S1 , S2 , S5 , S6
90 ∗ Event ( t rue , t rue , t rue ) S7 −−− ==> S1 , S2 , S5 , S6
91 ∗/
92
93 property (’R5) { S0 }
94
95 def S0 : Formula = s t a t e {
96 case Event ( true , false , fa l se ) => S4
97 case Event ( false , false , fa l se ) => S0
98 case => e r r o r
99 }
100
101 def S2 : Formula = s t a t e {
102 case Event ( true , true , fa l se ) => S6
103 case Event ( false , true , fa l se ) => S2
104 case => e r r o r
105 }
106
107 def S4 : Formula = s t a t e {
108 case Event ( false , false , fa l se ) => S0
B.2 Latch example 207
109 case Event ( false , true , true ) => S3
110 case Event ( true , true , true ) => S7
111 case Event ( true , false , fa l se ) => S4
112 case => e r r o r
113 }
114
115 def S6 : Formula = s t a t e {
116 case Event ( false , true , fa l se ) => S2
117 case Event ( false , false , true ) => S1
118 case Event ( true , false , true ) => S5
119 case Event ( true , true , fa l se ) => S6
120 case => e r r o r
121 }
122
123 def S3 : Formula = s t a t e {
124 case Event ( false , true , fa l se ) => S2
125 case Event ( true , true , fa l se ) => S6
126 case => e r r o r
127 }
128
129 def S1 : Formula = s t a t e {
130 case Event ( false , false , fa l se ) => S0
131 case Event ( true , false , fa l se ) => S4
132 case => e r r o r
133 }
134
135 def S7 : Formula = s t a t e {
136 case Event ( true , true , fa l se ) => S6
137 case Event ( true , false , true ) => S5
138 case Event ( false , true , fa l se ) => S2
139 case Event ( false , false , true ) => S1
140 case => e r r o r
141 }
142
143 def S5 : Formula = s t a t e {
144 case Event ( true , false , fa l se ) => S4
145 case Event ( true , true , true ) => S7
146 case Event ( false , false , fa l se ) => S0
147 case Event ( false , true , true ) => S3
148 case => e r r o r
149 }
150 }//R5
151
152 class LTLRequirements extends Monitor [ Event ] {
153 /∗
154 ∗ Al l the LTL requirements are con jo ined in the f o l l ow ing monitor
155 ∗/
156
157 monitor ( new R1 , new R2 , new R3 R4 )
158 }
159
160 class StMRequirements extends Monitor [ Event ] {
161 /∗
162 ∗ The s t a t e machine requirement becomes a monitor
163 ∗/
164 monitor ( new R5 )
165 }
166
167 class AllRequirements extends Monitor [ Event ] {
168 /∗
169 ∗ A monitor r ep r e s en t i ng the con junct ion o f the LTL and s t a t e machine
170 ∗/
171 monitor ( new LTLRequirements , new StMRequirements )
172 }
173
174 /∗
175 ∗ Convenient cover s f o r export ing each o f the combinations
176 ∗/
177 def monitorLTL = new LTLRequirements
178 def monitorStM = new StMRequirements
179 def monitorAl l = new AllRequirements
180 def monitorNi l = new Monitor [ Event ]
181
182 }//TC
208 Appendix B: Practical examples
Listing B.5: Latch example simulation
1 package demo . l a t ch
2
3 /∗
4 ∗ Simulat ion o f the l a t ch example in which runtime v e r i f i c a t i o n may use any
5 ∗ combination o f ITM(ITL ) , TraceContract (LTL) , and TraceContract ( s t a t e machine ) .
6 ∗/
7 object Simulat ion {
8 import akka . ac tor . ActorSystem
9 import runtime . ana l y s i s . ITL .
10 import runtime . ana l y s i s . Monitor . Runtime .
11 import runtime . ana l y s i s . Monitor . Abstr .
12
13 var as : ActorSystem =
14
15 /∗
16 ∗ ITM−monitored va r i a b l e s are i n t e g r a l to the s imu lat i on i r r e s p e c t i v e
17 ∗ o f whether or not ITM monitor ing i s performed .
18 ∗/
19 object S extends Var [ Boolean ] { override def t oS t r ing = " S " }
20 object A extends Var [ Boolean ] { override def t oS t r ing = " A " }
21 object B extends Var [ Boolean ] { override def t oS t r ing = " B " }
22 object STOP extends Var [ Boolean ] { override def t oS t r ing = " S T O P " }
23
24 /∗
25 ∗ The ITM (ITL) s p e c i f i c a t i o n :
26 ∗
27 ∗ i n i t i a l : The i n i t i a l s t a t e cond i t i on in which a l l the f l a g s are low .
28 ∗
29 ∗ c l ause2 : S a t i s f i e d by a sub in t e rva l from th i s po int up to the f i r s t
30 ∗ s t a t e in which B changes value . Throughout t h i s i n t e r v a l S can be
31 ∗ high or low in the f i r s t s t a t e ; then S must stay low un t i l the f i n a l
32 ∗ s t a t e when S must be high . ( In an extreme case i t i s p o s s i b l e f o r t h i s
33 ∗ sub in t e r va l to c on s i s t o f only two s t a t e s in which (B != O(B) ) & O(S)
34 ∗ holds .
35 ∗
36 ∗ c l ause3 : S a t i s f i e d by a sub in t e rva l from th i s po int up to the f i r s t
37 ∗ s t a t e in which A i s r a i s e d fo l l owed by the f i r s t s t a t e in which A i s
38 ∗ lowered . Within the f i r s t part o f t h i s sub in t e rva l B must remain
39 ∗ s t ab l e .
40 ∗
41 ∗ spec : The i n i t i a l s t a t e must be fused with an i n t e r v a l that cont inues
42 ∗ un t i l the f i r s t s t a t e in which HALT holds . Over t h i s i n t e r v a l the
43 ∗ c y c l e s r epre s ented by c l ause2 and c lause3 are repeated .
44 ∗/
45 val i n i t i a l = (∼A and ∼B and ∼S)
46
47 val c l ause2 = FIRST(B <∼ ∼B) WITH ( sk ip ‘ ; ‘ ha l t (S ) )
48
49 val c l ause3 = (HALT(A) WITH ( s t ab l e (B) ) ) THEN (HALT(∼A))
50
51 val spec = (GUARD( i n i t i a l )
52 THEN (HALT(STOP)
53 ITERATE c lause2 ITERATE c lause3 ) )
54
55 /∗
56 ∗ The purpose o f the s imu la t ion i s to demonstrate and compare the d i f f e r e n t
57 ∗ runtime v e r i f i c a t i o n approaches . Flags to the s imula t i on con t r o l which o f
58 ∗ these i s s e t / unset . The length o f the s imu la t i on ( the number o f v e r i f i e d
59 ∗ s t a t e s ) i s returned .
60 ∗/
61 def runSimulat ion ( i t e r : Int , // I t e r a t i o n number ( f o r mul t ip l e runs )
62 aCycles : Int , // Number o f A cy c l e s to s imulate
63 runITM : Boolean , // ITM monitor ing on/ o f f
64 runLTL : Boolean , // LTL monitor ing on/ o f f
65 runStM : Boolean , // State Machine monitor ing on/ o f f
66 runAna : Boolean , // AnaTempura monitor ing on/ o f f
67 printOn : Boolean , // Stdout cont inuous commentary on/ o f f
68 errorOn : Int // Error on given cyc l e (0 = o f f )
69 ) : Int = {
70 /∗
71 ∗ A number o f constants c on t r o l the s imu la t ion :
72 ∗ rand : A random number generator
73 ∗ aStayLow : Generates a random number o f s t a t e s (1−20) f o r A to stay low
B.2 Latch example 209
74 ∗ bFl ips : Randomly determines i f B f l i p s s t a t e (50%)
75 ∗ aIsLowered : Randomly determines i f A i s lowered (5%)
76 ∗/
77 val rand = s c a l a . u t i l .Random
78 def aStaysLow = 1+rand . next Int (20)
79 def bFl ips = rand . next Int (100)<50
80 def aIsLowered = rand . next Int (100)<5
81
82 /∗
83 ∗ mu i s the ITM monitor .
84 ∗ −− a s s o c i a t ed with an Akka actor system and an ITL s p e c i f i c a t i o n
85 ∗
86 ∗ nu i s the TraceContract monitor .
87 ∗ −− runs LTL and/or s t a t e machine monitor combinations as r equ i r ed
88 ∗/
89 val mu = RTM( spec , " L a t c h "+i t e r , as )
90 val nu = i f ( runLTL && runStM) TC. monitorAl l
91 else i f ( runLTL) TC. monitorLTL
92 else i f ( runStM) TC. monitorStM
93 else TC. monitorNi l
94
95 // I n i t i a l i s e l ogg ing and p r i n t i ng
96 i f ( printOn ) { mu. printOn ; nu . s e tSucc e s s ( true ) }
97 nu . setEventLog ( " log / L a t c h . log " )
98
99 /∗
100 ∗ A counter to measure the length o f a s imu lat i on run
101 ∗/
102 var numOfStates = 0
103
104 /∗
105 ∗ v e r i f y ( ) i s invoked at each a s s e r t i o n point with in the s imula t ion .
106 ∗ This performs the inst rumentat ion connect ing the program to the
107 ∗ monitors .
108 ∗
109 ∗ The monitored va r i a b l e s are maintainted with in the monitor (mu)
110 ∗ i r r e s p e c t i v e o f whether or not ITM v e r i f i c a t i o n i s invoked . Al l o f
111 ∗ the monitor ing systems used by the s imu lat i on use the same va lues
112 ∗ taken from these s t a t e v a r i a b l e s . This f a c i l i t a t e s a f a i r comparison
113 ∗ o f the d i f f e r e n t monitor ing systems to be made .
114 ∗
115 ∗ The AnaTempura inst rumentat ion i s handled v ia an output on stdout .
116 ∗
117 ∗ The TraceContract inst rumentat ion r e qu i r e s the combination o f the
118 ∗ monitored va r i a b l e s in to a TC. Event . This event i s t ransmitted to
119 ∗ the TC monitor (nu ) .
120 ∗
121 ∗ The ITM va r i a b l e s are maintainted within the monitor (mu) i t s e l f . The
122 ∗ i n s t r u c t i o n mu . ! ! i n s t r u c t s the monitor to proce s s the cur rent s t a t e .
123 ∗ Any v i o l a t i o n w i l l r e s u l t in an except ion being thrown .
124 ∗/
125 def v e r i f y ( ) {
126 i f ( runAna )
127 p r i n t l n ( " ! P R O G : a s s e r t E v e n t : "+
128 mu. get (A)+" : "+mu. get (B)+" : "+mu. get (S)+" : "+mu. get (STOP)+" :! " )
129 i f ( runLTL | | runStM) nu . v e r i f y (TC. Event (mu. get (A) , mu. get (B) , mu. get (S ) ) )
130 i f ( runITM) mu . ! !
131 numOfStates = numOfStates + 1
132 }
133
134 /∗
135 ∗ I n i t i a l i s e the monitored s t a t e v a r i a b l e s .
136 ∗ This i s not an a s s e r t i o n point .
137 ∗/
138 mu. s e t (STOP, fa l se ) . s e t (A, fa l se ) . s e t (B, fa l se ) . s e t (S , fa l se )
139
140 /∗
141 ∗ The ITM monitor mu r a i s e s an except ion i f v i o l a t i o n i s encountered .
142 ∗ This r ep r e s en t s a react−at−runtime behaviour . The a l t e r n a t i v e
143 ∗ behaviour i s p laced with in the corresponding catch block .
144 ∗/
145 try {
146 for ( i <− 1 to aCycles ) { // Simulate t h i s many A cy c l e s
147
210 Appendix B: Practical examples
148 v e r i f y ( )
149
150 i f (mu. get (S ) ) // A has been lowered ( at s t a r t
151 mu. s e t (S , fa l se ) // o f cy c l e ) − ensure S i s low
152
153 for ( j <− 1 to aStaysLow ) // Generate s t a t e s f o r ana l y s i s
154 v e r i f y ( ) // whi le A remains low
155
156 mu. s e t (A, true ) // A i s now ra i s ed
157
158 while (mu. get (A) ) { // While A i s r a i s e d . . .
159
160 v e r i f y ( ) // Asse r t i on point
161
162 i f ( bFl ips ) // Randomly , B may f l i p
163 mu. s e t (B , !mu. get (B) ) . s e t (S , true ) // I f so , r a i s e S
164 else
165 mu. s e t (S , fa l se ) // I f not , lower S
166
167 i f ( i==errorOn ) // The s imula t i on a l l ows f o r a
168 mu. s e t (B , !mu. get (B) ) // d e l i b e r a t e e r r o r to occur
169 // at the i−th i t e r a t i o n
170
171 i f ( aIsLowered ) // Randomly , A may be lowered
172 mu. s e t (A, fa l se )
173
174 }// whi le
175 }// for−i
176
177 i f ( !mu. get (S ) ) // Ensure that the s imu la t i on
178 mu. s e t (B , !mu. get (B) ) . s e t (S , true ) // ends with a B−t r a n s i t i o n
179
180 mu. s e t (STOP, true ) // Set STOP in the f i n a l s t a t e
181 v e r i f y ( )
182
183 } catch {
184 case e : RTM. RTVException =>
185 p r i n t l n ( e ) // ITM detected a v i o l a t i o n
186 p r i n t l n ( " R e a c t at R u n t i m e ... " ) // A l t e rna t i v e ac t i on goes here
187
188 } f ina l ly {
189 p r i n t l n (mu. getReply ) // Pr int f i n a l ITM judgement .
190 nu . end ( ) // nu p r i n t s f i n a l summary by
191 mu. stop // de f au l t . Close both monitors
192 }
193 numOfStates // Return the sumulation length
194 }// runSimulat ion
195
196 /∗
197 ∗ The main program ana ly se s the command l i n e arguments to determine
198 ∗ how to c a l l run the s imula t i on . I f the s imula t i on type ( args ( 1 ) )
199 ∗ conta ins ’ a ’ then the s imu la t ion w i l l be repeated ten times and an
200 ∗ average t iming ana l y s i s pr inted . Otherwise the s imu lat i on runs once .
201 ∗ AnaTempura i s only run once so the i n c l u s i o n o f f l a g ’ t ’ suppre s s e s
202 ∗ f l a g ’ a ’ .
203 ∗/
204 def main ( args : Array [ S t r ing ] ) {
205 // args (0 ) Number o f A cy c l e s to run the s imu lat i on
206 // args (1 ) A s t r i n g i=ITM l=LTL s=StM t=AnaTempura ( a=run averages )
207 // args (2 ) A s t r i n g : ”on” means p r i n t i ng i s on ( anything e l s e i s ” o f f ”)
208 // args (3 ) A number i nd i c a t i n g which A−cy c l e to int roduce an e r r o r
209 val aCycles : Int = args ( 0 ) . t o In t
210 val runITM : Boolean = ( args . l ength > 1) && args ( 1 ) . conta ins ( ’ i ’ )
211 val runLTL : Boolean = ( args . l ength > 1) && args ( 1 ) . conta ins ( ’ l ’ )
212 val runStM : Boolean = ( args . l ength > 1) && args ( 1 ) . conta ins ( ’ s ’ )
213 val runAna : Boolean = ( args . l ength > 1) && args ( 1 ) . conta ins ( ’ t ’ )
214 val average : Boolean = ! runAna &&
215 ( args . l ength > 1) && args ( 1 ) . conta ins ( ’ a ’ )
216 val printOn : Boolean = ( args . l ength > 2) && args (2)==" on "
217 val errorOn : Int = i f ( args . l ength > 3) args ( 3 ) . t o In t else 0
218
219 as = ActorSystem ( " L a t c h A c t o r S y s t e m " )
220
221 i f ( average ) {
B.2 Latch example 211
222 var t imes : L i s t [ Long ] = L i s t ( )
223 var s t a t e s : L i s t [ Int ] = L i s t ( )
224 val N = 10 // Run N exper iments
225 (1 to N) fo r each { i =>
226 val t0 : Long = java . lang . System . nanoTime ( )
227 val s = runSimulat ion ( i , aCycles ,
228 runITM , runLTL , runStM , runAna , printOn , errorOn )
229 val t1 : Long = java . lang . System . nanoTime ( )
230 t imes = ( t1 − t0 ) : : t imes
231 s t a t e s = s : : s t a t e s
232 }
233 val min : Double = t imes . min . toDouble /1000000000
234 val max : Double = t imes .max . toDouble /1000000000
235 val avg : Double = t imes . sum . toDouble/N/1000000000
236 val avs : Double = s t a t e s . sum . toDouble /N
237 pr in t ( f " A - c y c l e s : $ a C y c l e s , sim : $ { a r g s (1)} , " )
238 p r i n t l n ( f " T i m e s : min : $ m i n%6.3 f , max : $ m a x%6.3 f , " )
239 p r i n t l n ( f " avg : $ a v g%6.3 f , avg : $ a v g%6.3 f , avs : $ { M a t h . r o u n d ( avs )} " )
240 }
241 else // run once
242 runSimulat ion (1 , aCycles , runITM , runLTL , runStM , runAna , printOn , errorOn )
243
244 as . terminate // Close down the actor system
245 }
246 }
B.2.1 Latch example - derived formula
In Section 6.2.1 the following ITL formula was presented.
(empty ∧ ¬ A ∧ ¬ B ∧ ¬ S ) ; Initial state
( halt(STOP) Termination condition
∧ ( (B <∼ ¬ B) ∧ (skip ; halt(S )) )∗ (1)∗
∧ ( (halt(A) ∧ stable(B)) ; (halt(¬ A)) )∗ (2)∗
)
From this specification, four requirements and one further derivation were calculated. The
analysis is presented below.
Firstly consider formula (1). B <∼ ¬ B is equivalent to keep(©(B) ≡ B) ; (skip ∧ (©(B) 6≡
B)) and skip ; halt(S ) is equivalent to keep(©(¬ S )) ; (skip ∧ ©(S )). Thus:
(B <∼ ¬ B) ∧ (skip ; halt(S )) from (1)
≡ ( keep(©(B) ≡ B) ; (skip ∧ (©(B) 6≡ B)) ) ∧ ( keep(©(¬ S )) ; (skip ∧ ©(S )) )
≡ ( keep((©(B) ≡ B) ∧ ©(¬ S )) ) ; ( skip ∧ (©(B) 6≡ B) ∧ ©(S ) )
RFixedAndDistr (C .152)
⊃ ( keep((©(B) ≡ B) ≡ ©(¬ S )) ) ; ( skip ∧ (©(B) 6≡ B) ≡ ©(S ) ) logic
≡ ( keep((©(B) ≡ B) 6≡ ©(S )) ) ; ( skip ∧ (©(B) 6≡ B) ≡ ©(S ) ) logic
≡ keep( (©(B) 6≡ B) ≡ ©(S ) ) logic, ITL (keep) (3)
212 Appendix B: Practical examples
Secondly, consider formula (2).
(halt(A) ∧ stable(B)) ; halt(¬ A) from (2)
≡ keep((¬ A ∧ ©¬ A) ∧ (B = ©B)) ; (skip ∧ ¬ A ∧ ©(A) ∧ ©(B)) ; keep(A) ITL (4)
Then
(4) ⊃ keep((¬ A ∧ ©(¬ A) ⊃ (B = ©(B))) (5)
and
(4) ⊃ keep((¬ A ∧ ©(A) ⊃ (B = ©B)) (6)
Finally, the four requirements can be presented in ITL.
R1 : keep( (©(B) ≡ B) ⊃ ©(¬ S ) ) from (3)
R2 : keep( (©(B) 6≡ B) ⊃ ©(S ) ) from (3), contrapositive
R3 : keep((¬ A ∧ ©(¬ A) ⊃ (B = ©(B))) from (5)
R4 : keep((¬ A ∧ ©(A) ⊃ (B = ©B)) from (6)
D5 : keep((¬ A ∧ ©(¬ A) ⊃ ©(¬ S )) from R3 and R1, transitivity
B.3 Checkout example - experiments
The results of running each of the checkout experiments (6.3.3) are listed below. The runs
generate a large volume of output, so only the concluding lines, containing the statistical
data, are included for each run.
B.3.1 Experiment 1
Experiment 1 R1-R5, ITM only, one monitor, 100 intervals
runMain demo.marvin.Simulation 100 1 10
******** LOG FST STATES: AVG(80), TOT(40344), MIN(1), MAX(131)
=======> Monitor T_1 completes with success. 8009 states, 100 custs, in 6.376 sec.
=======> Customers[100], Items[1 x 10 = 10], Terminals(1)
runMain demo.marvin.Simulation 100 1 10
******** LOG FST STATES: AVG(76), TOT(38554), MIN(1), MAX(139)
=======> Monitor T_1 completes with success. 7671 states, 100 custs, in 5.189 sec.
=======> Customers[100], Items[1 x 10 = 10], Terminals(1)
runMain demo.marvin.Simulation 100 1 10
******** LOG FST STATES: AVG(79), TOT(40195), MIN(1), MAX(136)
=======> Monitor T_1 completes with success. 7938 states, 100 custs, in 5.064 sec.
B.3 Checkout example - experiments 213
=======> Customers[100], Items[1 x 10 = 10], Terminals(1)
runMain demo.marvin.Simulation 100 1 10
******** LOG FST STATES: AVG(80), TOT(40606), MIN(1), MAX(121)
=======> Monitor T_1 completes with success. 8033 states, 100 custs, in 5.751 sec.
=======> Customers[100], Items[1 x 10 = 10], Terminals(1)
runMain demo.marvin.Simulation 100 1 10
******** LOG FST STATES: AVG(82), TOT(41598), MIN(1), MAX(146)
=======> Monitor T_1 completes with success. 8251 states, 100 custs, in 6.378 sec.
=======> Customers[100], Items[1 x 10 = 10], Terminals(1)
runMain demo.marvin.Simulation 100 5 10
******** LOG FST STATES: AVG(206), TOT(104911), MIN(1), MAX(479)
=======> Monitor T_1 completes with success. 20963 states, 100 custs, in 36.151 sec.
=======> Customers[100], Items[5 x 10 = 50], Terminals(1)
runMain demo.marvin.Simulation 100 5 10
******** LOG FST STATES: AVG(233), TOT(118185), MIN(1), MAX(485)
=======> Monitor T_1 completes with success. 23655 states, 100 custs, in 20.313 sec.
=======> Customers[100], Items[5 x 10 = 50], Terminals(1)
runMain demo.marvin.Simulation 100 5 10
******** LOG FST STATES: AVG(229), TOT(116130), MIN(1), MAX(468)
=======> Monitor T_1 completes with success. 23135 states, 100 custs, in 28.982 sec.
=======> Customers[100], Items[5 x 10 = 50], Terminals(1)
runMain demo.marvin.Simulation 100 5 10
******** LOG FST STATES: AVG(233), TOT(117976), MIN(1), MAX(474)
=======> Monitor T_1 completes with success. 23565 states, 100 custs, in 18.660 sec.
=======> Customers[100], Items[5 x 10 = 50], Terminals(1)
runMain demo.marvin.Simulation 100 5 10
******** LOG FST STATES: AVG(211), TOT(106984), MIN(1), MAX(476)
=======> Monitor T_1 completes with success. 21398 states, 100 custs, in 20.352 sec.
=======> Customers[100], Items[5 x 10 = 50], Terminals(1)
runMain demo.marvin.Simulation 100 10 10
******** LOG FST STATES: AVG(321), TOT(163026), MIN(1), MAX(900)
=======> Monitor T_1 completes with success. 32651 states, 100 custs, in 26.267 sec.
=======> Customers[100], Items[10 x 10 = 100], Terminals(1)
runMain demo.marvin.Simulation 100 10 10
214 Appendix B: Practical examples
******** LOG FST STATES: AVG(261), TOT(132332), MIN(1), MAX(879)
=======> Monitor T_1 completes with success. 26427 states, 100 custs, in 19.728 sec.
=======> Customers[100], Items[10 x 10 = 100], Terminals(1)
runMain demo.marvin.Simulation 100 10 10
******** LOG FST STATES: AVG(268), TOT(135805), MIN(1), MAX(854)
=======> Monitor T_1 completes with success. 27148 states, 100 custs, in 19.856 sec.
=======> Customers[100], Items[10 x 10 = 100], Terminals(1)
runMain demo.marvin.Simulation 100 10 10
******** LOG FST STATES: AVG(312), TOT(158715), MIN(1), MAX(892)
=======> Monitor T_1 completes with success. 31672 states, 100 custs, in 25.150 sec.
=======> Customers[100], Items[10 x 10 = 100], Terminals(1)
runMain demo.marvin.Simulation 100 10 10
******** LOG FST STATES: AVG(285), TOT(144695), MIN(1), MAX(889)
=======> Monitor T_1 completes with success. 28906 states, 100 custs, in 23.289 sec.
=======> Customers[100], Items[10 x 10 = 100], Terminals(1)
runMain demo.marvin.Simulation 100 20 10
******** LOG FST STATES: AVG(327), TOT(166220), MIN(1), MAX(1655)
=======> Monitor T_1 completes with success. 33155 states, 100 custs, in 24.453 sec.
=======> Customers[100], Items[20 x 10 = 200], Terminals(1)
runMain demo.marvin.Simulation 100 20 10
******** LOG FST STATES: AVG(314), TOT(159699), MIN(1), MAX(1673)
=======> Monitor T_1 completes with success. 31916 states, 100 custs, in 28.308 sec.
=======> Customers[100], Items[20 x 10 = 200], Terminals(1)
runMain demo.marvin.Simulation 100 20 10
******** LOG FST STATES: AVG(339), TOT(172323), MIN(1), MAX(1492)
=======> Monitor T_1 completes with success. 34595 states, 100 custs, in 29.392 sec.
=======> Customers[100], Items[20 x 10 = 200], Terminals(1)
runMain demo.marvin.Simulation 100 20 10
******** LOG FST STATES: AVG(323), TOT(164205), MIN(1), MAX(1553)
=======> Monitor T_1 completes with success. 32798 states, 100 custs, in 27.699 sec.
=======> Customers[100], Items[20 x 10 = 200], Terminals(1)
runMain demo.marvin.Simulation 100 20 10
******** LOG FST STATES: AVG(342), TOT(173893), MIN(1), MAX(1644)
=======> Monitor T_1 completes with success. 34772 states, 100 custs, in 31.943 sec.
=======> Customers[100], Items[20 x 10 = 200], Terminals(1)
B.3 Checkout example - experiments 215
B.3.2 Experiment 2
Experiment 2 true, ITM only, one monitor, 100 intervals
runMain demo.marvin.Simulation 100 1 10
ByCust(always(always(eventually(empty)))) // n^3
******** LOG FST STATES: AVG(77), TOT(7896), MIN(1), MAX(121)
=======> Monitor T_1 completes with success. 7795 states, 100 custs, in 2.298 sec.
=======> Customers[100], Items[1 x 10 = 10], Terminals(1)
runMain demo.marvin.Simulation 100 4 10
ByCust(always(always(eventually(empty)))) // n^3
******** LOG FST STATES: AVG(208), TOT(21266), MIN(1), MAX(383)
=======> Monitor T_1 completes with success. 21165 states, 100 custs, in 6.118 sec.
=======> Customers[100], Items[4 x 10 = 40], Terminals(1)
runMain demo.marvin.Simulation 100 7 10
ByCust(always(always(eventually(empty)))) // n^3
******** LOG FST STATES: AVG(243), TOT(24804), MIN(1), MAX(628)
=======> Monitor T_1 completes with success. 24703 states, 100 custs, in 8.565 sec.
=======> Customers[100], Items[7 x 10 = 70], Terminals(1)
runMain demo.marvin.Simulation 100 10 10
ByCust(always(always(eventually(empty)))) // n^3
******** LOG FST STATES: AVG(286), TOT(29139), MIN(1), MAX(872)
=======> Monitor T_1 completes with success. 29038 states, 100 custs, in 9.795 sec.
=======> Customers[100], Items[10 x 10 = 100], Terminals(1)
runMain demo.marvin.Simulation 100 100 10
******** LOG FST STATES: AVG(373), TOT(38014), MIN(1), MAX(1758)
=======> Monitor T_1 completes with success. 37913 states, 100 custs, in 12.844 sec.
=======> Customers[100], Items[100 x 10 = 1000], Terminals(1)
runMain demo.marvin.Simulation 100 1 10
ByCust(always(always(always(eventually(empty))))) // n^4
******** LOG FST STATES: AVG(84), TOT(8604), MIN(1), MAX(132)
=======> Monitor T_1 completes with success. 8503 states, 100 custs, in 7.051 sec.
=======> Customers[100], Items[1 x 10 = 10], Terminals(1)
runMain demo.marvin.Simulation 100 4 10
ByCust(always(always(always(eventually(empty))))) // n^4
******** LOG FST STATES: AVG(203), TOT(20729), MIN(1), MAX(379)
=======> Monitor T_1 completes with success. 20628 states, 100 custs, in 78.349 sec.
=======> Customers[100], Items[4 x 10 = 40], Terminals(1)
216 Appendix B: Practical examples
runMain demo.marvin.Simulation 100 7 10
ByCust(always(always(always(eventually(empty))))) // n^4
******** LOG FST STATES: AVG(237), TOT(24126), MIN(1), MAX(610)
=======> Monitor T_1 completes with success. 24025 states, 100 custs, in 200.102 sec.
=======> Customers[100], Items[7 x 10 = 70], Terminals(1)
runMain demo.marvin.Simulation 100 10 10
ByCust(always(always(always(eventually(empty))))) // n^4
******** LOG FST STATES: AVG(280), TOT(28562), MIN(1), MAX(824)
=======> Monitor T_1 completes with success. 28461 states, 100 custs, in 367.922 sec.
=======> Customers[100], Items[10 x 10 = 100], Terminals(1)
B.3.3 Experiment 3
Experiment 3 R1-R5, ITM only, one monitor, 1000 intervals
runMain demo.marvin.Simulation 1000 1 10
******** LOG FST STATES: AVG(81), TOT(403722), MIN(1), MAX(162)
=======> Monitor T_1 completes with success. 79949 states, 1000 custs, in 41.575 sec.
=======> Customers[1000], Items[1 x 10 = 10], Terminals(1)
runMain demo.marvin.Simulation 2000 1 10
******** LOG FST STATES: AVG(81), TOT(807671), MIN(1), MAX(157)
=======> Monitor T_1 completes with success. 159838 states, 2000 custs, in 80.466 sec.
=======> Customers[2000], Items[1 x 10 = 10], Terminals(1)
runMain demo.marvin.Simulation 3000 1 10
******** LOG FST STATES: AVG(80), TOT(1205241), MIN(1), MAX(154)
=======> Monitor T_1 completes with success. 238610 states, 3000 custs, in 112.501 sec.
=======> Customers[3000], Items[1 x 10 = 10], Terminals(1)
runMain demo.marvin.Simulation 12000 1 10
******** LOG FST STATES: AVG(81), TOT(4827361), MIN(1), MAX(176)
=======> Monitor T_1 completes with success. 955706 states, 12000 custs, in 468.546 sec.
=======> Customers[12000], Items[1 x 10 = 10], Terminals(1)
Appendix C
List of laws
All of the laws relating to ITL and ITL-Monitor along with their mechanically checked proofs in
Isabelle/HOL appear in [CMS19]. Please refer to page vii for information on how to download
a copy of that report.
This appendix contains a list of the laws used in this thesis. The laws are annotated as
follows:
[CAU] Law from Antonio Cau.
[DRS] An existing ITL law (from Cau or Moszkowski) for which a proof was constructed as
part of this thesis, or an original law developed as part of this thesis.
[ITL] Law from [CM16].
[MOS] Law from Ben Moszkowski.
C.1 First order ITL
C.1.1 ITL definitions, derived constructs, axioms and rules
C.1.1.1 Semantic exists
SemanticExists [DRS ]
F [[∃ v • f ]](σ) = tt iff existsσ′ s.t. σ ∼v σ′, F [[f ]](σ′) = tt (C.1)
218 Appendix C: List of laws
C.1.1.2 Frequently-used non-temporal derived constructs
FalseDef [ITL]
false =̂ ¬ true (C.2)
OrDef [ITL]
f1 ∨ f2 =̂ ¬ (¬ f1 ∧ ¬ f2) (C.3)
ImpDef [ITL]
f1 ⊃ f2 =̂ ¬ f1 ∨ f2 (C.4)
EqvDef [ITL]
f1 ≡ f2 =̂ (f1 ⊃ f2) ∧ (f2 ⊃ f1) (C.5)
ExistsDef [ITL]
∃ v • f =̂ ¬ ∀ v • ¬ f (C.6)
C.1.1.3 Frequently-used temporal derived constructs
StrongNextDef [ITL]
©f =̂ skip ; f (C.7)
C.1 First order ITL 219
MoreDef [ITL]
more =̂ © true (C.8)
EmptyDef [ITL]
empty =̂ ¬ more (C.9)
DiamondDef [ITL]
3f =̂ true ; f (C.10)
BoxDef [ITL]
2f =̂ ¬ 3¬ f (C.11)
WeakNextDef [ITL]
©w f =̂ ¬ ©¬ f (C.12)
DiDef [ITL]
3i f =̂ f ; true (C.13)
BiDef [ITL]
2i f =̂ ¬ 3i ¬ f (C.14)
220 Appendix C: List of laws
DaDef [ITL]
3a f =̂ true ; f ; true (C.15)
BaDef [ITL]
2a f =̂ ¬ 3a ¬ f (C.16)
C.1.1.4 Frequently-used concrete derived constructs
IfThenElseDef [ITL]
if f0 then f1 else f2 =̂ (f0 ∧ f1) ∨ (¬ f0 ∧ f2) (C.17)
IfThenDef [ITL]
if f0 then f1 =̂ if f0 then f1 else empty (C.18)
FinDef [ITL]
fin f =̂ 2(empty ⊃ f ) (C.19)
HaltDef [ITL]
halt f =̂ 2(empty ≡ f ) (C.20)
KeepDef [ITL]
keep f =̂ 2a (skip ⊃ f ) (C.21)
C.1 First order ITL 221
KeepNowDef [ITL]
keepnow f =̂ 3i (skip ∧ f ) (C.22)
IterZeroDef [ITL]
f 0 =̂ empty (C.23)
IterDef [ITL]
f n+1 =̂ f ; f n , [n ≥ 0] (C.24)
ForDef [ITL]
for n do f =̂ f n (C.25)
WhileDef [ITL]
while f0 do f1 =̂ (f0 ∧ f1)∗ ∧ fin(¬ f0) (C.26)
RepeatDef [ITL]
repeat f0 until f1 =̂ f0 ; while(¬ f1) do f0 (C.27)
C.1.1.5 Frequently-used derived constructs relating to expressions
AssignDef [ITL]
A := e =̂ (©A) = e (C.28)
222 Appendix C: List of laws
TemporalEqualityDef [ITL]
A ≈ e =̂ 2(A = e) (C.29)
TemporalAssignDef [ITL]
A← e =̂ fin A = e (C.30)
GetsDef [ITL]
A gets e =̂ keep(A← e) (C.31)
StableDef [ITL]
stable A =̂ A gets A (C.32)
PaddedDef [ITL]
padded A =̂ (stable A ; skip) ∨ empty (C.33)
PaddedTemporalAssignDef [ITL]
A<∼ e =̂ (A← e) ∧ padded A (C.34)
LenDef [ITL]
len(n) =̂ skipn (C.35)
C.1 First order ITL 223
C.1.1.6 Propositional axioms and rules for ITL
ChopAssoc [ITL]
` (f0 ; f1) ; f2 ≡ f0 ; (f1 ; f2) (C.36)
OrChopImp [ITL]
` (f0 ∨ f1) ; f2 ⊃ (f0 ; f2) ∨ (f1 ; f2) (C.37)
ChopOrImp [ITL]
` f0 ; (f1 ∨ f2) ⊃ (f0 ; f1) ∨ (f0 ; f2) (C.38)
EmptyChop [ITL]
` empty ; f ≡ f (C.39)
ChopEmpty [ITL]
` f ; empty ≡ f (C.40)
BiBoxChopImpChop [ITL]
` (2i (f0 ⊃ f1) ∧ 2(f2 ⊃ f3)) ⊃ ((f0 ; f2) ⊃ (f1 ; f3)) (C.41)
StateImpBi [ITL]
` w ⊃ 2i w (C.42)
224 Appendix C: List of laws
NextImpNotNextNot [ITL]
` ©f ⊃ ¬ ©¬ f (C.43)
KeepnowImpNotKeepnowNot [ITL]
` keepnow(f ) ⊃ ¬ keepnow(¬ f ) (C.44)
BoxInduct [ITL]
` f ∧ 2(f ⊃ ©w f ) ⊃ 2f (C.45)
ChopStarEqv [ITL]
` f ∗ ≡ (empty ∨ ((f ∧ more) ; f ∗)) (C.46)
MP [ITL]
` f0 ⊃ f1, ` f0
` f1
(C.47)
BoxGen [ITL]
` f
` 2f
(C.48)
BiGen [ITL]
` f
` 2i f
(C.49)
C.1 First order ITL 225
C.1.1.7 First order axioms and rules for ITL
ExistsChopRight [ITL]
(∃ v • (f1 ; f2)) ⊃ (∃ v • f1) ; f2 [where v not free in f2] (C.50)
ExistsChopLeft [ITL]
(∃ v • (f1 ; f2)) ⊃ f1 ; (∃ v • f2) [where v not free in f1] (C.51)
ForallGen [ITL]
` f
` ∀ v • f [for any variable v ] (C.52)
C.1.2 Time reversal
C.1.2.1 Time reversal definitions and laws
ReflectionRule [MOS ]
|= f iff |= f r (C.53)
TRTrue [MOS ]
` truer ≡ true (C.54)
TRSkip [MOS ]
` skipr ≡ skip (C.55)
226 Appendix C: List of laws
TRState [MOS ]
` w r ≡ fin w (C.56)
TRNot [MOS ]
` (¬ f )r ≡ ¬ f r (C.57)
TROr [MOS ]
` (f ∨ g)r ≡ f r ∨ gr (C.58)
TRChop [MOS ]
` (f ; g)r ≡ gr ; f r (C.59)
TRChopstar [MOS ]
` (f ∗)r ≡ (f r )∗ (C.60)
TRAnd [DRS ]
` (f ∧ g)r ≡ f r ∧ gr (C.61)
TRImp [DRS ]
` (f ⊃ g)r ≡ f r ⊃ gr (C.62)
C.1 First order ITL 227
TREqv [DRS ]
` (f ≡ g)r ≡ (f r ≡ gr ) (C.63)
TRMore [MOS ]
` morer ≡ more (C.64)
TREmpty [DRS ]
` emptyr ≡ empty (C.65)
TRDi [DRS ]
` (3i f )r ≡ 3f r (C.66)
TRBi [MOS ]
` (2i f )r ≡ 2f r (C.67)
TRDiamond [DRS ]
` (3f )r ≡ 3i f r (C.68)
TRBox [DRS ]
` (2f )r ≡ 2i f r (C.69)
228 Appendix C: List of laws
C.1.3 Definitions and laws related to exportable commitments
BmDef [MOS ]
2m f =̂ 2(more ⊃ f ) (C.70)
DmDef [MOS ]
3m f =̂ ¬ 2m ¬ f (C.71)
BaEqvBmAndFin [MOS ]
` 2a f ≡ 2m f ∧ fin f (C.72)
BmDiFixCS [MOS ]
` 2m 3i f ≡ (2m 3i f )∗ (C.73)
FixDiInfBmDIFixCS [MOS ]
DI ≡ 3i DI ` 2m DI ≡ (2m DI )∗ (C.74)
FixDaInfBmDAFixCS [MOS ]
DA ≡ 3a DA ` 2m DA ≡ (2m DA)∗ (C.75)
StateImpDiamondStateFixDi [MOS ]
` (w ⊃ 3w ′) ≡ 3i (w ⊃ 3w ′) (C.76)
C.1 First order ITL 229
BmStateImpDiamondStateFixCS [MOS ]
` 2m (w ⊃ 3w ′) ≡ (2m (w ⊃ 3w ′))∗ (C.77)
StateImpDAFixDi [MOS ]
DA ≡ 3a DA ` (w ⊃ DA) ≡ 3i (w ⊃ DA) (C.78)
BmStateImpDAFixCS [MOS ]
DA ≡ 3a DA ` 2m (w ⊃ DA) ≡ (2m (w ⊃ DA))∗ (C.79)
C.1.4 Always-followed-by
AfbDef [ITL]
f 7→ w =̂ 2a (f ⊃ fin w) (C.80)
SafbDef [ITL]
f ↔ w =̂ 2a (f ≡ fin w) (C.81)
AltAfbDef [ITL]
f 7→ w =̂ 2a (f ⊃ fin w) (C.82)
AltSafbDef [ITL]
f ↔ w =̂ 2a (f ≡ fin w) (C.83)
230 Appendix C: List of laws
C.1.5 Commonly used ITL laws
C.1.5.1 Box, Diamond, Now
NowImpDiamond [MOS ]
` f ⊃ 3f (C.84)
BoxImpNow [DRS ]
` 2f ⊃ f (C.85)
C.1.5.2 State, skip, true, false, empty, more with chop
StateAndChop [MOS ]
` (w ∧ f ) ; g ≡ w ∧ (f ; g) (C.86)
MoreEqvTrueChopSkip [DRS ]
` more ≡ true ; skip (C.87)
SkipTrueEqvTrueSkip [DRS ]
` skip ; true ≡ true ; skip (C.88)
BiChopImpChop [MOS ]
` 2i (f ⊃ f ′) ⊃ ((f ; g) ⊃ (f ′ ; g)) (C.89)
C.1 First order ITL 231
BoxChopImpChop [MOS ]
` 2(g ⊃ g ′) ⊃ ((f ; g) ⊃ (f ; g ′)) (C.90)
DiIntro [MOS ]
` f ⊃ 3i f (C.91)
BiElim [MOS ]
` 2i f ⊃ f (C.92)
StateEqvBi [MOS ]
` 2i w ≡ w (C.93)
TrueEqvTrueChopTrue [MOS ]
` true ≡ true ; true (C.94)
MoreEqvSkipChopTrue [MOS ]
` more ≡ skip ; true (C.95)
MoreEqvNotEmpty [CAU ]
` more ≡ ¬ empty (C.96)
232 Appendix C: List of laws
MoreEqvMoreChopTrue [CAU ]
` more ≡ more ; true (C.97)
ChopFalseEqvFalse [DRS ]
` f ; false ≡ false (C.98)
FalseChopEqvFalse [DRS ]
` false ; f ≡ false (C.99)
BoxImpFinImpDiamondImpFin [DRS ]
2(f ⊃ fin w) ⊃ (3f ⊃ fin w) (C.100)
C.1.5.3 Implication and equivalence through chop
LeftChopImpChop [MOS ]
` f ⊃ f ′ ⇒ ` (f ; g) ⊃ (f ′ ; g) (C.101)
RightChopImpChop [MOS ]
` g ⊃ g ′ ⇒ ` (f ; g) ⊃ (f ; g ′) (C.102)
LeftChopEqvChop [DRS ]
` f ≡ f ′ ⇒ ` (f ; g) ≡ (f ′ ; g) (C.103)
C.1 First order ITL 233
RightChopEqvChop [MOS ]
` g ≡ g ′ ⇒ ` (f ; g) ≡ (f ; g ′) (C.104)
LeftAndChopImp [DRS ]
` (f ∧ f ′) ; g ⊃ f ; g ∧ f ′ ; g (C.105)
RightAndChopImp [DRS ]
` f ; (g ∧ g ′) ⊃ f ; g ∧ f ; g ′ (C.106)
ChopOrEqv [MOS ]
` f ; (g ∨ g ′) ≡ f ; g ∨ f ; g ′ (C.107)
OrChopEqv [MOS ]
` (f ∨ f ′) ; g ≡ f ; g ∨ f ′ ; g (C.108)
C.1.5.4 Initial intervals
DiImpDi [MOS ]
` f ⊃ g ⇒ ` 3i f ⊃ 3i g (C.109)
DiEqvDi [MOS ]
` f ⊃ g ⇒ ` 3i f ⊃ 3i g (C.110)
234 Appendix C: List of laws
BiImpBiRule [MOS ]
` f ⊃ g ⇒ ` 2i f ⊃ 2i g (C.111)
DiState [MOS ]
` 3i w ≡ w (C.112)
DiNotEqvNotBi [MOS ]
` 3i ¬ f ≡ ¬ 2i f (C.113)
NotDiEqvBiNot [MOS ]
` ¬ 3i f ≡ 2i ¬ f (C.114)
DiEqvNotBiNot [MOS ]
` 3i f ≡ ¬ 2i ¬ f (C.115)
ChopImpDi [MOS ]
` f ; g ⊃ 3i f (C.116)
DiEqvDiDi [MOS ]
` 3i f ≡ 3i 3i f (C.117)
C.1 First order ITL 235
BiEqvBiBi [MOS ]
` 2i f ≡ 2i 2i f (C.118)
DiEmpty [MOS ]
` 3i empty (C.119)
NotBiMore [DRS ]
` ¬ 2i more (C.120)
DiOrEqv [MOS ]
` 3i (f ∨ g) ≡ 3i f ∨ 3i g (C.121)
BiAndEqv [DRS ]
` 2i (f ∧ g) ≡ 2i f ∧ 2i g (C.122)
AndChopA [MOS ]
` (f ∧ f ′) ; g ⊃ f ; g (C.123)
DiAndImpAnd [MOS ]
` 3i (f ∧ g) ⊃ 3i f ∧ 3i g (C.124)
236 Appendix C: List of laws
BoxStateEqvBiFinState [DRS ]
` 2w ≡ 2i (fin w) (C.125)
DiamondStateEqvDiFinState [DRS ]
` 3w ≡ 3i (fin w) (C.126)
C.1.5.5 Induction
EmptyNextInductA [MOS ]
` empty ⊃ f , ` ©f ⊃ f ⇒ ` f (C.127)
EmptyChopSkipInduct [DRS ]
` empty ⊃ f , ` (f ; skip) ⊃ f ⇒ ` f (C.128)
C.1.5.6 Chop and negation
NotSkipNotChop [DRS ]
` ¬ (skip ; ¬ g) ≡ empty ∨ (skip ; g) (C.129)
NotNotChopSkip [CAU ]
` ¬ (¬ f ; skip) ≡ empty ∨ (f ; skip) (C.130)
C.1 First order ITL 237
ChopAndNotChopImp [MOS ]
` f ; g ∧ ¬ (f ; h) ⊃ f ; (g ∧ ¬ h) (C.131)
RightChopAndNot [CAU ]
` f ; g ∧ ¬ (h ; g) ⊃ (f ∧ ¬ h) ; g (C.132)
ChopAndNotNotChop [CAU ]
` f ; h ∧ ¬ (¬ g ; h) ⊃ (f ∧ g) ; true (C.133)
SkipNotEmptyOrMoreMore [CAU ]
` skip ≡ ¬ (empty ∨ more ; more) (C.134)
C.1.5.7 Strong and weak next
NextEqvMoreAndWeakNext [MOS ]
` ©f ≡ more ∧ ©w f (C.135)
NotWeakNextNotEqvNext [DRS ]
` ¬ ©w ¬ f ≡ ©f (C.136)
WeakNextEqvMoreImpStrongNext [DRS ]
` ©w f ≡ more ⊃ ©f (C.137)
238 Appendix C: List of laws
C.1.5.8 Existential quantifcation through chop
ExistsChopLeftEqv [DRS ]
` (∃ v • (f1 ; f2)) ≡ f1 ; (∃ v • f2) [where v not free in f1] (C.138)
C.1.5.9 Chop with empty and more
ChopEmptyAndEmpty [DRS ]
` f ; g ∧ empty ≡ f ∧ g ∧ empty (C.139)
ChopSkipAndEmptyEqvFalse [DRS ]
` f ; skip ∧ empty ≡ false (C.140)
ChopSkipImpMore [DRS ]
` (f ; skip) ⊃ more (C.141)
MoreImpImpChopSkipEqv [DRS ]
` more ⊃ ((f ⊃ g) ; skip ≡ ((f ; skip) ⊃ (g ; skip))) (C.142)
C.1 First order ITL 239
C.1.6 Fixed length intervals
C.1.6.1 Properties of interval length
LenZeroEqvEmpty [DRS ]
` len(0) ≡ empty (C.143)
LenOneEqvSkip [DRS ]
` len(1) ≡ skip (C.144)
LenNPlusOneA [DRS ]
` len(n + 1) ≡ skip ; len(n) (C.145)
LenEqvLenChopLen [DRS ]
` len(i + j ) ≡ len(i) ; len(j ) (C.146)
LenNPlusOneB [DRS ]
` len(n + 1) ≡ len(n) ; skip (C.147)
ExistsLen [DRS ]
` ∃ k • len(k) (C.148)
240 Appendix C: List of laws
AndExistsLen [DRS ]
` f ≡ f ∧ ∃ k • len(k) (C.149)
LenIffModSig [DRS ]
F [[len(k)]](σ) = tt iff |σ| = k (C.150)
LFixedAndDistr [DRS ]
` (f ∧ len(k)) ; p ∧ (g ∧ len(k)) ; q ≡ (f ∧ g ∧ len(k)) ; (p ∧ q) (C.151)
RFixedAndDistr [DRS ]
` p ; (f ∧ len(k)) ∧ q ; (g ∧ len(k)) ≡ (p ∧ q) ; (f ∧ g ∧ len(k)) (C.152)
LFixedAndDistrA [DRS ]
` (f ∧ len(k)) ; p ∧ (g ∧ len(k)) ; p ≡ (f ∧ g ∧ len(k)) ; p (C.153)
LFixedAndDistrB [DRS ]
` (f ∧ len(k)) ; p ∧ (f ∧ len(k)) ; q ≡ (f ∧ len(k)) ; (p ∧ q) (C.154)
RFixedAndDistrA [DRS ]
` p ; (f ∧ len(k)) ∧ p ; (g ∧ len(k)) ≡ p ; (f ∧ g ∧ len(k)) (C.155)
C.1 First order ITL 241
RFixedAndDistrB [DRS ]
` p ; (f ∧ len(k)) ∧ q ; (f ∧ len(k)) ≡ (p ∧ q) ; (f ∧ len(k)) (C.156)
ChopSkipAndChopSkip [DRS ]
` f ; skip ∧ g ; skip ≡ (f ∧ g) ; skip (C.157)
BiAndChopSkipEqv [DRS ]
` 2i (f ∧ g) ; skip ≡ 2i f ; skip ∧ 2i g ; skip (C.158)
DiAndChopSkipImp [DRS ]
` 3i (f ∧ g) ; skip ⊃ 3i f ; skip ∧ 3i g ; skip (C.159)
NotChopFixed [DRS ]
` ¬ (f ; h) ≡ ¬ 3h ∨ (¬ f ; h) where h ≡ g ∧ len(k) (C.160)
NotFixedChop [DRS ]
` ¬ (h ; f ) ≡ ¬ 3i h ∨ (h ; ¬ f ) where h ≡ g ∧ len(k) (C.161)
C.1.7 Further laws with initial intervals
ImpEqvDi [DRS ]
` f ⊃ (f ≡ 3i f ) (C.162)
242 Appendix C: List of laws
AndDiEqv [DRS ]
` f ∧ 3i f ≡ f (C.163)
OrDiEqvDi [DRS ]
` f ∨ 3i f ≡ 3i f (C.164)
AndDiOrEqv [DRS ]
` f ∧ (3i f ∨ g) ≡ f (C.165)
DiChopImpDiA [DRS ]
` 3i f ; g ⊃ 3i f (C.166)
DiChopImpDiB [DRS ]
` 3i (f ; g) ⊃ 3i f (C.167)
BiNotImpNotBiChop [DRS ]
` 2i ¬ f ⊃ 2i ¬ (f ; g) (C.168)
DiDiAndDiEqvDiAndDi [DRS ]
` 3i (3i f ∧ 3i g) ≡ 3i f ∧ 3i g (C.169)
C.1 First order ITL 243
AndDiAndDiEqvAndDi [DRS ]
` f ∧ 3i (f ∧ 3i g) ≡ f ∧ 3i g (C.170)
DiAndDiEqvDiAndDiOrDiAndDi [DRS ]
` 3i f ∧ 3i g ≡ 3i (f ∧ 3i g) ∨ 3i (g ∧ 3i f ) (C.171)
BiOrBiImpBiOr [DRS ]
` 2i f ∨ 2i g ⊃ 2i (f ∨ g) (C.172)
BiOrBiEqvBiBiOrBi [DRS ]
` 2i f ∨ 2i g ≡ 2i (2i f ∨ 2i g) (C.173)
MoreAndBiImpBiChopSkip [DRS ]
` more ∧ 2i f ⊃ 2i f ; skip (C.174)
DiEqvOrDiChopSkipA [DRS ]
` 3i f ≡ f ∨ 3i (f ; skip) (C.175)
DiEqvOrDiChopSkipB [DRS ]
` 3i f ≡ f ∨ (3i f ; skip) (C.176)
244 Appendix C: List of laws
BiEqvAndEmptyOrBiChopSkip [DRS ]
` 2i f ≡ f ∧ (empty ∨ (2i f ; skip)) (C.177)
DiamondEqvOrStrongNextDiamond [DRS ]
` 3f ≡ f ∨ ©3f (C.178)
BoxEqvAndWeakNextBox [DRS ]
` 2f ≡ f ∧ ©w 2f (C.179)
BiAndDiEqvBiAndDiAndBi [DRS ]
` 2i f ∧ 3i g ≡ 2i f ∧ 3i (g ∧ 2i f ) (C.180)
DiAndBiImpDiAndBi [DRS ]
` 3i f ∧ 2i g ⊃ 3i (f ∧ 2i g) (C.181)
BiAndEmptyEqvAndEmpty [DRS ]
` 2i f ∧ empty ≡ f ∧ empty (C.182)
DiAndEmptyEqvAndEmpty [DRS ]
` 3i f ∧ empty ≡ f ∧ empty (C.183)
C.1 First order ITL 245
BiEmptyEqvEmpty [CAU ]
` 2i empty ≡ empty (C.184)
C.1.8 Strict initial intervals
BsDef [DRS ]
2s f =̂ empty ∨ 2i f ; skip (C.185)
DsDef [DRS ]
3s f =̂ ¬ 2s ¬ f (C.186)
DsMoreDi [DRS ]
` 3s f ≡ more ∧ 3i f ; skip (C.187)
DsDi [DRS ]
` 3s f ≡ 3i f ; skip (C.188)
C.1.8.1 Duality
BsEqvNotDsNot [DRS ]
` 2s f ≡ ¬ 3s ¬ f (C.189)
246 Appendix C: List of laws
NotBsEqvDsNot [DRS ]
` ¬ 2s f ≡ 3s ¬ f (C.190)
NotDsEqvBsNot [DRS ]
` ¬ 3s f ≡ 2s ¬ f (C.191)
NotDsAndEmpty [DRS ]
` ¬ (3s f ∧ empty) (C.192)
C.1.8.2 Distribution through conjunction and disjunction
BsMoreEqvEmpty [DRS ]
` 2s more ≡ empty (C.193)
BsAndEqv [DRS ]
` 2s f ∧ 2s g ≡ 2s (f ∧ g) (C.194)
DsOrEqv [DRS ]
` 3s f ∨ 3s g ≡ 3s (f ∨ g) (C.195)
BsOrImp [DRS ]
` 2s f ∨ 2s g ⊃ 2s (f ∨ g) (C.196)
C.1 First order ITL 247
DsAndImp [DRS ]
` 3s (f ∧ g) ⊃ 3s f ∧ 3s g (C.197)
DsAndImpElimL [DRS ]
` 3s (f ∧ g) ⊃ 3s f (C.198)
DsAndImpElimR [DRS ]
` 3s (f ∧ g) ⊃ 3s g (C.199)
C.1.8.3 Useful implications
BiImpBs [DRS ]
` 2i f ⊃ 2s f (C.200)
BsImpBsBs [DRS ]
` 2s f ⊃ 2s 2s f (C.201)
DsImpDi [DRS ]
` 3s f ⊃ 3i f (C.202)
BsImpBsRule [DRS ]
` f ⊃ g ⇒ ` 2s f ⊃ 2s g (C.203)
248 Appendix C: List of laws
DsChopImpDsB [DRS ]
` 3s (f ; g) ⊃ 3s f (C.204)
NotBsImpBsNotChop [DRS ]
` 2s ¬ f ⊃ 2s ¬ (f ; g) (C.205)
C.1.8.4 Relating strict and non-strict initial intervals
BsOrBsEqvBsBiOrBi [DRS ]
` 2s f ∨ 2s g ≡ 2s (2i f ∨ 2i g) (C.206)
DiOrDsEqvDi [DRS ]
` 3i f ∨ 3s f ≡ 3i f (C.207)
DiAndDsEqvDs [DRS ]
` 3i f ∧ 3s f ≡ 3s f (C.208)
OrDsEqvDi [DRS ]
` f ∨ 3s f ≡ 3i f (C.209)
AndBsEqvBi [DRS ]
` f ∧ 2s f ≡ 2i f (C.210)
C.1 First order ITL 249
BsEqvBsBi [DRS ]
` 2s f ≡ 2s 2i f (C.211)
StateImpBs [DRS ]
` w ⊃ 2s w (C.212)
DsAndDsEqvDsAndDiOrDsAndDi [DRS ]
` 3s f ∧ 3s g ≡ 3s (f ∧ 3i g) ∨ 3s (g ∧ 3i f ) (C.213)
BsEqvBiMoreImpChop [DRS ]
` 2s f ≡ 2i (more ⊃ f ; skip) (C.214)
C.1.8.5 Strict final intervals
BtDef [DRS ]
2t f =̂ empty ∨ skip ; 2f (C.215)
DtDef [DRS ]
3t f =̂ ¬ 2t ¬ f (C.216)
BsrEqvBtr [DRS ]
` (2s f )r ≡ 2t f r (C.217)
250 Appendix C: List of laws
DsrEqvDtr [DRS ]
` (3s f )r ≡ 3t f r (C.218)
BtrEqvBsr [DRS ]
` (2t f )r ≡ 2s f r (C.219)
DtrEqvDsr [DRS ]
` (3t f )r ≡ 3s f r (C.220)
AlwaysImpBt [DRS ]
` 2f ⊃ 2t f (C.221)
C.1.9 First occurrence operator
FstDef [DRS ]
B f =̂ f ∧ 2s ¬ f (C.222)
C.1.9.1 First with conjunction and disjunction
FstWithAndImp [DRS ]
` B f ∧ g ⊃ B(f ∧ g) (C.223)
C.1 First order ITL 251
FstWithOrEqv [DRS ]
` B(f ∨ g) ≡ (B f ∧ 2s ¬ g) ∨ (B g ∧ 2s ¬ f ) (C.224)
FstFstAndEqvFstAnd [DRS ]
` B(B f ∧ g) ≡ B f ∧ g (C.225)
C.1.9.2 First with true, false, empty, more
FstTrue [DRS ]
` B true ≡ empty (C.226)
FstFalse [DRS ]
` B false ≡ false (C.227)
FstChopFalseEqvFalse [DRS ]
` B f ; false ≡ false (C.228)
FstEmpty [DRS ]
` B empty ≡ empty (C.229)
FstAndEmptyEqvAndEmpty [DRS ]
` B f ∧ empty ≡ f ∧ empty (C.230)
252 Appendix C: List of laws
FstEmptyOrEqvEmpty [DRS ]
` B(empty ∨ f ) ≡ empty (C.231)
FstChopEmptyEqvFstChopFstEmpty [DRS ]
` B f ; g ∧ empty ≡ B f ; B g ∧ empty (C.232)
FstMoreEqvSkip [DRS ]
` Bmore ≡ skip (C.233)
C.1.9.3 First with initial intervals
FstOrDiEqvDi [DRS ]
` B f ∨ 3i f ≡ 3i f (C.234)
FstAndDiEqvFst [DRS ]
` B f ∧ 3i f ≡ B f (C.235)
DiEqvDiFst [DRS ]
` 3i f ≡ 3i B f (C.236)
FstDiEqvFst [DRS ]
` B3i f ≡ B f (C.237)
C.1 First order ITL 253
DiAndFstOrEqvFstOrDiAnd [DRS ]
` 3i f ∧ (B f ∨ g) ≡ B f ∨ (3i f ∧ g) (C.238)
DiOrFstAndEqvDi [DRS ]
` 3i f ∨ (B f ∧ g) ≡ 3i f (C.239)
FstDiAndDiEqv [DRS ]
` B(3i f ∧ 3i g) ≡ (B f ∧ 3i g) ∨ (B g ∧ 3i f ) (C.240)
BiNotFstEqvBiNot [DRS ]
` 2i ¬ B f ≡ 2i ¬ f (C.241)
BsNotFstEqvBsNot [DRS ]
` 2s ¬ B f ≡ 2s ¬ f (C.242)
C.1.9.4 First with state formulae
FstState [DRS ]
` Bw ≡ empty ∧ w (C.243)
FstStateAndBsNotEmpty [DRS ]
` Bw ∧ 2s ¬ empty ≡ Bw (C.244)
254 Appendix C: List of laws
FstStateImpFstStateOr [DRS ]
` Bw ⊃ B(w ∨ f ) (C.245)
HaltStateEqvFstFinState [DRS ]
` halt w ≡ B(fin w) (C.246)
HaltStateEqvFstHaltState [DRS ]
` halt w ≡ B(halt w) (C.247)
FstDiamondStateEqvHalt [DRS ]
` B(3w) ≡ halt w (C.248)
FstBoxStateEqvStateAndEmpty [DRS ]
` B(2w) ≡ w ∧ empty (C.249)
C.1.9.5 First and unique length
FstLenSame [DRS ]
` 3i (B f ∧ len(i)) ∧ 3i (B f ∧ len(j )) ⊃ i = j (C.250)
DiImpExistsOneDiLenAndFst [DRS ]
` 3i f ⊃ ∃1 k • 3i (len(k) ∧ B f ) (C.251)
C.1 First order ITL 255
C.1.9.6 First with chop distribution through conjunction
LFstAndDistr [DRS ]
` (B f ∧ g1) ; h1 ∧ (B f ∧ g2) ; h2 ≡ (B f ∧ g1 ∧ g2) ; (h1 ∧ h2) (C.252)
LFstAndDistrA [DRS ]
` (B f ∧ g1) ; h ∧ (B f ∧ g2) ; h ≡ (B f ∧ g1 ∧ g2) ; h (C.253)
LFstAndDistrB [DRS ]
` (B f ∧ g) ; h1 ∧ (B f ∧ g) ; h2 ≡ (B f ∧ g) ; (h1 ∧ h2) (C.254)
LFstAndDistrC [DRS ]
` B f ; h1 ∧ B f ; h2 ≡ B f ; (h1 ∧ h2) (C.255)
LFstAndDistrD [DRS ]
` 3i (B f ∧ g1) ∧ 3i (B f ∧ g2) ≡ 3i (B f ∧ g1 ∧ g2) (C.256)
C.1.9.7 Further useful theorems
FstEqvBsNotAndDi [DRS ]
` B f ≡ 2s ¬ f ∧ 3i f (C.257)
256 Appendix C: List of laws
NotFstChop [DRS ]
` ¬ (B f ; g) ≡ ¬ 3i B f ∨ B f ; ¬ g (C.258)
BsNotFstChop [DRS ]
` 2s ¬ (B f ; g) ≡ empty ∨ ¬ 3i B f ∨ B f ; 2s ¬ g (C.259)
FstFstChopEqvFstChopFst [DRS ]
` B(B f ; g) ≡ B f ; B g (C.260)
FstFixFst [DRS ]
` BB f ≡ B f (C.261)
DsImpNotFst [DRS ]
` 3s f ⊃ (¬ B f ) (C.262)
FstLenAndEqvLenAnd [DRS ]
` B(len(k) ∧ f ) ≡ len(k) ∧ f (C.263)
FstAndElimL [DRS ]
` B f ⊃ f (C.264)
C.1 First order ITL 257
FstImpNotDiChopSkip [DRS ]
` B f ⊃ ¬ (3i f ; skip) (C.265)
FstImpDiEqv [DRS ]
` B f ⊃ (3i f ≡ f ) (C.266)
FstAndDiFstAndEqvFstAnd [DRS ]
` B f ∧ 3i (B f ∧ g) ≡ B f ∧ g (C.267)
FstAndDiImpBsNotAndDi [DRS ]
` (B f ∧ 3i g) ⊃ (2s ¬ (3i f ∧ g)) (C.268)
FstFstOrEqvFstOrL [DRS ]
` B(B f ∨ g) ≡ B(f ∨ g) (C.269)
FstFstOrEqvFstOrR [DRS ]
` B(f ∨ B g) ≡ B(f ∨ g) (C.270)
FstFstOrEqvFstOr [DRS ]
` B(B f ∨ B g) ≡ B(f ∨ g) (C.271)
258 Appendix C: List of laws
C.1.9.8 First with len and skip
FstLenEqvLen [DRS ]
` B len(k) ≡ len(k) (C.272)
FstSkip [DRS ]
` B skip ≡ skip (C.273)
FstLenEqvLenFst [DRS ]
FstLenEqvLenFst (C.274)
FstNextEqvNextFst [DRS ]
FstNextEqvNextFst (C.275)
C.1.9.9 First occurrence with iteration
FstCSEqvEmpty [DRS ]
` B(f ∗) ≡ empty (C.276)
FstIterFixFst [DRS ]
` (B f )n ≡ B((B f )n), [n ≥ 0] (C.277)
C.1 First order ITL 259
C.1.9.10 Dual of first
NFstDef [DRS ]
−B f =̂ ¬ B¬ f (C.278)
NFstEqvOrDsNot [DRS ]
` −B f ≡ f ∨ 3s ¬ f (C.279)
NotFstEqvNFstNot [DRS ]
` ¬ B f ≡ −B¬ f (C.280)
NotNFstEqvFstNot [DRS ]
` ¬ −B f ≡ B¬ f (C.281)
C.1.9.11 Reflection of the first occurrence operator
LstDef [DRS ]
C f =̂ f ∧ 2t ¬ f (C.282)
NLstDef [DRS ]
−C f =̂ ¬ C¬ f (C.283)
260 Appendix C: List of laws
FstrEqvLstr [DRS ]
` (B f )r ≡ C f r (C.284)
LstrEqvFstr [DRS ]
` (C f )r ≡ B f r (C.285)
FstChopFstREqvLstrChopLstr [DRS ]
` (B f ; B g)r ≡ C gr ; C f r (C.286)
FstFstChoprEqvLstrChopLstr [DRS ]
` (B(B f ; g))r ≡ C(gr ; C f r ) (C.287)
LstChopLstEqvLstChopLst [DRS ]
` C(g ; C f ) ≡ C g ; C f (C.288)
C.2 ITL Monitor definitions, combinators and laws
C.2.1 ITL Monitor definitions
MFirstDef [DRS ]
M(FIRST (f )) =̂ B f (C.289)
C.2 ITL Monitor definitions, combinators and laws 261
MUptoDef [DRS ]
M(a UPTO b) =̂ B(M(a) ∨M(b)) (C.290)
MThruDef [CAU ]
M(a THRU b) =̂ B(3i M(a) ∧ 3i M(b)) (C.291)
MThenDef [DRS ]
M(a THEN b) =̂ M(a) ; M(b) (C.292)
MWithDef [DRS ]
M(a WITH f ) =̂ M(a) ∧ f (C.293)
C.2.2 ITL Monitor derived definitions
MHaltDef [DRS ]
HALT (w) =̂ FIRST (fin w) (C.294)
MLenDef [DRS ]
LEN (k) =̂ FIRST (len(k)) (C.295)
MEmptyDef [DRS ]
EMPTY =̂ FIRST (empty) (C.296)
262 Appendix C: List of laws
MSkipDef [DRS ]
SKIP =̂ FIRST (skip) (C.297)
MGuardDef [DRS ]
GUARD (w) =̂ EMPTY WITH w (C.298)
MTimesDef [DRS ]
a TIMES 0 =̂ EMPTY
a TIMES (k + 1) =̂ a THEN (a TIMES k), k ≥ 0 (C.299)
MFailDef [DRS ]
FAIL =̂ FIRST (false) (C.300)
MAlwaysDef [DRS ]
a ALWAYS w =̂ a WITH (2i fin w) (C.301)
MSometimeDef [DRS ]
a SOMETIME w =̂ a WITH (3i fin w) (C.302)
MUntilDef [DRS ]
w1 UNTIL w2 =̂ (HALTw2) WITH (2m w1) (C.303)
C.2 ITL Monitor definitions, combinators and laws 263
MWithinDef [DRS ]
a WITHIN f =̂ a WITH (2s ¬ f ) (C.304)
MAndDef [DRS ]
a AND b =̂ a WITHM(b) (C.305)
MIterateDef [DRS ]
a ITERATE b =̂ a WITH (M(b))∗ (C.306)
MStarDef [DRS ]
a STAR f =̂ FIRST (3f ) ITERATE a (C.307)
MRepeatDef [DRS ]
a REPEATUNTIL w =̂ (HALTw) ITERATE (a WITH (2m ¬ w)) (C.308)
C.2.3 ITL Monitor laws
MFixFst [DRS ]
` M(a) ≡ BM(a) (C.309)
MGuardFalseEqvFalse [DRS ]
` M(GUARD (false)) ≡ false (C.310)
264 Appendix C: List of laws
MFstFalseEqvFalse [DRS ]
` M(FIRST (false)) ≡ false (C.311)
C.2.4 ITL Monitor alternative definitions
MFailAlt [DRS ]
` M(FAIL) ≡ false (C.312)
MEmptyAlt [DRS ]
` M(EMPTY) ≡ empty (C.313)
MSkipAlt [DRS ]
` M(SKIP) ≡ skip (C.314)
MGuardAlt [DRS ]
` M(GUARD (w)) ≡ empty ∧ w (C.315)
MLengthAlt [DRS ]
` M(LEN k) ≡ len(k) (C.316)
MAlwaysAlt [DRS ]
` M(a ALWAYS w) ≡M(a) ∧ 2w (C.317)
C.2 ITL Monitor definitions, combinators and laws 265
MSometimeAlt [DRS ]
` M(a SOMETIME w) ≡M(a) ∧ 3w (C.318)
MWithinAlt [DRS ]
` M(a WITHIN f ) ≡M(a) ∧ 2s ¬ f (C.319)
MTimesAlt [DRS ]
` M(a TIMES k) ≡ (M(a))k (C.320)
MUptoAlt [DRS ]
` M(a UPTO b) ≡ (M(a)∧ 2i ¬M(b)) ∨ (M(b)∧ 2i ¬M(a)) ∨ (M(a)∧M(b)) (C.321)
MThruAlt [DRS ]
` M(a THRU b) ≡ (M(a) ∧ 3i M(b)) ∨ (M(b) ∧ 3i M(a)) (C.322)
MHaltAlt [DRS ]
` M(HALTw) ≡ halt w (C.323)
C.2.5 ITL Monitor equivalence
EqDef [CAU ]
(a ' b) ≡ (` M(a) =M(b)) (C.324)
266 Appendix C: List of laws
MonEqRefl [CAU ]
a ' a (C.325)
MonEqSym [CAU ]
a ' b ` b ' a (C.326)
MonEqTrans [CAU ]
a ' b, b ' c ` a ' c (C.327)
MonEq [CAU ]
(a ' b) = (` M(a) =M(b)) (C.328)
C.2.6 Efficient implementation of FAIL
MFailEqvFstFalseWithinEmpty [DRS ]
` FAIL ' FIRST (false) WITHIN empty (C.329)
C.2.7 ITL Monitor annihilator and identity laws
MFailUpto [DRS ]
FAIL UPTO a ' a (C.330)
C.2 ITL Monitor definitions, combinators and laws 267
MFailThru [DRS ]
FAIL THRU a ' FAIL (C.331)
MFailAnd [DRS ]
FAIL AND a ' FAIL (C.332)
MThenFail [DRS ]
a THEN FAIL ' FAIL (C.333)
MFailThen [DRS ]
FAIL THEN a ' FAIL (C.334)
MFailWith [DRS ]
FAIL WITH f ' FAIL (C.335)
MWithFalse [DRS ]
a WITH false ' FAIL (C.336)
MWithTrue [DRS ]
a WITH true ' a (C.337)
268 Appendix C: List of laws
MEmptyUpto [DRS ]
EMPTY UPTO a ' EMPTY (C.338)
MEmptyThru [DRS ]
EMPTY THRU a ' a (C.339)
MThenEmpty [DRS ]
a THEN EMPTY ' a (C.340)
MEmptyThen [DRS ]
EMPTY THEN a ' a (C.341)
MEmptyIterate [DRS ]
EMPTY ITERATE b ' EMPTY (C.342)
C.2.8 ITL Monitor idempotence laws
MIterateIdemp [DRS ]
a ITERATE a ' a (C.343)
MUptoIdemp [DRS ]
a UPTO a ' a (C.344)
C.2 ITL Monitor definitions, combinators and laws 269
MThruIdemp [DRS ]
a THRU a ' a (C.345)
MAndIdemp [DRS ]
a AND a ' a (C.346)
MWithIdemp [DRS ]
(WITH f ) ◦ (WITH f ) ' (WITH f ) (C.347)
C.2.9 ITL Monitor commutativity laws
MUptoCommut [DRS ]
a UPTO b ' b UPTO a (C.348)
MThruCommut [DRS ]
a THRU b ' b THRU a (C.349)
MAndCommut [DRS ]
a AND b ' b AND a (C.350)
MWithCommut [DRS ]
(WITH f ) ◦ (WITH g) ' (WITH g) ◦ (WITH f ) (C.351)
270 Appendix C: List of laws
C.2.10 ITL Monitor associativity laws
MUptoAssoc [DRS ]
(a UPTO b) UPTO c ' a UPTO (b UPTO c) (C.352)
MThruAssoc [DRS ]
(a THRU b) THRU c ' a THRU (b THRU c) (C.353)
MAndAssoc [DRS ]
(a AND b) AND c ' a AND (b AND c) (C.354)
MThenAssoc [DRS ]
(a THEN b) THEN c ' a THEN (b THEN c) (C.355)
C.2.11 ITL Monitor absorption laws
MWithAbsorp [DRS ]
(WITH f ) ◦ (WITH g) ' (WITH (f ∧ g)) (C.356)
MUptoThruAbsorp [DRS ]
a UPTO (a THRU b) ' a (C.357)
C.2 ITL Monitor definitions, combinators and laws 271
MThruUptoAbsorp [DRS ]
a THRU (a UPTO b) ' a (C.358)
C.2.12 ITL Monitor distributivity laws
MUptoThruDistrib [DRS ]
a UPTO (b THRU c) ' (a UPTO b) THRU (a UPTO c) (C.359)
MUptoThruRDistrib [DRS ]
(a UPTO b) THRU c ' (a THRU c) UPTO (b THRU c) (C.360)
MThruUptoDistrib [DRS ]
a THRU (b UPTO c) ' (a THRU b) UPTO (a THRU c) (C.361)
MThruUptoRDistrib [DRS ]
(a THRU b) UPTO c ' (a UPTO c) THRU (b UPTO c) (C.362)
MWithAndDistrib [DRS ]
(a AND b) WITH f ' (a WITH f ) AND (b WITH f ) (C.363)
MThenAndDistrib [DRS ]
a THEN (b AND c) ' (a THEN b) AND (a THEN c) (C.364)
272 Appendix C: List of laws
MAndThenDistrib [DRS ]
(a AND b) THEN c ' (a THEN c) AND (b THEN c) (C.365)
MThenUptoDistrib [DRS ]
a THEN (b UPTO c) ' (a THEN b) UPTO (a THEN c) (C.366)
MThenThruDistrib [DRS ]
a THEN (b THRU c) ' (a THEN b) THRU (a THEN c) (C.367)
MHaltWithAndDistrib [DRS ]
((HALTw) WITH f ) AND ((HALTw) WITH g) ' (HALTw) WITH (f ∧ g) (C.368)
MHaltWithUptoHaltWithEqvHaltWithOr [DRS ]
((HALTw) WITH f ) UPTO ((HALTw) WITH g) ' (HALTw) WITH (f ∨ g) (C.369)
MHaltWithThruHaltWithEqvHaltWithAndHaltWith [DRS ]
((HALTw) WITH f ) THRU ((HALTw) WITH g) ' ((HALTw) WITH f ) AND ((HALTw) WITH g)
(C.370)
