Formal Methods in System Design

, Volume 41, Issue 3, pp 233–235 | Cite as

Introduction to the special issue on runtime verification

Article

Runtime verification is a research area that is concerned with monitoring and dynamic analysis of evolving executions with respect to precisely specified properties. The primary motivation for this field of study, at its inception over a decade ago, was to overcome the scalability limitations of exhaustive design-time formal verification. Traditionally, model checking techniques suffer from state explosion that limits the size of systems that can be verified. Moreover, model checkers operate on models and thus introduce additional proof obligations on the correctness of abstraction or model creation. On the other hand, verification based on theorem proving usually involves a significant amount of manual effort that, effectively, limits the size of the system that can be verified. By concentrating on the current execution of the actual system, runtime verification techniques allow us to have automatic analysis that is less dependent on the size of the system and, at the same time, does not require as much abstraction.

Early efforts in the runtime verification community focused on characterizing properties suitable for checking at run time [2], on the generation of efficient monitors for properties specified in a variety of formal languages [7, 8] and on improving efficiency of monitoring by static analysis [3]. These efforts led to the development of mature tools, such as the MOP framework [9], within less than one decade of runtime verification research. A somewhat separate line of research was concerned with “specification-less” monitoring, which targets runtime checking algorithms for a set of common and well-defined problems. Typically, these algorithms are related to concurrency within the system, such as freedom from race conditions [5], atomicity [11], serializability [4], etc.

The runtime verification domain has seen an increased interest over the recent years, generating enough traction for the community to form its own international conference. This special issue contains selected revised papers presented at the First International Conference on Runtime Verification, held in St. Julians, Malta, on November 1–4, 2010. Collectively, the papers represent some of the most relevant current research directions within the runtime verification area.

Reduction of monitoring overhead remains an active research area. In contrast to the general-purpose techniques studied in the initial runtime verification research, current research concentrates on approaches specific to a particular application domain. Techniques applicable to low-level monitoring of embedded systems [10] and by necessity very different compared to techniques that can be used for the monitoring of web services [6]. This issue includes the paper “Optimized Temporal Monitors for SystemC” by Deian Tabakov, Kristin Rozier, and Moshe Vardi. The authors compare several ways to encode monitors embedded in SystemC designs and identify the most efficient ones in different scenarios through extensive evaluation. This paper will serve as a useful guide to implementors of efficient monitors in resource-constrained software systems.

An important question that remains when a monitoring approach to verification is used, is what happens when a problem is discovered by the checker. Runtime verification systems typically involve the capability of invoking recovery actions in response to property violations. Effectiveness of such recovery actions often depends on the assumption that system execution does not progress beyond the point of violation. That is, that checking is synchronous and the system is effectively stopped while checking is performed. This assumption may have a serious impact on the response time of the system and would be too restrictive in some cases. This issue contains the paper “Safer Asynchronous Runtime Monitoring Using Compensations,” by Christian Colombo, Gordon Pace, and Patrick Abela, which relaxes the synchronous checking assumption and aims to impose transaction-like semantics on system executions and explores the means of unrolling the execution back once a violation is discovered. The authors also propose means of switching between synchronous and asynchronous monitoring modes as means of a trade-off between performance and the level of assurance.

Another important direction of research in the runtime verification area is the generation of a trace from the execution of a system. In some cases, traces can be obtained by passive observation; for example, monitoring of bus traffic. However, in the cases when we are checking an execution of a software system, some kind of instrumentation is needed to extract observations. An important observation made in [1] was that construction of a monitor, which has to observe all accesses to an object of interest throughout a system execution, corresponds to an aspect in terms of aspect-oriented programming. This observation has led to significant advances in state of the art. A variety of tools for program instrumentation using aspect-oriented techniques has been proposed, becoming a dominant approach in runtime verification of software systems. This issue includes the paper “InterAspect: Aspect-Oriented Instrumentation with GCC” by Justin Seyster, Ketan Dixit, Xiaowan Huang, Radu Grosu, Klaus Havelund, Scott A. Smolka, Scott D. Stoller, and Erez Zadok, which builds upon a powerful and widely used compiler infrastructure. An important advantage of the framework is the access to static analysis modules within GCC, which can help to reduce overhead of the instrumentation. Combined with the large number of language front-ends supported by GCC, InterAspect provides an instrumentation framework that rivals most of the common instrumentation approaches for high-level languages.

One of the most pervasive research topics in specification-less monitoring is to devise specialized and efficient algorithms to dynamically detect very specific types of concurrency errors. Data-races remain one of the major types of concurrency errors, which can have catastrophic consequences. For example, they were among the flaws of the Therac-25 radiation therapy machine, which led to the death and serious injuries of several patients. Also, the North American Blackout of 2003 was caused by a race condition. There are many race detector systems developed by the runtime verification and testing communities, but in order to make their use widespread and an integral part of software development cycles, they need to be efficient. In this context, efficiency means low runtime overhead. This issue includes the paper “Efficient Data Race Detection for Async-Finish Parallelism” by Raghavan Raman, Jisheng Zhao, Vivek Sarkar, Martin Vechev, and Eran Yahav, which shows that various kinds of data-races can be detected with an average slowdown of about 3 times. This number is a significant improvement over the current state-of-the art dynamic race detectors, which often add an order of magnitude or more slowdown to the running system.

We hope that this special issue gives a quick, yet technical snapshot of the current research in runtime verification, and that it will encourage the reader to investigate and to contribute to this dynamic and growing field.

References

  1. 1.
    Allan C, Avgustinov P, Kuzins S, de Moor O, Sereni D, Sittampalam G, Tibble J, Christensen AS, Hendren L, Lhoták O (2005) Adding trace matching with free variables to AspectJ. In: Proceedings of the 20th ACM SIGPLAN conference on object-oriented programming, systems, languages, and applications (OOPSLA’05), pp 345–364 CrossRefGoogle Scholar
  2. 2.
    Bauer A, Leucker M, Schallhart C (2010) Comparing ltl semantics for runtime verification. J Log Comput 20(3):651–674 MathSciNetMATHCrossRefGoogle Scholar
  3. 3.
    Bodden E, Hendren L, Lhoták O (2007) A staged static program analysis to improve the performance of runtime monitoring. In: Proceedings of the 21st European conference on object-oriented programming (ECOOP’07). LNCS, vol 4609, pp 525–549 Google Scholar
  4. 4.
    Chen K, Malik S, Patra P (2008) Runtime validation of transactional memory systems. In: International symposium on quality electronic design, pp 750–756 Google Scholar
  5. 5.
    Elmas T, Qadeer S, Tasiran S (2006) Goldilocks: efficiently computing the happens-before relation using locksets. In: Proceedings of the workshop on formal approaches to testing and runtime verification (FATES/RV’06) Google Scholar
  6. 6.
    Hallé S, Bultan T, Hughes G, Alkhalaf M, Villemaire R (2010) Runtime verification of web service interface contracts. IEEE Comput 43(3):59–66 CrossRefGoogle Scholar
  7. 7.
    Havelund K, Roşu G (2002) Synthesizing monitors for safety properties. In: Proceedings of tools and algorithms for construction and analysis of systems (TACAS’02). LNCS, vol 2280, pp 342–356 CrossRefGoogle Scholar
  8. 8.
    Kim M, Kannan S, Lee I, Sokolsky O, Viswanathan M (2004) Java-MaC: a run-time assurance approach for Java programs. Form Methods Syst Des 24(2):129–155 MATHCrossRefGoogle Scholar
  9. 9.
    Meredith P, Jin D, Griffith D, Chen F, Roşu G (2011) An overview of the MOP runtime verification framework. Int J Softw Tools Technol Transf 14(3):249–289. Special Section on Runtime Verification CrossRefGoogle Scholar
  10. 10.
    Pike L, Goodloe A, Morisset R, Niller S (2010) Copilot: a hard real-time runtime monitor. In: International conference on runtime verification (RV 2010). LNCS, vol 6418 Google Scholar
  11. 11.
    Wang L, Stoller SD (2006) Runtime analysis of atomicity for multi-threaded programs. IEEE Trans Softw Eng 32:93–110 CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC 2012

Authors and Affiliations

  1. 1.University of PennsylvaniaPhiladelphiaUSA
  2. 2.University of IllinoisUrbana-ChampaignUSA

Personalised recommendations