Formal Methods in System Design

, Volume 49, Issue 1–2, pp 109–158 | Cite as

Organising LTL monitors over distributed systems with a global clock

  • Christian Colombo
  • Yliès FalconeEmail author


Users wanting to monitor distributed systems often prefer to abstract away the architecture of the system by directly specifying correctness properties on the global system behaviour. To support this abstraction, a compilation of the properties would not only involve the typical choice of monitoring algorithm, but also the organisation of submonitors across the component network. Existing approaches, considered in the context of LTL properties over distributed systems with a global clock, include the so-called orchestration and migration approaches. In the orchestration approach, a central monitor receives the events from all subsystems. In the migration approach, LTL formulae transfer themselves across subsystems to gather local information. We propose a third way of organising submonitors: choreography, where monitors are organised as a tree across the distributed system, and each child feeds intermediate results to its parent. We formalise choreography-based decentralised monitoring by showing how to synthesise a network from an LTL formula, and give a decentralised monitoring algorithm working on top of an LTL network. We prove the algorithm correct and implement it in a benchmark tool. We also report on an empirical investigation comparing these three approaches on several concerns of decentralised monitoring: the delay in reaching a verdict due to communication latency, the number and size of the messages exchanged, and the number of execution steps required to reach the verdict.


Monitoring LTL Distributed system Orchestration 



The work reported in this article has been done in the context of the COST Action ARVI IC1402, supported by COST (European Cooperation in Science and Technology). The authors would like to thank Adrian Francalenza (U of Malta), Susanne Graf (Vérimag), and César Sanchez (IMDEA Madrid) for discussions the issue on simplifying \(\text{ LTL } \) formulae. The authors are grateful to the DataMill team at the University of Waterloo for providing us with such a nice experimentation platform. The authors gratefully thank the anonymous reviewers for their comments and suggestions allowing to improve the quality of this paper.


  1. 1.
    Baier C, Katoen J (2008) Principles of model checking. MIT Press, CambridgezbMATHGoogle Scholar
  2. 2.
    Barringer H, Rydeheard DE, Havelund K (2010) Rule systems for run-time monitoring: from Eagle to RuleR. J Log Comput 20(3):675–706MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Bartocci E (2013) Sampling-based decentralized monitoring for networked embedded systems. In: 3rd international workshop on hybrid autonomous systems, EPTCS, vol 124, pp 85–99Google Scholar
  4. 4.
    Bauer A, Leucker M, Schallhart C (2010) Comparing LTL semantics for runtime verification. Log Comput 20(3):651–674MathSciNetCrossRefzbMATHGoogle Scholar
  5. 5.
    Bauer A, Leucker M, Schallhart C (2011) Runtime verification for LTL and TLTL. ACM Trans Softw Eng Methodol (TOSEM) 20(4):14CrossRefGoogle Scholar
  6. 6.
    Bauer AK, Falcone Y (2012) Decentralised LTL monitoring. In: 18th international symposium on formal methods, LNCS, vol 7436. Springer, pp 85–100Google Scholar
  7. 7.
    Colombo C, Falcone Y (2014) Organising LTL monitors over distributed systems with a global clock. In: Proceedings of the 5th international conference runtime verification (RV 2014), Lecture notes in computer science. Springer, pp 140–155Google Scholar
  8. 8.
    Dwyer MB, Avrunin GS, Corbett JC (1999) Patterns in property specifications for finite-state verification. In: International conference on software engineering (ICSE). ACM, pp 411–420Google Scholar
  9. 9.
    Etessami K, Holzmann GJ (2000) Optimizing Büchi automata. In: Palamidessi C (ed) CONCUR 2000—concurrency theory, 11th international conference, University Park, PA, USA, August 22–25, 2000, Lecture notes in computer science, vol 1877. Springer, pp 153–167Google Scholar
  10. 10.
    Falcone Y, Cornebize T, Fernandez J-C (2014) Efficient and generalized decentralized monitoring of regular languages. In: Ábrahám E, Palamidessi C (eds) FORTE 2014: 34th IFIP international conference on formal techniques for distributed objects, components and systems, LNCS, vol 8461. Springer, pp 66–83Google Scholar
  11. 11.
    Falcone Y, Fernandez J, Mounier L (2012) What can you verify and enforce at runtime? Int J Softw Tools Technol Transf 14(3):349–382CrossRefGoogle Scholar
  12. 12.
    Falcone Y, Havelund K, Reger G (2013) A tutorial on runtime verification. In: Broy M, Peled D, Kalus G (eds) Engineering dependable software systems, NATO science for peace and security series, D: Information and communication security, vol 34. IOS Press, pp 141–175Google Scholar
  13. 13.
    Francalanza A, Gauci A, Pace GJ (2013) Distributed system contract monitoring. J Log Algebr Program 82(5–7):186–215MathSciNetCrossRefzbMATHGoogle Scholar
  14. 14.
    Graf S, Peled D, Quinton S (2011) Monitoring distributed systems using knowledge. In: Bruni R, Dingel J (eds) Proceedings of the joint 13th IFIP WG 6.1 international conference and 31st IFIP WG 6.1, LNCS, vol 6722. Springer, pp 183–197Google Scholar
  15. 15.
    Gunzert M, Nägele A (1999) Component-based development and verification of safety critical software for a brake-by-wire system with synchronous software components. In: International symposium on SE for parallel and distributed systems (PDSE). IEEE, p 134Google Scholar
  16. 16.
    Harris D (2003) A taxonomy of parallel prefix networks. Signals Syst Comput 2:2213–2217Google Scholar
  17. 17.
    Havelund K, Goldberg A (2005) Verify your runs. In: Meyer B, Woodcock J (eds) Verified software: theories, tools, experiments, first IFIP TC 2/WG 2.3 conference, VSTTE 2005, Zurich, Switzerland, October 10–13, 2005, revised selected papers and discussions, Lecture notes in computer science, vol 4171. Springer, pp 374–383Google Scholar
  18. 18.
    Havelund K, Rosu G (2001) Monitoring programs using rewriting. In: 16th IEEE international conference on automated software engineering (ASE 2001), pp 135–143Google Scholar
  19. 19.
    Larrieu R, Shankar N (2014) A framework for high-assurance quasi-synchronous systems. In: Twelfth ACM/IEEE international conference on formal methods and models for codesign, MEMOCODE 2014, Lausanne, Switzerland, October 19–21, 2014. IEEE, pp 72–83Google Scholar
  20. 20.
    Leucker M, Schallhart C (2009) A brief account of runtime verification. J Log Algebr Program 78(5):293–303CrossRefzbMATHGoogle Scholar
  21. 21.
    Lynch WC (1968) Computer systems: reliable full-duplex file transmission over half-duplex telephone line. Commun ACM 11(6):407–410MathSciNetCrossRefGoogle Scholar
  22. 22.
    Manna Z, Pnueli A (1992) The temporal logic of reactive and concurrent systems. Springer-Verlag New York Inc, New YorkCrossRefzbMATHGoogle Scholar
  23. 23.
    Mayr R, Clemente L (2013) Advanced automata minimization. In: Giacobazzi R, Cousot R (eds) The 40th annual ACM SIGPLAN-SIGACT symposium on principles of programming languages, POPL ’13, Rome, Italy, January 23–25, 2013. ACM, pp 63–74Google Scholar
  24. 24.
    Miller SP, Whalen MW, Cofer DD (2010) Software model checking takes off. Commun ACM 53:58–64CrossRefGoogle Scholar
  25. 25.
    Pnueli A (1977) The temporal logic of programs. In: SFCS’77: Proceedings of the 18th annual symposium on foundations of computer science. IEEE Computer Society, pp 46–57Google Scholar
  26. 26.
    Pnueli A, Zaks A (2006) PSL model checking and run-time verification via testers. In: Misra J, Nipkow T, Sekerinski E (eds) FM 2006: formal methods, 14th international symposium on formal methods, Hamilton, Canada, August 21–27, 2006, Lecture notes in computer science, vol 4085. Springer, pp 573–586Google Scholar
  27. 27.
    Pnueli A, Zaks A (2008) On the merits of temporal testers. In: Grumberg O, Veith H (eds) 25 Years of model checking—history, achievements, perspectives, Lecture notes in computer science, vol 5000. Springer, pp 172–195Google Scholar
  28. 28.
    Pop T, Pop P, Eles P, Peng Z, Andrei A (2008) Timing analysis of the FlexRay communication protocol. Real-Time Syst 39:205–235CrossRefzbMATHGoogle Scholar
  29. 29.
    Rosu G, Havelund K (2005) Rewriting-based techniques for runtime verification. Autom Softw Eng 12(2):151–197MathSciNetCrossRefGoogle Scholar
  30. 30.
    Sen K, Rosu G, Agha G (2003) Generating optimal linear temporal logic monitors by coinduction. In: Saraswat VA (ed) Advances in computing science—ASIAN 2003 programming languages and distributed computation, 8th Asian computing science conference, Mumbai, India, December 10–14, 2003, Lecture notes in computer science, vol 2896. Springer, pp 260–275Google Scholar
  31. 31.
    Sen K, Vardhan A, Agha G, Rosu G (2006) Decentralized runtime analysis of multithreaded applications. In: 20th parallel and distributed processing symposium (IPDPS). IEEEGoogle Scholar
  32. 32.
    Sokolsky O, Havelund K, Lee I (2012) Introduction to the special section on runtime verification. Int J Softw Tools Technol Transf 14(3):243–247CrossRefGoogle Scholar
  33. 33.
    Somenzi F, Bloem R (2000) Efficient büchi automata from LTL formulae. In: Emerson EA, Sistla AP (eds) Computer aided verification, 12th international conference, CAV 2000, Chicago, IL, USA, July 15–19, 2000, Lecture notes in computer science, vol 1855. Springer, pp 248–263Google Scholar

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversity of MaltaMsidaMalta
  2. 2.Université Grenoble Alpes, Inria, LIGGrenobleFrance
  3. 3.University of Illinois at Urbana-ChampaignChampaignUSA

Personalised recommendations