
LTL semantics for runtime verification

After having introduced the specification language LTL in the previous section, the task of a model checker and of a monitor can be described as deciding, for a given property of that language, whether it is satisfied (or violated) by all traces of some given set of traces, or by a given single trace, respectively. However, while a model checker for reactive systems can evaluate traces according to the standard semantics of LTL, since both are defined over infinite traces, a monitor must use a finite LTL semantics, as observations are merely prefixes of infinite traces.


Runtime verification is usually performed to complement model checking, and therefore the finite LTL semantics should preferably coincide with the infinite one; that is, a monitor should only return true (denoted by ⊤) or false (denoted by ⊥) if the property is satisfied (or violated, respectively) for all continuations. Recall that this is exactly the definition of impartiality, described by Property 4 in §1.2.2. Note that this property is easy to comply with for an offline monitor, as there are no continuations, and verdicts are returned only once at the end of a trace. In other words, a trace represents complete knowledge, as no further observations of a system are to be expected, so that under this assumption monotonicity is not an issue. An offline monitor, therefore, can for example implement the finite LTL semantics introduced in Def. 2.4.2: intuitively, ϕUψ is interpreted as false if ψ never evaluates to true on a finite trace, and Xϕ is interpreted as false at the end of the trace if no further event exists, which is called the strong semantics of the X-operator. This idea is extended by Manna and Pnueli [1995], who add a weak view of the X-operator (being dual to the strong one, and which we denote here with X!) that is interpreted as "if a next event exists then ϕ must hold for this event".

In contrast, during online monitoring, traces always represent only incomplete, albeit expanding, knowledge (and are therefore also called truncated). In this section we will see that the finite LTL semantics from above and similar variations based on a 2-valued semantics (i.e., with only true and false as truth values) are inadequate for that purpose, since they are inherently unable to comply with monotonicity.

Weak, strong, and neutral finite path semantics. While the syntax and semantics of LTL for checking complete traces is well accepted in the literature, there is no consensus on defining LTL over truncated traces. Eisner et al. [2003], for example, define LTL_trunc, an LTL semantics defined with respect to a finite or infinite trace together with an indicator for the strength of the interpretation; the indicator can be either weak, strong or neutral in relation to the standard finite semantics by Kamp [1968] in Def. 2.4.2 (denoted by [w ⊨ ϕ]−, [w ⊨ ϕ]+, and [w ⊨ ϕ]F, respectively). We call the resulting logics LTL−, LTL+, and FLTL, respectively. Intuitively, in the weak view U acts like W and X like X!; in the strong view (which is dual to the weak one) W acts like U and X! like X; whereas the neutral view leaves the operators unchanged. In other words, the weak view has a preference for false positives, the strong view for false negatives, and the neutral view desires to see as much evidence as can reasonably be expected from a finite trace.

Table 2.2 exemplifies how these three semantics behave differently for a trace consisting of a single event. An interesting corollary shows that if w is infinite then [w ⊨ ϕ]F iff [w ⊨ ϕ]− iff [w ⊨ ϕ]+; that is, the strength indicators behave identically over an infinite trace [Eisner et al., 2003, Corollary 5]. However, the inherent problem with all three proposed finite semantics for truncated paths is that they must evaluate to true or false prematurely, since they cannot reflect the "not yet known" case properly in order to avoid either false positives or negatives.


Table 2.2: The evaluations of a trace wrt. the weak, strong and neutral view.

    neutral          strong           weak
    {a} ⊭ aUb        {a} ⊭ aUb        {a} ⊨ aUb
    {a} ⊭ Fb         {a} ⊭ Fb         {a} ⊨ Fb
    {a} ⊨ Ga         {a} ⊭ Ga         {a} ⊨ Ga
    {a} ⊭ Xb         {a} ⊭ Xb         {a} ⊨ Xb

LTL3 semantics. Therefore, Bauer et al. [2011] have introduced a 3-valued prefix semantics, defined as follows. Since it quantifies over all infinite continuations of a prefix, it cannot be defined inductively as in Def. 2.4.2.

Definition 2.5.1 (LTL3 semantics).
$$[u \models \varphi]_3 = \begin{cases} \top & \text{if } \forall w \in \Sigma^\omega : uw \models \varphi \\ \bot & \text{if } \forall w \in \Sigma^\omega : uw \not\models \varphi \\ ? & \text{otherwise.} \end{cases}$$

It agrees with the properties of impartiality and anticipation stated in §1.2.2. Note that the truth domain here is the set B3 = {⊤, ⊥, ?}, where ? denotes the inconclusive case. A monitor following this semantics must return ? for a prefix as long as there exist continuations of which some satisfy and some violate the property ϕ. However, as soon as there are only continuations of one sort, it must return a conclusive verdict.

RV-LTL semantics. Bauer et al. [2010] further introduced a 4-valued prefix semantics, called RV-LTL. It refines the inconclusive case of LTL3 by "presumably true" (⊤P) and "presumably false" (⊥P); that is, it helps with so-called ugly prefixes (i.e., prefixes whose expansions all lead to a monitor returning ? but never a conclusive verdict) by providing at least some information on the degree to which a formula is considered satisfied or not.

Definition 2.5.2 (RV-LTL semantics).
$$[u \models \varphi]_{RV} = \begin{cases} \top & \text{if } [u \models \varphi]_3 = \top \\ \bot & \text{if } [u \models \varphi]_3 = \bot \\ \top^P & \text{if } [u \models \varphi]_3 = {?} \text{ and } [u \models \varphi]_F = \top \\ \bot^P & \text{if } [u \models \varphi]_3 = {?} \text{ and } [u \models \varphi]_F = \bot \end{cases}$$
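The following Python script is an added example, not code from the thesis. It serves two passages above: it implements the neutral, weak and strong finite-path views of Eisner et al. by operator substitution on negation normal form and reproduces Table 2.2, it shows the verdict flip on an expanding trace that makes 2-valued semantics non-monotonic for online monitoring, and it builds from those views an impartial (but not anticipatory) approximation of the LTL3 and RV-LTL verdicts of Def. 2.5.1 and 2.5.2. The tuple encoding of formulas, the function names (`evaluate`, `ltl3_impartial`, `rv_verdict`), the spelling `Xw` for the weak next operator X! and the traces are assumptions of this example; the soundness argument used by `ltl3_impartial` (a strong-view satisfaction is witnessed entirely inside the prefix, a weak-view refutation is preserved by every continuation) is the example's own reasoning and is not stated in the text above.

```python
"""Finite-trace LTL: neutral (FLTL), strong and weak views, and an impartial
3- and 4-valued prefix verdict built from them. Added example, not thesis code.

Formulas are nested tuples (an assumed encoding, not the thesis's notation):
  ("tt",) ("ff",) ("ap", "a") ("not", f) ("and", f, g) ("or", f, g)
  ("X", f) strong next, ("Xw", f) weak next (written X! in the text),
  ("U", f, g) until, ("W", f, g) weak until.
A finite trace is a non-empty list of sets of propositions, one set per event.
"""
TOP, BOT, UNK = "⊤", "⊥", "?"
TT, FF = ("tt",), ("ff",)
DUAL = {"and": "or", "or": "and", "X": "Xw", "Xw": "X", "tt": "ff", "ff": "tt"}
# Operator substitutions realising the weak and strong views on NNF formulas.
VIEWS = {"neutral": {}, "weak": {"U": "W", "X": "Xw"}, "strong": {"W": "U", "Xw": "X"}}

def F(f): return ("U", TT, f)    # F f  =  true U f
def G(f): return ("W", f, FF)    # G f  =  f W false

def nnf(f, neg=False):
    """Negation normal form: negation is pushed to atoms with the FLTL dualities
    not X f = X! not f,  not (p U q) = not q W (not p and not q), and vice versa."""
    op = f[0]
    if op in ("tt", "ff"):
        return (DUAL[op],) if neg else f
    if op == "ap":
        return ("not", f) if neg else f
    if op == "not":
        return nnf(f[1], not neg)
    if op in ("and", "or", "X", "Xw"):
        return (DUAL[op] if neg else op,) + tuple(nnf(g, neg) for g in f[1:])
    if op in ("U", "W"):
        if not neg:
            return (op, nnf(f[1]), nnf(f[2]))
        np_, nq = nnf(f[1], True), nnf(f[2], True)
        return ("W" if op == "U" else "U", nq, ("and", np_, nq))
    raise ValueError(op)

def substitute(f, table):
    """Rename operators according to `table` (used to obtain the weak/strong view)."""
    return (table.get(f[0], f[0]),) + tuple(
        substitute(g, table) if isinstance(g, tuple) else g for g in f[1:])

def holds(f, trace, i=0):
    """Neutral finite semantics (in the style of Def. 2.4.2) of f at position i."""
    op = f[0]
    if op == "tt": return True
    if op == "ff": return False
    if op == "ap": return f[1] in trace[i]
    if op == "not": return not holds(f[1], trace, i)
    if op == "and": return holds(f[1], trace, i) and holds(f[2], trace, i)
    if op == "or": return holds(f[1], trace, i) or holds(f[2], trace, i)
    if op == "X": return i + 1 < len(trace) and holds(f[1], trace, i + 1)
    if op == "Xw": return i + 1 >= len(trace) or holds(f[1], trace, i + 1)
    assert op in ("U", "W"), op
    for j in range(i, len(trace)):
        if holds(f[2], trace, j): return True
        if not holds(f[1], trace, j): return False
    return op == "W"   # end of trace: U lacks its witness (false), W held throughout (true)

def evaluate(f, trace, view="neutral"):
    """[trace |= f] under the neutral, weak or strong view."""
    return holds(substitute(nnf(f), VIEWS[view]), trace)

def verdicts(f, trace, view):
    """2-valued verdict re-computed after every event of an expanding trace."""
    return [evaluate(f, trace[:k], view) for k in range(1, len(trace) + 1)]

def ltl3_impartial(f, trace):
    """Impartial approximation of [u |= f]_3 (assumption of this example): a strong-view
    satisfaction is witnessed inside u, so every continuation satisfies f; dually a
    weak-view refutation is preserved by every continuation. Not anticipatory:
    G(a or not a) stays ? although every continuation satisfies it."""
    if evaluate(f, trace, "strong"): return TOP
    if not evaluate(f, trace, "weak"): return BOT
    return UNK

def rv_verdict(f, trace):
    """RV-LTL style refinement of the ? case by the neutral (FLTL) verdict."""
    v = ltl3_impartial(f, trace)
    if v != UNK: return v
    return "⊤P" if evaluate(f, trace, "neutral") else "⊥P"

A, B = ("ap", "a"), ("ap", "b")
TABLE_FORMULAS = {"aUb": ("U", A, B), "Fb": F(B), "Ga": G(A), "Xb": ("X", B)}

def table_2_2():
    """Truth of each Table 2.2 formula on the single-event trace {a}, per view."""
    return {n: {v: evaluate(f, [{"a"}], v) for v in VIEWS} for n, f in TABLE_FORMULAS.items()}

if __name__ == "__main__":
    print(table_2_2())
    # constructed traces: the weak view flips true -> false, the neutral view false -> true
    print(verdicts(G(A), [{"a"}, set()], "weak"), verdicts(F(B), [{"a"}, {"b"}], "neutral"))
    print(rv_verdict(G(A), [{"a"}]), rv_verdict(G(A), [{"a"}, set()]), rv_verdict(F(B), [{"a"}]))
```

Running the script prints the four rows of Table 2.2, then the two verdict sequences that violate monotonicity (Ga under the weak view goes from true to false once an event without a occurs; Fb under the neutral view goes from false to true once b occurs), and finally ⊤P, ⊥ and ⊥P for the three prefixes. An exact LTL3 monitor must decide whether any infinite continuation at all satisfies or violates ϕ, which this script does not attempt; it only returns ⊤ or ⊥ where the finite prefix alone already forces the verdict.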

Note that RV-LTL complies with a property that is not further considered in this thesis: complementation by negation, i.e., a formula ¬ϕ of a logic should yield a complementary and different truth value than ϕ when evaluated over the same trace. This is not the case for traces leading to ? wrt. the LTL3 semantics, as ? is complementary to itself, in contrast to ⊤, ⊥ or ⊤P, ⊥P being complementary to each other,