A Counting Semantics for Monitoring LTL Specifications over Finite Traces

We consider the problem of monitoring a Linear Time Logic (LTL) specification that is defined on infinite paths, over finite traces. For example, we may need to draw a verdict on whether the system satisfies or violates the property "p holds infinitely often". The problem is that there is always a continuation of a finite trace that satisfies the property and a different continuation that violates it. We propose a two-step approach to address this problem. First, we introduce a counting semantics that computes, for each position in the trace, the number of steps needed to witness the satisfaction or violation of a formula. Second, we use this information to make a prediction on inconclusive suffixes. In particular, we consider a good suffix to be one that is shorter than the longest witness for a satisfaction, and a bad suffix to be one that is shorter than or equal to the longest witness for a violation. Based on this assumption, we provide a verdict assessing whether a continuation of the execution on the same system will presumably satisfy or violate the property.


Introduction
Alice is a verification engineer and she is presented with a new exciting and complex design. The requirements document coming with the design already incorporates functional requirements formalized in Linear Temporal Logic (LTL) [11]. The design contains features that are very challenging for exhaustive verification and her favorite model checking tool does not terminate in reasonable time.
Runtime Verification. Alice decides to tackle this problem using runtime verification (RV), a lightweight yet rigorous verification method. RV drops the exhaustiveness of model checking and analyzes individual traces generated by the system; thus it scales much better to industrial-size designs. RV can be applied directly to the design and does not require an abstract model of it. The method enables the automatic generation of monitors from formalized requirements and thus provides a systematic way to check whether the system executions satisfy or violate the specification.
Motivating Example. During her RV activities, Alice comes across the following unbounded response requirement, ψ ≡ G(r → F g): every request r coming from the environment must be granted (g) by the design in some finite, but unbounded, future. Alice realizes that she is trying to check a liveness property over a set of finite traces. She looks closer at the executions and identifies two interesting examples, trace τ1 and trace τ2, depicted in Table 1.
The runtime verification tool reports that both τ1 and τ2 presumably violate the unbounded response property. This verdict is against Alice's intuition. The evaluation of trace τ1 seems right to her: the request at Cycle 1 is followed by a grant at Cycle 3, but the request at Cycle 4 is never granted during that execution, so there is good reason to suspect a bug in the design. Then she looks at τ2 and observes that after every request the grant is given exactly 2 cycles later. It is true that the last request at Cycle 7 is not followed by a grant, but this seems to happen only because the execution ends at that cycle; the past observations in the trace give reason to think that this request would be followed by a grant in Cycle 9 if the execution were continued. Thus, Alice is not satisfied by the second verdict.
Alice looks closer at the way the LTL property is evaluated over finite traces. She finds out that temporal operators are given a strength: eventually and until are declared to be strong operators, while always and weak until are defined to be weak [7]. A strong temporal operator requires all outstanding obligations to be met before the end of the trace. In contrast, a weak temporal operator must not witness the violation of any outstanding obligation before the end of the trace. Under this interpretation, both τ1 and τ2 violate the unbounded response property.
Alice explores another popular approach to evaluate future temporal properties over finite traces -the 3-valued semantics for LTL [2]. In this setting, the Boolean set of verdicts is extended with a third unknown (or maybe) value. A finite trace satisfies (violates) the 3-valued LTL formula if and only if all the infinite extensions of the trace satisfy (violate) the same LTL formula under its classical interpretation. In all other cases, we say that the satisfaction of the formula by the trace is unknown. Alice applies the 3-valued interpretation of LTL on the traces τ 1 and τ 2 to evaluate the unbounded response property. In both situations, she ends up with the unknown verdict. Once again, this is not what she expects and it does not meet her intuition about the satisfaction of the formula by the observed traces.
Alice desires a semantics that evaluates LTL properties on finite traces by taking previous observations into account.
Contributions. In this paper, we study the problem of LTL evaluation over finite traces encountered by Alice and propose a solution. We introduce a new counting semantics for LTL that takes into account the intuition illustrated by the example from Table 1. This semantics computes for every position of a trace two values: the distances to the nearest satisfaction and violation of the co-safety, respectively safety, part of the specification. We use this quantitative information to make predictions about the (infinite) suffixes of the finite observations. We infer from these values the maximum time that we expect for a future obligation to be fulfilled, and compare it to the value that we have for an open obligation at the end of the trace. If the latter is greater than the expected maximum value, we have a good indication of a presumed violation; if it is at most that value, we have an indication of a presumed satisfaction. Either verdict is reported to the user. In particular, our approach will indicate that τ1 is likely to violate the specification and should be further inspected. In contrast, it will evaluate that τ2 most likely satisfies the unbounded response property.
Organization of the paper. The rest of the paper is organized as follows. We discuss the related work in Section 2 and we provide the preliminaries in Section 3. In Section 4 we present our new counting semantics for LTL, while in Section 5 we show how to make predictions about the (infinite) suffixes of the finite observations. Section 6 shows the application of our approach to some examples. Finally in Section 7 we draw our conclusions.

Related Work
The finitary interpretation of LTL was first considered in [9], where the authors propose to enrich the logic with a weak next operator that is dual to the (strong) next operator defined on infinite traces. While the strong next requires the existence of a next state, the weak next trivially evaluates to true at the end of the trace. In [7], the authors propose a more semantic approach with weak and strong views for evaluating future obligations at the end of the trace. In essence, the empty word satisfies (violates) every formula according to the weak (strong) view. Both approaches result in the violation of the specification ψ by both traces τ1 and τ2.
The authors in [2] propose a 3-valued finitary interpretation of LTL, in which the set {true, false} of verdicts is extended with a third inconclusive verdict. According to the 3-valued LTL, a finite trace satisfies (violates) a specification iff all its infinite extensions satisfy (violate) the same property under the classical LTL interpretation. Otherwise, it evaluates to inconclusive. The main disadvantage of the 3-valued semantics is the dominance of the inconclusive verdict in the evaluation of many interesting LTL formulas. In fact, both τ1 and τ2 from Table 1 evaluate to inconclusive against the unbounded response specification ψ.
In [3], the authors combine the weak and strong operators with the 3-valued semantics to refine the inconclusive verdict into {presumably true, presumably false}. The strength of the remaining future obligation dictates the presumable verdict. The authors in [10] propose a finitary semantics for each class of the LTL hierarchy (safety, liveness, persistence and recurrence) that asymptotically converges to the infinite-trace semantics of the logic. In these two works, the specification ψ also evaluates to the same verdict for both traces τ1 and τ2.
To summarize, none of the related work handles the unbounded response example from Table 1 in a satisfactory manner. This is because these approaches decide the verdict based on the specification and its remaining future obligations at the end of the trace. In contrast, we propose an approach in which the past observations within the trace are used to predict the future and derive the appropriate verdict. In particular, the application of our semantics to the evaluation of ψ over τ1 and τ2 results in the verdicts presumably false and presumably true, respectively.
In [14], the authors propose another predictive semantics for LTL. In essence, this work assumes that at every point in time the monitor is able to precisely predict a segment of the trace that it has not observed yet and produce its outcome accordingly. In order to ensure such predictive power, this approach requires a white-box setting in which instrumentation and some form of static analysis of the systems are needed in order to foresee in advance the upcoming observations. This is in contrast to our work, in which the monitor remains a passive participant and predicts its verdict only based on the past observations.
In a different research thread [13], the authors introduce the notion of monitorable specifications that can be positively or negatively determined by a finite trace. The monitorability of LTL is further studied in [12,4]. This classification of specifications is orthogonal to our work. We focus on providing a sensible evaluation to all LTL properties, including the non-monitorable ones (e.g., GF p).
We also mention the recent work on statistical model checking for LTL [6]. In this work, the authors assume a gray-box setting, where the system under test (SUT) is a Markov chain with a known minimum transition probability. This is in contrast to our work, in which we passively observe existing finite traces generated by the SUT, i.e., we have a black-box setting.
In [1], the authors propose extending LTL with a discounting operator and study the properties of the augmented logic. The LTL specification formalism is extended with path-accumulation assertions in [5]. These LTL extensions are motivated by the need for a more quantitative and refined analysis of the systems. In our work, the motivation for the counting semantics is quite different. We use the quantitative information that we collect during the execution of the trace to predict the future behavior of the system and thus improve the quality of the monitoring verdict.

Preliminaries
We first introduce traces and Linear Temporal Logic (LTL) that we interpret over 3-valued semantics.
Definition 2 (Linear Temporal Logic). In this paper, we consider linear temporal logic (LTL) and we define its syntax by the grammar: where p ∈ P . We denote by Φ the set of all LTL formulas.
From the basic definition we can derive the other standard Boolean and temporal operators. Let π ∈ Π^ω be an infinite trace and φ an LTL formula. The satisfaction relation (π, i) ⊨ φ is defined inductively as usual. We now recall the 3-valued semantics from [2]. We denote by [π ⊨₃ φ] the evaluation of φ with respect to a finite trace π ∈ Π^*, which yields a value in {⊤, ⊥, ?}.
We now restrict LTL to a fragment without the explicit ⊤ and ⊥ symbols and with an explicit F operator that we add to the syntax. We provide an alternative 3-valued semantics for this fragment, denoted by µ_π(φ, i), where i ∈ N>0 indicates a position in or outside the trace. We assume the order ⊥ < ? < ⊤ and extend the Boolean operations to the 3-valued domain with the rules ¬₃ ⊤ = ⊥, ¬₃ ⊥ = ⊤, ¬₃ ? = ? and φ₁ ∨₃ φ₂ = max(φ₁, φ₂). The semantics is defined inductively on the structure of the formula. We note that the adapted semantics allows a finite trace to be evaluated in polynomial time, in contrast to [π ⊨₃ φ], which requires a PSPACE-complete algorithm. This improvement in complexity comes at a price: the adapted semantics cannot semantically characterize tautologies and contradictions. For example, µ_π(p ∨ ¬p, 1) evaluates to ? on the empty word, despite the fact that p ∨ ¬p is semantically equivalent to ⊤. The novel semantics that we introduce in the following sections makes the same tradeoff.
In the following lemma, we relate the two three-valued semantics.

Counting Finitary Semantics for LTL
In this section, we introduce the counting semantics for LTL. We first provide necessary definitions in Section 4.1, we present the new semantics in Section 4.2 and finally propose a predictive mapping that transforms the counting semantics into a qualitative 5-valued verdict in Section 4.3.

Definitions
Let N⁺ = N₀ ∪ {∞, −} be the set of natural numbers (including 0) extended with the two special symbols ∞ (infinite) and − (impossible), ordered such that n < ∞ < − for all n ∈ N₀. We define the addition ⊕ of two elements a, b ∈ N⁺ as follows.
Definition 4 (Operator ⊕). We define the binary operator ⊕ : N⁺ × N⁺ → N⁺ such that for a, b ∈ N⁺, a ⊕ b = a + b if a, b ∈ N₀, and a ⊕ b = max{a, b} otherwise.
We denote by (s, f) a pair of two extended numbers s, f ∈ N⁺. In Definition 5, we introduce several operations on pairs: (1) the swap of the two values (∼), (2) the increment by 1 of both values (⊕1), (3) the minmax binary operation (⊔), which gives the pair consisting of the minimum of the first values and the maximum of the second values, and (4) the maxmin binary operation (⊓), which is symmetric to (⊔).
Definition 7 introduces the counting semantics for LTL, which for a finite trace π and an LTL formula φ gives a pair (s, f) ∈ N⁺ × N⁺. We call s and f the satisfaction and violation witness counts, respectively. Intuitively, the value s (f) denotes the minimal number of additional steps needed to witness the satisfaction (violation) of the formula. The value ∞ denotes that the property can be satisfied (violated) only in an infinite number of steps, while − means that the property cannot be satisfied (violated) by any continuation of the trace.

Semantics
We now present our finitary semantics.
Definition 7 (Counting finitary semantics). Let π ∈ Π^* be a finite trace, i ∈ N>0 a position in or outside the trace and φ ∈ Φ an LTL formula. We define the counting finitary semantics of LTL as the function d_π(φ, i) ∈ N⁺ × N⁺, by case analysis on φ. We now provide some motivation behind the individual cases.
Proposition. A proposition is evaluated either before or after the end of the trace. If it is evaluated before the end of the trace and the proposition holds, the satisfaction and violation witness counts are trivially 0 and −, respectively. If the proposition does not hold, the witness counts are the symmetric ones, − and 0. Finally, we take an optimistic view when evaluating a proposition after the end of the trace: the trace can be extended to a trace of i steps in which p holds, and to one in which p does not hold, so both witness counts are 0.
Negation. Negating a formula simply swaps the witness counts. If we witness the satisfaction of φ in n steps, we witness the violation of ¬φ in n steps, and vice versa.
Disjunction. We take the shorter satisfaction witness count, because the satisfaction of one subformula is enough to satisfy the property, and the longer violation witness count, because both subformulas need to be violated to violate the property.
Next. The next operator naturally increases both witness counts by one step.
Eventually. We use the rewriting rule F φ ≡ φ ∨ X F φ to define the semantics of the eventually operator. When evaluating the formula after the end of the trace, we replace the remaining obligation X F φ by the pair (−, ∞). Thus, F φ evaluated on the empty word is satisfied by a suffix that satisfies φ, and it is violated only by infinite suffixes.
Until. We use the same principle for defining the until semantics that we used for the eventually operator, unrolling φ U ψ by one step. On the empty word, φ U ψ is satisfied (in the shortest way) by a suffix that satisfies ψ, and it is violated by a suffix that violates both φ and ψ.
Example 8. We refer to our motivating example from Table 1 and evaluate the trace τ2 with respect to the specification ψ. We present the outcome in Table 2. Every proposition evaluates to (0, −) when true: the satisfaction of a proposition that holds at time i is immediately witnessed and cannot be violated by any suffix. Similarly, a proposition evaluates to (−, 0) when false. The valuations of F g count the number of steps to positions in which g holds. For instance, the first time at which g holds is i = 3, hence F g evaluates to (2, −) at time 1, (1, −) at time 2 and (0, −) at time 3. We also note that F g evaluates to (0, ∞) at the position immediately after the end of the trace: it could be immediately satisfied by continuing the trace with g holding, but it could be violated only by an infinite suffix in which g never holds. Finally, we observe that G(r → F g) evaluates to (∞, ∞) at all positions, since the property can be both satisfied and violated only with infinite suffixes.
Not all pairs (s, f ) ∈ N + × N + are possible according to the counting semantics. We present the possible pairs in Lemma 9.
Lemma 9. Let π ∈ Π^* be a finite trace, φ an LTL formula and i ∈ N₀ an index.
Proof. The proof can be obtained using structural induction on the LTL formula (see Appendix A.2).
Finally, we relate our counting semantics to the three valued semantics in Lemma 10.
Lemma 10. Let φ be an LTL formula, π ∈ Π^* a finite trace and i ∈ N>0 an index. We have that
Intuitively, Lemma 10 holds because the symbol − is introduced within the trace only when a satisfaction (violation) is observed, and the values of a pair propagate only into the past, never into the future.
We evaluate a property on a trace to ⊤ (⊥) when the satisfaction (violation) can be fully determined from the trace, following the definition of the three-valued semantics µ. Intuitively, this takes care of the case in which the safety (co-safety) part of a formula has been violated (satisfied), at least for properties that are intentionally safe (intentionally co-safe, resp.) [8].
Whenever the truth value is not determined, we distinguish whether d_π(φ, i) indicates the possibility of a satisfaction, respectively violation, in finite time or not. For possible satisfactions, respectively violations, in finite time we make a prediction on whether past observations support the belief that the trace is going to satisfy or violate the property. If the predictions are neither inconclusive nor contradictory, we evaluate the trace to the (presumable) truth value ⊤P or ⊥P. If we cannot make a prediction to a truth value, we compute the truth value recursively based on the operator in the formula and the truth values of the subformulas (with temporal operators unrolled).
We use the predicate pred_π to give the prediction based on the observed witnesses for satisfaction. The predicate pred_π(φ, i) becomes ? when no witness for satisfaction exists in the past. When there exists a witness that requires at least the same number of additional steps as the obligation under evaluation, the predicate evaluates to ⊤. If all the existing witnesses (and at least one exists) are shorter than the current obligation, the predicate evaluates to ⊥. For a prediction on the violation we make a prediction on the satisfaction of ¬φ, i.e., we compute pred_π(¬φ, i) from d_π(¬φ, i).

Definition 11 (Prediction predicate).
Let s, f denote natural numbers and let For the evaluation we consider a case split among the possible combinations of values in the pairs.
Example 13. The outcome of evaluating τ2 from Table 1 is shown in Table 3. The subformula r → F g is predicted to be ⊤P at i = 7 because there exists a longer witness for satisfaction in the past (e.g., at i = 1). Thus, the trace evaluates to ⊤P, as expected.
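The counting semantics of Definition 7, as described case by case in Section 4.2, together with the prediction predicate pred_π of Section 5, as an added Python example that is not part of the paper. Formulas are tuples over the core syntax (p, ¬, ∨, X, F, U), with ∧, → and G derived as in Section 3. The end-of-trace replacement (−, ∞) for X F φ is the one stated above; the one-step unrolling φ U ψ ≡ ψ ∨ (φ ∧ X(φ U ψ)) and the replacement (∞, −) for X(φ U ψ) are assumptions read off the prose of the until case; and pred_π is implemented under the assumption that a past witness is a position j < i whose pair has the form (s, −) with s finite. The traces TAU1 and TAU2 are constructed from the description of Table 1 in the introduction (the table itself is not reproduced here), and all function and variable names are the example's own:

```python
"""Counting finitary semantics d_pi(phi, i) and the prediction predicate pred_pi(phi, i).

Added example, not the paper's own code. Pairs are Python tuples (s, f) over the
extended naturals N+ = N0 ∪ {∞, −}, ordered n < ∞ < −.
"""

INF = float("inf")  # the symbol ∞: only an infinite suffix can witness it
IMP = "-"           # the symbol −: no continuation can witness it


def _rank(a):
    """Total order n < ∞ < − on N+ (ints compare naturally within rank 0)."""
    if a == IMP:
        return (2, 0)
    if a == INF:
        return (1, 0)
    return (0, a)


def emin(a, b):
    return a if _rank(a) <= _rank(b) else b


def emax(a, b):
    return a if _rank(a) >= _rank(b) else b


def oplus(a, b):
    """Definition 4: a + b when both are natural numbers, max{a, b} otherwise."""
    if isinstance(a, int) and isinstance(b, int):
        return a + b
    return emax(a, b)


# Definition 5: operations on pairs (s, f)
def swap(p):        # ∼  exchange satisfaction and violation counts (negation)
    return (p[1], p[0])


def inc(p):         # ⊕1 one more step for both counts (next)
    return (oplus(p[0], 1), oplus(p[1], 1))


def minmax(p, q):   # ⊔  shorter satisfaction, longer violation (disjunction)
    return (emin(p[0], q[0]), emax(p[1], q[1]))


def maxmin(p, q):   # ⊓  symmetric to ⊔ (conjunction)
    return (emax(p[0], q[0]), emin(p[1], q[1]))


# Core syntax as tuples; derived operators are expanded as in Section 3.
def P(name):       return ("p", name)
def Not(a):        return ("not", a)
def Or(a, b):      return ("or", a, b)
def X(a):          return ("X", a)
def F(a):          return ("F", a)
def U(a, b):       return ("U", a, b)
def And(a, b):     return Not(Or(Not(a), Not(b)))
def Implies(a, b): return Or(Not(a), b)
def G(a):          return Not(F(Not(a)))


def d(trace, phi, i):
    """Definition 7: witness-count pair of phi at 1-based position i.

    `trace` is a list of dicts mapping proposition names to bools; i may lie
    beyond the end of the trace (i > len(trace)).
    """
    n = len(trace)
    op = phi[0]
    if op == "p":
        if i > n:                      # optimistic past the end: either extension exists
            return (0, 0)
        return (0, IMP) if trace[i - 1][phi[1]] else (IMP, 0)
    if op == "not":
        return swap(d(trace, phi[1], i))
    if op == "or":
        return minmax(d(trace, phi[1], i), d(trace, phi[2], i))
    if op == "X":
        return inc(d(trace, phi[1], i))
    if op == "F":                      # F a ≡ a ∨ X F a; X F a becomes (−, ∞) past the end
        rest = (IMP, INF) if i > n else inc(d(trace, phi, i + 1))
        return minmax(d(trace, phi[1], i), rest)
    if op == "U":                      # a U b ≡ b ∨ (a ∧ X(a U b)); assumed (∞, −) past the end
        rest = (INF, IMP) if i > n else inc(d(trace, phi, i + 1))
        return minmax(d(trace, phi[2], i), maxmin(d(trace, phi[1], i), rest))
    raise ValueError(f"unknown operator {op!r}")


def pred(trace, phi, i):
    """pred_pi(phi, i): "T", "F" or "?" (Section 5).

    Assumption: a witness is a past position j < i with d = (s_j, −), s_j finite.
    """
    s_i, _ = d(trace, phi, i)
    if not isinstance(s_i, int):       # no satisfaction in finite time: nothing to predict
        return "?"
    witnesses = [s for s, f in (d(trace, phi, j) for j in range(1, i))
                 if f == IMP and isinstance(s, int)]
    if not witnesses:
        return "?"
    return "T" if max(witnesses) >= s_i else "F"


def mk_trace(**signals):
    """Constructed helper: mk_trace(r="1001", g="0010") -> one dict per cycle."""
    length = len(next(iter(signals.values())))
    return [{name: bits[k] == "1" for name, bits in signals.items()} for k in range(length)]


# Constructed from the prose description of Table 1 (not the table itself):
TAU1 = mk_trace(r="1001000", g="0010000")   # request at cycle 4 never granted
TAU2 = mk_trace(r="1001001", g="0010010")   # every request granted two cycles later
REQ = Implies(P("r"), F(P("g")))            # r → F g
PSI = G(REQ)                                # unbounded response ψ
```

With these traces, d(TAU2, F(P("g")), 1) is (2, −) and d(TAU2, PSI, i) is (∞, ∞) at every position, as in Example 8; pred gives ⊤ for r → F g at i = 7 on τ2 (Example 13) and ⊥ at i = 4 on τ1, where the open obligation needs 4 steps but the longest past witness needed 2. The full 5-valued evaluation (the case split of Section 5 and the auxiliary function r_π) is not implemented here.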
In Figure 1 we visualize the evaluation of a pair d_π(φ, i) = (s, f) for a fixed φ and a fixed position i. The x-axis shows the witness count s for a satisfaction and the y-axis the witness count f for a violation. For a value s, respectively f, that is smaller than the length of the suffix starting at position i (with the other value of the pair always being −), the evaluation is ⊤, respectively ⊥. Otherwise the evaluation depends on the values s_max and f_max, the largest witness counts for a satisfaction and a violation observed in the past, i.e., at positions smaller than i in the trace. Based on the prediction function pred_π(φ, i) the evaluation becomes ⊤P, ? or ⊥P, where ? indicates that the auxiliary function r_π(φ, i) has to be applied. Starting at an arbitrary point in the diagram and moving to the right increases the witness count for a satisfaction while the witness count for a violation remains constant; thus moving to the right makes the pair "more false". The same holds when the witness count for a satisfaction is kept constant and one moves up in the diagram, as this decreases the witness count for a violation. Analogously, moving down and/or left makes the pair "more true", as the witness count for a violation gets larger and/or the witness count for a satisfaction gets smaller. Our 5-valued predictive evaluation refines the 3-valued LTL semantics.
Theorem 14. Let φ be an LTL formula, π ∈ Π^* and i ∈ N>0. We have
Theorem 14 holds because the evaluation to ⊤ and ⊥ is simply the mapping of a pair that contains the symbol −, which we have related to the three-valued semantics in Lemma 10.
Recall that N⁺ × N⁺ is partially ordered. We now show that a trace being "more true" than another is correctly reflected in our finitary semantics. To define "more true", we first need the polarity of a proposition in an LTL formula.
Definition 16 (Polarity). Let #¬ be the number of negation operators on a specific path in the parse tree of φ starting at the root. We define the polarity pol(p) of a proposition p in an LTL formula φ as follows:
pol(p) = pos, if #¬ is even on all paths from the root to a leaf labelled p;
pol(p) = neg, if #¬ is odd on all paths from the root to a leaf labelled p;
pol(p) = mixed, otherwise.
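The polarity computation of Definition 16, as an added Python example that is not part of the paper. It uses the same tuple encoding of the core syntax (p, ¬, ∨, X, F, U) as the rest of this section's examples and assumes that the derived operators ∧, → and G are expanded into ¬, ∨ and F before the parse tree is walked, so that the negations hidden in G and → count; returning None for a proposition that does not occur in the formula is the example's own convention, not part of the definition:

```python
"""Polarity of a proposition in an LTL formula (Definition 16). Added example."""


def P(name):       return ("p", name)
def Not(a):        return ("not", a)
def Or(a, b):      return ("or", a, b)
def X(a):          return ("X", a)
def F(a):          return ("F", a)
def U(a, b):       return ("U", a, b)
def And(a, b):     return Not(Or(Not(a), Not(b)))   # expanded: negations become visible
def Implies(a, b): return Or(Not(a), b)
def G(a):          return Not(F(Not(a)))


def polarity(phi, name):
    """Return "pos", "neg" or "mixed" for proposition `name` in `phi`.

    Returns None (an assumption of this example) if `name` does not occur in phi.
    """
    parities = set()   # parities of #¬ on every root-to-leaf path that ends in `name`

    def walk(node, negations):
        op = node[0]
        if op == "p":
            if node[1] == name:
                parities.add(negations % 2)
        elif op == "not":
            walk(node[1], negations + 1)
        else:                         # or, X, F, U: the negation count is unchanged
            for child in node[1:]:
                walk(child, negations)

    walk(phi, 0)
    if not parities:
        return None
    if parities == {0}:
        return "pos"
    if parities == {1}:
        return "neg"
    return "mixed"
```

For the unbounded response property G(r → F g), expanded to ¬F¬(¬r ∨ F g), the path to g crosses two negations and the path to r three, so g has positive and r negative polarity; r in r ∧ ¬r has mixed polarity.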
With the polarity defined, we now define the constraints for a trace to be "more true" with respect to an LTL formula φ.
Definition 17 (π ⊑ φ π ′ ). Given two traces π and π ′ of equal length and an LTL formula φ over proposition p, we define that π ⊑ φ π ′ iff Whenever one trace is "more true" than another, this is correctly reflected in our finitary semantics.
Theorem 18 holds because replacing an observed value in π by one of positive polarity in π′ always yields, for d_π(φ, 1) = (s, f) and d_π′(φ, 1) = (s′, f′), that s′ ≤ s and f′ ≥ f: with π ⊑_φ π′, the trace π′ witnesses a satisfaction of φ no later than π does, and π′ witnesses a violation of φ no earlier than π does.
In Table 4 we give examples that illustrate the transition from one evaluation to another. Note that it is possible to change from ⊤P to ⊥P. However, it is only the predicted truth value that becomes "worse", because we have strengthened the prefix on which the prediction is based; the values of d_π(φ, i) do not change in such a case.

Examples
We demonstrate the strengths and weaknesses of our approach on the LTL specifications and traces shown in Table 5. We fully develop these examples in Appendix B. Table 6 summarizes the evaluation of our examples; its first and second columns denote the evaluated specification and trace. We use these examples to compare LTL with counting semantics (c-LTL), presented in this paper, to the other two popular finitary LTL interpretations, the 3-valued LTL semantics [2] (3-LTL) and LTL on truncated paths [7] (t-LTL). We recall that in t-LTL there is a distinction between a weak and a strong next operator. We denote by t-LTL-s (t-LTL-w) the specifications from our examples in which X is interpreted as the strong (weak) next operator, and we always give a strong interpretation to U and F and a weak interpretation to G.

Table 5 (partial): Specifications and traces.
  ψ1 ≡ F X g          π1: g: ⊥⊥⊥⊥
  ψ2 ≡ G X g          π2: g: ⊤⊤⊤⊤
  ψ3 ≡ G(r → F g)     π3: r: ⊥⊤⊥⊥⊤⊥
                      π5: r: ⊥⊤⊤⊤⊤⊥⊤⊤
                          g: ⊥⊤⊥⊥⊥⊥⊤⊥

There are two immediate observations that we can make regarding the results presented in Table 6. First, 3-valued LTL gives an inconclusive verdict for all the examples, feedback that after all has little value to a verification engineer. Second, the verdicts from c-LTL and t-LTL can differ quite a lot, which is not very surprising given the different strategies used to interpret the unseen future. We now comment further on these examples, explaining the results in more detail and highlighting the intuitive outcomes of c-LTL for a large class of interesting LTL specifications.

Effect of Nested Next
We evaluate with ψ1 and ψ2 the effect of nesting X in an F and a G formula, respectively. We make a prediction on X g at the end of the trace before evaluating F and G. As a consequence, (ψ1, π1) evaluates to presumably false, while (ψ2, π2) evaluates to presumably true. In t-LTL, this class of specifications is very sensitive to the weak/strong interpretation of next, as we can see from the verdicts.

Request/Grants
We evaluate the request/grant property ψ 3 from the motivating example on the trace π 3 . We observe that r at cycle 2 is followed by g at cycle 3, while r at cycle 5 is not followed by g at cycle 6. Hence, (ψ 3 , π 3 ) evaluates to presumably false.

Concurrent Request/Grants
We evaluate the specification ψ 4 against the trace π 4 . In this example r 1 is triggered at even time stamps and r 2 is triggered at odd time stamps. Every request is granted in one cycle. It follows that regardless of the time when the trace ends, there is one request that is not granted yet. We note that ψ 4 is a conjunction of two basic request/grant properties and we make independent predictions for each conjunct. Every basic request/grant property is evaluated to presumably true, hence (ψ 4 , π 4 ) evaluates to presumably true. At this point, we note that in t-LTL, every request that is not granted by the end of the trace results in the property violation, regardless of the past observations.

Until

We use the specification ψ5 and the trace π5 to evaluate the effect of U on the predictions. The specification requires that X r holds continuously until X X g becomes true. In π5, X r is witnessed at cycles 1 to 4, while X X g is witnessed at cycle 5. We can also see that X r is again witnessed from cycle 6 until the end of the trace at cycle 8. As a consequence, (ψ5, π5) evaluates to presumably true.

Stabilization

The specification ψ6 says that the value of g has to eventually stabilize to either true or false. We evaluate the formula on two traces, π6 and π7. In the trace π6, g alternates between true and false every two cycles and becomes true in the last cycle. Hence there is no sufficiently long witness of stabilization, and (ψ6, π6) evaluates to presumably false. In the trace π7, g also alternates between true and false every two cycles, but in the last four cycles g remains continuously true. As a consequence, (ψ6, π7) evaluates to presumably true. This example also illustrates the importance of where the trace is truncated. If both π6 and π7 were truncated at cycle 5, both (ψ6, π6) and (ψ6, π7) would evaluate to presumably false. We note that ψ6 is satisfied by all traces in t-LTL.

Sub-formula Domination
The specification ψ7 exposes a weakness of our approach. It requires that in every cycle, either r or g is witnessed in some unbounded future. With our approach, (ψ7, π8) evaluates to presumably false. This is against our intuition, because we have observed that g regularly becomes true every second time step. However, in this example our prediction for F r dominates the prediction for F g, leading to the unexpected presumably false verdict. On the other hand, the t-LTL interpretation of the same specification depends only on the last values of r and g.

Semantically Equivalent Formulas
We now demonstrate that our approach may give different answers for semantically equivalent formulas. For instance, both ψ8 and ψ9 are semantically equivalent to ψ7. We have that (ψ8, π8) evaluates to presumably false, while (ψ9, π8) evaluates to presumably true. We note that t-LTL verdicts are stable across semantically equivalent formulas.

Conclusion
We have presented a novel finitary semantics for LTL that uses the history of satisfactions and violations in a finite trace to predict whether the co-safety and safety aspects of a formula will be satisfied in the extension of the trace to an infinite one. We claim that the semantics closely follows human intuition when predicting the truth value of a trace. The presented examples (including non-monitorable LTL properties) illustrate our approach and support this claim. Our definition of the semantics is trace-based, but it is easily extended to take an entire database of traces into account, which may make the approach more precise. Our approach uses a very simple form of learning to predict the future. It would be interesting to consider more elaborate learning methods to make better predictions.

A.1 Proof for Lemma 3
Proof. Let i ∈ N>0 with i ≤ n = |π| and n > 0, and let π_{i···n} be the suffix of π starting at position i. The proof proceeds by induction on the structure of the formula.
In the first case (a proposition) the claim is true by assumption. For the other three cases we have:
Induction step for X ϕ. We can prove that for i + 1 ≤ n the claim is true by assumption.
Induction step for F ϕ. We can prove that there exists j with i ≤ j ≤ |π| such that the claim holds; the first subcase is always false and the second is true.
Induction step for ϕ1 U ϕ2. We can prove that:

A.2 Proof for Lemma 9
Let s, f ∈ N₀ ∪ {∞}. We first define the following sets: the set P⁺_{i,π} represents the set of all possible pairs of the form (a, −), the set P⁻_{i,π} represents the set of all possible pairs of the form (−, a), and P^?_{i,π} represents the remaining possible pairs. We now state and prove the following proposition, which is used later to prove Lemma 9.
Proof. We now need to prove the closure of P i,π under d π (φ, i) inductively on the structure of the LTL formula by considering all the possible cases.

B Examples
Evaluation of the Next Operator: In Table 7 we illustrate the evaluation of the X operator nested in an F property and nested in a G property.
Our approach focuses on observed past behavior and predicts evaluations of subformulas when possible. The prediction on X g is necessary to draw a conclusion on the eventually, respectively globally, property being violated, respectively satisfied. For the trace in Table 7 (a) our approach results in the expected presumably false verdict, because we have always observed X g being violated and we do not expect it to be satisfied. For the trace in Table 7 (b) our approach results in the expected presumably true verdict, because we have always observed X g being satisfied and we do not expect it to be violated.
Table 7: Evaluation of the X operator nested in an F and a G property. (a) F X g. (b) G X g.
Request/Acknowledge Properties: As a running example we have already illustrated (Examples 8 and 13) the evaluation of trace τ2 from the motivation against the property ψ ≡ G(r → F g). We now also evaluate the other trace from the motivation, τ1; Table 8 presents the evaluation. While for many positions (such as i = 5) the signal r dominates (it is false, and thus the implication is trivially satisfied), this is not the case for position i = 4. At this position the implication is not yet satisfied within the trace, and it can be satisfied at the earliest in 4 steps, by extending the trace with g = true at i = 8. However, the longest observed witness for satisfaction of the implication is at i = 1 and requires two additional steps. As we have never observed a witness that requires at least 4 additional steps for a satisfaction, the suffix at i = 4 is concluded to be presumably false. Hence the globally property is expected to be violated, and we conclude that this trace presumably violates the given property.
Table 8: Trace τ1 from the motivation.
Next we illustrate in Table 9 why predictions on the different levels of subformulas are necessary. Note that the prediction for the property F g at Position 5 is ⊤_P, because there exists a witness in the past (at Position 1) that required the same amount of additional steps for satisfaction. When evaluating the property r → F g, the prediction for the same Position becomes ⊥_P, because now the longest witness (at Position 2) only requires one additional step, which is shorter than the required two additional steps (at Position 5). This is because the signal g is related to the signal r, and at Position 1 the truth value of signal r dominates. Human intuition supports this evaluation. While evaluating only F g allows the observer to conclude that it always takes two additional steps to observe the grant, this is not the case when evaluating r → F g. For this property, the signal g is only relevant whenever a request r is observed, and then the grant g is observed in one additional step.
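The two request/acknowledge evaluations above, worked in code. This is an added illustration written for this page, not the paper's implementation: the counting rules (a count tagged True for a witness that lies beyond the trace end, F never violated in finite time, G written as ¬F¬, the satisfaction witness checked before the violation witness, and the verdict of an (∞, ∞) subformula combined from its children's verdicts) are my reading of the examples, and the trace is constructed to mirror the F g versus r → F g case.

```python
import math
INF = (math.inf, False)  # the witness can never be observed in finitely many steps

def count(phi, trace, i):
    """(s, f): steps to witness satisfaction / violation of phi at i; a count (n, True) lies beyond the trace."""
    op = phi[0]
    if op == "atom":
        if i >= len(trace):  # beyond the trace: decidable at the earliest by a one-step extension
            return ((0, True), (0, True))
        return ((0, False), INF) if trace[i][phi[1]] else (INF, (0, False))
    if op == "not":
        s, f = count(phi[1], trace, i)
        return (f, s)
    if op == "or":
        (s1, f1), (s2, f2) = count(phi[1], trace, i), count(phi[2], trace, i)
        return (min(s1, s2), max(f1, f2))
    if op == "X":
        s, f = count(phi[1], trace, i + 1)
        return ((s[0] + 1, s[1]), (f[0] + 1, f[1]))
    # "F": earliest j >= i (one position past the trace included) minimising witness + distance j - i
    cands = [count(phi[1], trace, j)[0] for j in range(i, max(i, len(trace)) + 1)]
    return (min((n + j - i, t) for j, (n, t) in enumerate(cands, i)), INF)  # F is never violated finitely

def longest(phi, trace, k):
    """Longest observed (untagged, finite) witness of kind k (0 = satisfaction, 1 = violation)."""
    ws = [count(phi, trace, j)[k] for j in range(len(trace))]
    ws = [n for n, t in ws if not t and n != math.inf]
    return max(ws) if ws else None

def predict(phi, trace, i):
    """5-valued verdict: -2 false, -1 presumably false, 0 unknown, 1 presumably true, 2 true."""
    (sn, st), (fn, ft) = count(phi, trace, i)
    if not st and sn != math.inf: return 2
    if not ft and fn != math.inf: return -2
    if st:  # inconclusive suffix: compare with the longest observed witness (satisfaction first, assumed)
        smax = longest(phi, trace, 0)
        return 1 if smax is not None and sn <= smax else -1
    if ft:
        fmax = longest(phi, trace, 1)
        return -1 if fmax is not None and fn <= fmax else 1
    op = phi[0]  # (inf, inf): no count-based prediction, so combine the subformulas' verdicts
    if op == "not": return -predict(phi[1], trace, i)
    if op == "or": return max(predict(phi[1], trace, i), predict(phi[2], trace, i))
    if op == "X": return predict(phi[1], trace, i + 1)
    return max((predict(phi[1], trace, j) for j in range(i, len(trace))), default=0)

# constructed trace: positions 1..6 of the text are indices 0..5; r = [F T F F T F], g = [F F T F F F]
TRACE = [{"r": r, "g": g} for r, g in zip([0, 1, 0, 0, 1, 0], [0, 0, 1, 0, 0, 0])]
F_G = ("F", ("atom", "g"))
REQ_ACK = ("or", ("not", ("atom", "r")), F_G)  # r -> F g
G_REQ_ACK = ("not", ("F", ("not", REQ_ACK)))  # G(r -> F g) written as not F not
```

At index 4 (Position 5) F g needs two more steps and the longest observed witness is two, so it is presumably true, while r → F g at the same index is presumably false because its longest witness (index 1) is one step; the top-level G then evaluates to presumably false.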
In another request/acknowledge example we analyze the property with r_1 being triggered at even time steps, r_2 being triggered at odd time steps, and both requests being always granted after exactly one time step. No matter where you cut the trace there is always one request not yet granted (Table 10 illustrates an example trace). The two request/grant properties are conjoined on the highest level of the formula. Our approach computes truth values for every subformula, i.e., it computes independent predictions for both request/grant properties, which is in both cases ⊤_P. On the highest level (no predictions are possible anymore at this level, because all computed pairs are of the form (∞, ∞)) the computed truth values for the two request/grant properties are conjoined and result in the expected verdict presumably true.
Table 9: Need for prediction of individual subformulas.
Table 10: Trace of a system claiming to implement G(¬r_1 ∨ F g_1) ∧ G(¬r_2 ∨ F g_2).
Evaluation of the Until Operator: To illustrate our approach on a specification that contains an until operator, we consider the property G((X a) U X X b). Table 11 shows an example trace and the associated evaluation. The longest observed witness for satisfaction of the until property starts at position 1 and requires six additional time steps. In positions 1, 2, 3 and 4 the subformula X a holds, until in position 5 the subformula X X b holds. The suffix of the trace from position 6 can be satisfied at the earliest after 3 time steps, by an extension of the trace with b = ⊤ at i = 9. As the suffix is shorter than the longest observed witness for satisfaction and we have not observed any violation, this inconclusive suffix is predicted to be presumably true. The same applies for the suffixes starting at i = 7 and i = 8. Thus, we neither observe nor expect a violation of the globally property. Hence, the property evaluates to ⊤_P with respect to the given trace.
Table 11: Evaluation of G((X a) U X X b).
that states that eventually the truth value of a has to stabilize. We analyze the traces presented in Table 12. While in trace π_1 the system seems to flip the truth value of a always after a few time steps, in trace π_2 the truth value of a seems to remain stable from i = 9 onwards. Applying our approach, the first sequence (π_1) evaluates to presumably false, because the suffix with a = ⊤ for a single time step is shorter than a previously observed stretch in which a was stable (e.g., at position i = 1 the truth value of a was stable for two time steps). In the second sequence, the suffix with a = ⊤ for five consecutive time steps is longer than any previously observed stretch in which a was stable and, thus, our approach evaluates this trace to presumably true.
These two examples also illustrate the importance of having a trace not truncated too early. Imagine cutting the trace at i = 5 or i = 9, then both traces evaluate to presumably false with respect to previously observed behavior, because we miss the observation of the long stable suffix.
When one subformula dominates: We now discuss a shortcoming of our approach. Consider the following specification
This specification requires that for any index i either signal a evaluates to true now or at a future position or, otherwise, signal b evaluates to true now or at a future position. In Table 13 we see that our approach concludes the trace under evaluation to be presumably false. This is not what we would expect, as for positions smaller than or equal to 4, the formula F a is always satisfied immediately in the same time step, and for all observed positions i ≤ 5 the formula F b is satisfied within at most one additional time step. In position i = 6 our approach predicts the formula F a ∨ F b to be presumably false, because the shorter witness for satisfaction dominates and, as both of the subformulas are eventually properties, none of them can be violated in finite time. Thus, the globally property is predicted to be violated, which results in the evaluation of presumably false. Intuitively, φ requires in every time step to eventually raise one of the two signals, i.e., one interpretation is that only the faster satisfaction counts. The specification φ′ = G F(a ∨ b) is semantically equivalent to φ and expresses this interpretation formally and (also) evaluates to presumably false.
On the other hand, if we rewrite φ to which is again semantically equivalent to φ, then the conclusion is presumably true (see Table 14), which is what we would expect. Thus, there is a difference in the interpretation of φ (and φ′) and φ″. The specification φ″ can be interpreted such that the system only has to satisfy one of the two formulas G F a and G F b, as those two formulas are connected with a logical or. Thus, the violation of one of the globally properties still allows the specification to be presumably satisfied (by the other globally).
Another example of two specifications that are semantically equivalent, but can be interpreted in different ways, is:   While in specification ψ the formula F a dominates, because the formula G b cannot be satisfied in finite time, the rewriting to ψ′ eliminates this dominating factor. Thus, for the trace presented in Table 15, evaluating ψ results in presumably false and evaluating ψ′ results in presumably true.
System implements the specification in different modes: In the above examples we've shown a weakness of our approach that arises from a dominating subformula. The specifications with dominating subformulas for which our predictions fail have in common that they implicitly allow systems to operate in two modes and (eventually) switch from one mode to the other.
Our approach may also fail for a system that operates in different modes when the mode is not part of the specification, e.g., a system that has a high- and a low-performance mode. Consider a system that implements the low-performance mode in such a way that the system takes longer to react (without violating the specification). When the trace contains system behavior of both modes, i.e., the high-performance and the low-performance mode, then our prediction is built on the behavior of the low-performance mode (assuming that witnesses are longer here), as we look at the longest observed witness for satisfaction. Thus, at some point predictions in the high-performance mode may be incorrect.
Shortcoming of our Approach: Consider the specification G F p and a system that raises p in the time steps 1, 2, 4, ..., 2^i for i = 3, 4, .... As the distance to the next satisfaction of F p always doubles, we will give a wrong evaluation in half of the cases. The reason for the wrong evaluation is that we have not yet observed witnesses with similar lengths for the second half of the last (doubled) distance to the (not yet observed) satisfaction of the eventually part.