## Rewriting-based Techniques for Runtime Verification

Citations: 29 (1 self)

### BibTeX

```bibtex
@MISC{Rosu_rewriting-basedtechniques,
  author = {Grigore Rosu and Klaus Havelund},
  title = {Rewriting-based Techniques for Runtime Verification},
  year = {}
}
```

### Abstract

Techniques for efficiently evaluating future time Linear Temporal Logic (abbreviated LTL) formulae on finite execution traces are presented. While the standard models of LTL are infinite traces, finite traces appear naturally when testing and/or monitoring real applications that only run for limited time periods. A finite trace variant of LTL is formally defined, together with an immediate executable semantics which turns out to be quite inefficient if used directly, via rewriting, as a monitoring procedure. Then three algorithms are investigated. First, a simple synthesis algorithm for monitors based on dynamic programming is presented; despite the efficiency of the generated monitors, they unfortunately need to analyze the trace backwards, thus making them unusable in most practical situations. To circumvent this problem, two rewriting-based practical algorithms are further investigated, one using rewriting directly as a means for online monitoring, and the other using rewriting to generate automata-like monitors, called binary transition tree finite state machines (and abbreviated BTT-FSMs). Both rewriting algorithms are implemented in Maude, an executable specification language based on a very efficient implementation of term rewriting. The first rewriting algorithm essentially consists of a set of equations establishing an executable semantics of LTL, using a simple formula transforming approach. This algorithm is further improved to build automata on-the-fly via caching and reuse of rewrites (called memoization), resulting in a very efficient and small Maude program that can be used to monitor program executions. The second rewriting algorithm builds on the first one and synthesizes provably minimal BTT-FSMs from LTL formulae, which can then be used to a...
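The "formula transforming" monitor with memoization that the abstract describes, as an added Python example rather than the paper's Maude code: each event rewrites the LTL formula into the formula the remaining trace must satisfy, and a verdict is reached as soon as the formula becomes a constant. The tuple encoding of formulas, the event-as-set representation and the function names are my assumptions; the end-of-trace rules (on the last event, o X, [] X and <> X reduce to X, and X U Y to Y) restate the finite-trace semantics of Havelund and Roşu's rewriting monitor from memory, not from this page.

```python
from functools import lru_cache

# Formula encoding (assumed for this example, not the paper's Maude syntax):
# True/False, an atom name (str), or a tuple ('not', f), ('and', f, g),
# ('or', f, g), ('->', f, g), ('next', f), ('always', f), ('eventually', f),
# ('until', f, g). An event is a frozenset of the atoms true in that state.

def _not(f):
    if isinstance(f, bool):
        return not f
    return f[1] if isinstance(f, tuple) and f[0] == 'not' else ('not', f)

def _and(f, g):
    if f is False or g is False:
        return False
    if f is True:
        return g
    if g is True:
        return f
    return f if f == g else ('and', f, g)

def _or(f, g):
    if f is True or g is True:
        return True
    if f is False:
        return g
    if g is False:
        return f
    return f if f == g else ('or', f, g)

@lru_cache(maxsize=None)   # memoization: identical (formula, event) rewrites are reused
def rewrite(f, event, last):
    """Rewrite f against one event into what the rest of the trace must satisfy.
    With last=True the finite-trace end rules apply and a bool comes back."""
    if isinstance(f, bool):
        return f
    if isinstance(f, str):                      # atom: look it up in the current state
        return f in event
    op = f[0]
    if op == 'not':
        return _not(rewrite(f[1], event, last))
    if op == 'and':
        return _and(rewrite(f[1], event, last), rewrite(f[2], event, last))
    if op == 'or':
        return _or(rewrite(f[1], event, last), rewrite(f[2], event, last))
    if op == '->':
        return _or(_not(rewrite(f[1], event, last)), rewrite(f[2], event, last))
    if last:                                    # final state: no future states remain
        return rewrite(f[2] if op == 'until' else f[1], event, last)
    if op == 'next':                            # (o X){E} = X
        return f[1]
    if op == 'always':                          # ([] X){E} = X{E} /\ [] X
        return _and(rewrite(f[1], event, last), f)
    if op == 'eventually':                      # (<> X){E} = X{E} \/ <> X
        return _or(rewrite(f[1], event, last), f)
    if op == 'until':                           # (X U Y){E} = Y{E} \/ (X{E} /\ X U Y)
        return _or(rewrite(f[2], event, last),
                   _and(rewrite(f[1], event, last), f))
    raise ValueError(f"unknown operator {op!r}")

def monitor(formula, trace):
    """Online monitor: returns (verdict, events consumed). A safety violation
    is reported as soon as the rewritten formula collapses to False."""
    if not trace:
        raise ValueError("finite-trace LTL needs at least one event")
    f = formula
    for i, event in enumerate(trace):
        f = rewrite(f, frozenset(event), i == len(trace) - 1)
        if isinstance(f, bool):
            return f, i + 1
    return f, len(trace)   # not reached: the last rewrite always yields a bool

if __name__ == "__main__":
    # Constructed sample traces for the property [](request -> <> grant).
    resp = ('always', ('->', 'request', ('eventually', 'grant')))
    print(monitor(resp, [{'request'}, set(), {'grant'}, set()]))   # (True, 4)
    print(monitor(resp, [{'request'}, set(), set()]))              # (False, 3)
```

Repeated states in a long trace hit the cache rather than rewriting again, which is the on-the-fly automaton construction the abstract refers to as memoization.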

### Citations

- **Introduction to Automata Theory, Languages and Computation** (Hopcroft, Ullman, 1979; 3839 citations)
  Context: ...e expense of having to store the execution trace and then, at the end of the monitoring session, to analyze it by traversing it forwards and backwards many times. The interested reader is referred to [36] for a O(n³m) dynamic programming algorithm (n is the length of the execution trace and m is the size of the ERE), and to [63, 42] for O(n²m) non-trivial algorithms. Based on these observations, we pr...

- **Graph-based algorithms for boolean function manipulation** (Bryant, 1986; 2939 citations)
  Context: ...e state to another with a minimum amount of computation. In order to effectively do this we introduce the notion of binary transition tree (BTT), as a generalization of binary decision diagrams (BDD) [4], whose purpose is to provide an optimal order in which state predicates need to be evaluated to decide the next state. The motivation for this is that in practical applications evaluating a state pre...

- **The Temporal Logic of Reactive and Concurrent Systems: Specification** (Manna, Pnueli, 1992; 1506 citations)
  Context: ...eans for experimenting and implementing logics for program monitoring. 1 Introduction and Motivation. Future time Linear Temporal Logic, abbreviated LTL, was introduced by Pnueli in 1977 [51] (see also [44, 45]) for stating properties about reactive and concurrent systems. LTL provides temporal operators that refer to the future/remaining part of an execution trace relative to a current point of reference. ...

- **The temporal logic of programs** (Pnueli, 1977; 1215 citations)
  Context: ...nd attractive means for experimenting and implementing logics for program monitoring. 1 Introduction and Motivation. Future time Linear Temporal Logic, abbreviated LTL, was introduced by Pnueli in 1977 [51] (see also [44, 45]) for stating properties about reactive and concurrent systems. LTL provides temporal operators that refer to the future/remaining part of an execution trace relative to a current p...

- **Bandera: Extracting finite-state models from Java source code** (Corbett, Dwyer, et al., 2000; 571 citations)
  Context: ...ified as LTL formulae. Several systems are currently being developed that apply model checking to software systems written in Java, C and C++ [2, 11, 35, 9, 50, 18, 61, 27, 62] (footnote: Supported in part by joint NSF/NASA grant CCR-0234524). However, for very large systems, there is little hope that one can actually prove correctness, and one must in those cases rely on debugging and testing. In the context of highly reliable and/or saf...

- **Eraser: A dynamic data race detector for multi-threaded programs** (Savage, Burrows, et al., 1997; 558 citations)
  Context: ...t deadlock, a warning can be reported to users if a cycle is found in the wait-for-graph, because that represents a potential of a deadlock. Another algorithm falling into the same category is Eraser [55], a data race prediction procedure. For each shared memory region, Eraser maintains a set of active locks which protect it, which is intersected with the set of locks held by any accessing thread. If t...

- **Conditional Rewriting Logic as a unified model of concurrency** (Meseguer, 1992; 475 citations)
  Context: ...n amount of mathematical notions and notations, which we introduce in Section 3 together with Maude [7], a high-performance system supporting both membership equational logic [48] and rewriting logic [47]. The current version of Maude can do more than 3 million rewritings per second on standard PCs, and its compiled version is intended to support more than 15 million rewritings per second¹, so it can ...

- **Model checking programs** (Visser, Havelund, et al., 2000; 470 citations)
  Context: ...ified as LTL formulae. Several systems are currently being developed that apply model checking to software systems written in Java, C and C++ [2, 11, 35, 9, 50, 18, 61, 27, 62] (footnote: Supported in part by joint NSF/NASA grant CCR-0234524). However, for very large systems, there is little hope that one can actually prove correctness, and one must in those cases rely on debugging and testing. In the context of highly reliable and/or saf...

- **Temporal Verification of Reactive Systems: Safety** (Manna, Pnueli, 1995; 388 citations)
  Context: ...eans for experimenting and implementing logics for program monitoring. 1 Introduction and Motivation. Future time Linear Temporal Logic, abbreviated LTL, was introduced by Pnueli in 1977 [51] (see also [44, 45]) for stating properties about reactive and concurrent systems. LTL provides temporal operators that refer to the future/remaining part of an execution trace relative to a current point of reference. ...

- **Model checking for programming languages using VeriSoft** (Godefroid, 1997; 374 citations)
  Context: ...ified as LTL formulae. Several systems are currently being developed that apply model checking to software systems written in Java, C and C++ [2, 11, 35, 9, 50, 18, 61, 27, 62] (footnote: Supported in part by joint NSF/NASA grant CCR-0234524). However, for very large systems, there is little hope that one can actually prove correctness, and one must in those cases rely on debugging and testing. In the context of highly reliable and/or saf...

- **The complexity of propositional linear temporal logics** (Sistla, Clarke, 1985; 330 citations)
  Context: ...f a finite trace LTL formula is very expensive (we are not aware of any theoretical result stating its exact complexity, but we believe that it is PSPACE-complete, like for standard infinite trace LTL [60]). We are currently considering providing a fully synchronous LTL monitoring module within JPaX, at the expense of calling a validity checker after each event, and let the user of the system choose ei...

- **Model checking Java programs using Java PathFinder** (Havelund, Pressburger, 2000; 316 citations)

- **Initial algebra semantics and continuous algebras** (Goguen, Thatcher, et al., 1977; 185 citations)
  Context: ...restrict the class of models of a MEL specification only to those which are initial, that is, those which obey the no junk no confusion principle; therefore, our specifications have initial semantics [20] in this paper. Intuitively, that means that only those models are allowed in which all elements can be "constructed" from smaller elements and in which no terms which cannot be proved equal are inter...

- **Boolean and cartesian abstraction for model checking C programs** (Ball, Podelski, et al.; 161 citations)

- **Membership algebra as a logical framework for equational specification** (Meseguer, 1997; 142 citations)
  Context: ...s paper requires a certain amount of mathematical notions and notations, which we introduce in Section 3 together with Maude [7], a high-performance system supporting both membership equational logic [48] and rewriting logic [47]. The current version of Maude can do more than 3 million rewritings per second on standard PCs, and its compiled version is intended to support more than 15 million rewriting...

- **Monitoring Java Programs with Java PathExplorer** (Havelund, Roşu, 2001; 127 citations)
  Context: ...ficiently and conveniently. The work presented in this paper has been started as part of, and stimulated by, the PathExplorer project at NASA Ames, and in particular the Java PathExplorer (JPaX) tool [28, 29] for monitoring Java programs. JPaX facilitates automated instrumentation of Java byte-code, currently using Compaq's Jtrek which is not public anymore, but soon using BCEL [10]. The instrumented code...

- **Introducing OBJ** (Goguen, Winkler, et al., 2000; 121 citations)
  Context: ...operation declaration σ : s1 × ··· × sn → s above is equivalent to (∀x1 : s1, . . . , xn : sn) σ(x1, . . . , xn) : s. 3.2 Maude. Maude [7] is a freely distributed high-performance system in the OBJ [21] algebraic specification family, supporting both rewriting logic [47] and membership equational logic [48]. Because of its efficient rewriting engine, able to execute 3 million rewriting steps per sec...

- **Efficient Monitoring of Safety Properties** (Havelund, Roşu; 119 citations)
  Context: ...e on finite execution traces [53]. Even though this algorithm is not dependent on rewriting (but it could be easily implemented in Maude by rewriting as we did with its dual variant for past time LTL [32, 5]), for the sake of completeness we present it in some detail in Section 5. This algorithm evaluates a formula bottom-up for each point in the trace, going backwards from the final state towards the in...

- **Partial orders for parallel debugging** (Fidge, 1989; 117 citations)
  Context: ...ast time temporal logic, and a prototype system called Java MultiPathExplorer is being implemented [58]. The main idea here is to instrument Java classes to emit events timestamped by vector clocks [14], thus enabling the observer to extract a partial order reflecting the causal dependency on the memory accesses of the multithreaded program. If any linearization of that inferred partial order leads ...

- **Model-Checking Multi-threaded Distributed Java Programs** (Stoller, 2000; 104 citations)

- **Model checking of safety properties** (Kupferman, Vardi, 2001; 103 citations)
  Context: ...e these four states by 0, 1, # and $. Consider also some natural number k and the language Lk = {σ#w#σ'$w | w ∈ {0, 1}^k and σ, σ' ∈ {0, 1, #}*}. This language was previously used in several works [40, 41, 54] to prove lower bounds. The language can be shown to contain exactly those finite traces satisfying the following LTL formula [41] of size Θ(k²): φk = [(!$) U ($ /\ o[](!$))] /\ <>[# /\ o^{n+1}# /\...

- **Specification-based test oracles for reactive systems** (Richardson, Aha, et al., 1992; 102 citations)
  Context: ...osed in [16], and a specialized LTL collecting statistics along the execution trace is described in [15]. Various algorithms to generate testing automata from temporal logic formulae are discussed in [52, 49], and [17] presents a Büchi automata inspired algorithm adapted to finite trace LTL. The major goal of this paper is to present rewriting-based algorithms for effectively and efficiently evaluating L...

- **The Temporal Rover and the ATG Rover** (Drusinsky, 2000; 88 citations)
  Context: ...[Figure 1: Overview of JPaX.] Using temporal logic in testing is an idea of broad practical and theoretical interest. One example is the commercial Temporal Rover and DBRover tools [12, 13], in which LTL properties are translated into code, which is then inserted at chosen positions in the program and executed whenever reached during program execution. The MaC tool [43, 38] is another e...

- **A deadlock detection tool for concurrent Java programs** (Demartini, Iosif, et al., 1999; 84 citations)
  Context: ...plorer (JPaX) tool [28, 29] for monitoring Java programs. JPaX facilitates automated instrumentation of Java byte-code, currently using Compaq's Jtrek which is not public anymore, but soon using BCEL [10]. The instrumented code emits relevant events to an observer during execution (see Figure 1). The observer can be running a Maude [7] process as a special case, so Maude's rewriting engine can be used...

- **Formal Analysis of a Space Craft Controller using Spin** (Havelund, Lowry, et al.; 73 citations)

- **Experiments in theorem proving and model checking for protocol verification** (Havelund, Shankar, 1996; 73 citations)

- **Runtime assurance based on formal specifications** (Lee, Kannan, et al., 1999; 72 citations)
  Context: ...BRover tools [12, 13], in which LTL properties are translated into code, which is then inserted at chosen positions in the program and executed whenever reached during program execution. The MaC tool [43, 38] is another example of a runtime monitoring tool. Here, Java byte-code is automatically instrumented to generate events of interest during the execution. Of special interest is the temporal logic used...

- **Automata-based verification of temporal properties on running programs** (Giannakopoulou, Havelund; 61 citations)
  Context: ...and a specialized LTL collecting statistics along the execution trace is described in [15]. Various algorithms to generate testing automata from temporal logic formulae are discussed in [52, 49], and [17] presents a Büchi automata inspired algorithm adapted to finite trace LTL. The major goal of this paper is to present rewriting-based algorithms for effectively and efficiently evaluating LTL formula...

- **Monitoring programs using rewriting** (Havelund, Roşu, 2001; 57 citations)
  Context: ...t practical rewriting-based algorithm, which can directly monitor an LTL formula. This algorithm originates in [31, 53] and it was partially presented at the Automated Software Engineering conference [30]. The algorithm is expressed as a set of equations establishing an executable semantics of LTL using a simple formula transforming approach. The idea is to rewrite or transform an LTL monitoring requi...

- **Refutational theorem proving using term-rewriting systems** (Hsiang, 1985; 52 citations)
  Context: ...e trace do not matter because A is a simple atom, so it refers to only the current state. 3.2.2 Defining Propositional Calculus. A rewriting decision procedure for propositional calculus due to Hsiang [37] is adapted and presented. It provides the usual connectives _/\_ (and), _++_ (exclusive or), _\/_ (or), !_ (negation), _->_ (implication), and _<->_ (equivalence). The procedure reduces tautological f...

- **Towards Monitoring-Oriented Programming: A Paradigm Combining Specification and Implementation** (Chen, Roşu; 49 citations)
  Context: ...xplorer [58] is a tool which checks a past time LTL safety formula against a partial order extracted online from an execution trace. POTA [56] is another partial order trace analyzer system. Java-MoP [5] is a generic logic monitoring tool encouraging "monitoring-oriented programming" as a paradigm merging specification and implementation. Complexity results for testing a finite trace against temporal...

- **Freedom, Weakness, and Determinism: From Linear-time to Branching-time** (Kupferman, Vardi, 1998; 43 citations)
  Context: ...e these four states by 0, 1, # and $. Consider also some natural number k and the language Lk = {σ#w#σ'$w | w ∈ {0, 1}^k and σ, σ' ∈ {0, 1, #}*}. This language was previously used in several works [40, 41, 54] to prove lower bounds. The language can be shown to contain exactly those finite traces satisfying the following LTL formula [41] of size Θ(k²): φk = [(!$) U ($ /\ o[](!$))] /\ <>[# /\ o^{n+1}# /\...

- **Java Model Checking** (Park, Stern, et al., 2000; 41 citations)

- **Checking Finite Traces using Alternating Automata** (Finkbeiner, Sipma, 2001; 38 citations)
  Context: ...s for testing a finite trace against temporal formulae expressed in different temporal logics are investigated in [46]. Algorithms using alternating automata to monitor LTL properties are proposed in [16], and a specialized LTL collecting statistics along the execution trace is described in [15]. Various algorithms to generate testing automata from temporal logic formulae are discussed in [52, 49], an...

- **Java-MaC: a Run-time Assurance Tool for Java** (Kim, Kannan, et al., 2001; 38 citations)
  Context: ...BRover tools [12, 13], in which LTL properties are translated into code, which is then inserted at chosen positions in the program and executed whenever reached during program execution. The MaC tool [43, 38] is another example of a runtime monitoring tool. Here, Java byte-code is automatically instrumented to generate events of interest during the execution. Of special interest is the temporal logic used...

- **Runtime safety analysis of multithreaded programs** (Sen, Roşu, et al., 2003; 38 citations)
  Context: ...ies after the program terminates. The PET tool, described in [24, 23, 22], uses a future time temporal logic formula to guide the execution of a program for debugging purposes. Java MultiPathExplorer [58] is a tool which checks a past time LTL safety formula against a partial order extracted online from an execution trace. POTA [56] is another partial order trace analyzer system. Java-MoP [5] is a gen...

- **A Practical Method for Verifying Event-Driven Software** (Holzmann, Smith, 1999; 34 citations)

- **Java PathExplorer: A runtime verification tool** (Havelund, Roşu, 2001; 29 citations)
  Context: ...ficiently and conveniently. The work presented in this paper has been started as part of, and stimulated by, the PathExplorer project at NASA Ames, and in particular the Java PathExplorer (JPaX) tool [28, 29] for monitoring Java programs. JPaX facilitates automated instrumentation of Java byte-code, currently using Compaq's Jtrek which is not public anymore, but soon using BCEL [10]. The instrumented code...

- **Experiments with test case generation and runtime analysis** (Artho, Drusinsky, et al., 2003; 25 citations)
  Context: ...sented in this paper is X9, a test-case generation and monitoring environment for a software system that controls the planetary NASA rover K9. This collaborative effort is described in more detail in [1] and it will be presented in full detail elsewhere soon. The rover controller, programmed in 35,000 lines of C++, essentially executes plans, where a plan is a tree-like structure consisting of action...

- **Partial order trace analyzer (POTA) for distributed programs** (Sen, Garg, 2003; 22 citations)
  Context: ...execution of a program for debugging purposes. Java MultiPathExplorer [58] is a tool which checks a past time LTL safety formula against a partial order extracted online from an execution trace. POTA [56] is another partial order trace analyzer system. Java-MoP [5] is a generic logic monitoring tool encouraging "monitoring-oriented programming" as a paradigm merging specification and implementation. C...

- **Monitoring temporal rules combined with Time Series** (Drusinsky, 2003; 21 citations)
  Context: ...[Figure 1: Overview of JPaX.] Using temporal logic in testing is an idea of broad practical and theoretical interest. One example is the commercial Temporal Rover and DBRover tools [12, 13], in which LTL properties are translated into code, which is then inserted at chosen positions in the program and executed whenever reached during program execution. The MaC tool [43, 38] is another e...

- **Model checking a path (preliminary report)** (Schnoebelen, 2003; 21 citations)
  Context: ...programming" as a paradigm merging specification and implementation. Complexity results for testing a finite trace against temporal formulae expressed in different temporal logics are investigated in [46]. Algorithms using alternating automata to monitor LTL properties are proposed in [16], and a specialized LTL collecting statistics along the execution trace is described in [15]. Various algorithms t...

- **Collecting statistics over runtime executions** (Finkbeiner, Sankaranarayanan, et al.; 20 citations)
  Context: ...s are investigated in [46]. Algorithms using alternating automata to monitor LTL properties are proposed in [16], and a specialized LTL collecting statistics along the execution trace is described in [15]. Various algorithms to generate testing automata from temporal logic formulae are discussed in [52, 49], and [17] presents a Büchi automata inspired algorithm adapted to finite trace LTL. The major ...

- **Efficient Specification-Based Oracles for Critical Systems** (O'Malley, Richardson, et al., 1996; 18 citations)

- **Generating Optimal Monitors for Extended Regular Expressions** (Sen, Roşu, 2003; 18 citations)
  Context: ... monitoring frameworks. We claim that the techniques presented in this paper, even though applied to LTL, are in fact generic and can be easily applied to other logics for monitoring. For example, in [54, 57] we applied the same generic, "formula transforming", techniques to obtain rewriting based algorithms for situations in which the logic for monitoring was replaced by extended regular expressions (reg...

- **Maude System documentation at http://maude.csl.sri.com/papers** (Clavel, Duran, et al., 1999; 13 citations)
  Context: ...cally. In this paper we describe a collection of algorithms for monitoring program executions against LTL formulae. It is demonstrated how term rewriting, and in particular the Maude rewriting system [7], can be used to implement some of these algorithms very efficiently and conveniently. The work presented in this paper has been started as part of, and stimulated by, the PathExplorer project at NASA...

- **An overview of the Tatami project** (Goguen, Lin, et al., 2000; 13 citations)
  Context: ...he proof obligations by hand. In other words, the proof that follows was not generated automatically. However, it could have been mechanized by using proof assistants and/or theorem provers like Kumo [19], PVS [59], or Maude-ITP [6]. We have already done it in PVS, but we prefer to use only plain Maude in this paper. Theorem 3. For any trace T and any formula X, T |= X if and only if T |- X. Proof: By ...

- **Testing Linear Temporal Logic Formulae on Finite Execution Traces** (Havelund, Roşu, 2001; 12 citations)
  Context: ...n synchronously. ¹Personal communication by José Meseguer. Section 6 presents our first practical rewriting-based algorithm, which can directly monitor an LTL formula. This algorithm originates in [31, 53] and it was partially presented at the Automated Software Engineering conference [30]. The algorithm is expressed as a set of equations establishing an executable semantics of LTL using a simple formu...

- **Collecting and analyzing data from distributed control programs** (Kortenkamp, Milam, et al., 2001; 10 citations)
  Context: ...erties in a succinct way. All the systems above try to discharge the program execution events as soon as possible, in order to minimize the space requirements. In contrast, a technique is proposed in [39] where the execution events are stored in an SQL database at runtime and then analyzed by means of queries after the program terminates. The PET tool, described in [24, 23, 22], uses a future time tem...

- **The ITP Tool** (Clavel, 2001; 9 citations)
  Context: ...ectively. It is now only a simple exercise to write up the following algorithm: Input: trace t = e1e2...en; next[10] ← (r ∈ en); next[9] ← next[10]; next[8] ← (q ∈ en); next[7] ← next[8] implies next[9]; next[6] ← (q ∈ en); next[5] ← (p ∈ en); next[4] ← next[7]; next[3] ← next[6]; next[2] ← next[3] implies next[4]; next[1] ← next[2]; for i = n - 1 downto 1 do { now[10] ← (r ∈ ei); now[9] ← next[10]; now[8] ← (q ∈ ei); now[7] ← ...