STAn: analysis of data traces using an event-driven interval temporal logic

The increasing integration of systems into people’s daily routines, especially smartphones, requires ensuring correctness of their functionality and even some performance requirements. Sometimes, we can only observe the interaction of the system (e.g. the smartphone) with its environment at certain time points; that is, we only have access to the data traces produced due to this interaction. This paper presents the tool STAn, which performs runtime verification on data traces that combine timestamped discrete events and sampled real-valued magnitudes. STAn uses the Spin model checker as the underlying execution engine, and analyzes traces against properties described in the so-called event-driven interval temporal logic (eLTL) by transforming each eLTL formula into a network of concurrent automata, written in Promela, that monitors the trace. We present two different transformations for online and offline monitoring, respectively. Then, Spin explores the state space of the automata network and the trace to return a verdict about the corresponding property. We use the proposal to analyze data traces obtained during mobile application testing in different network scenarios.


Introduction
Nowadays, many electronic devices play an important role in our daily life, from inhome monitoring systems (Botia et al. 2012) or medical devices (Cameron et al. 2015), to smartphones that also allow interacting with other devices (Espada et al. 2019). Since we increasingly depend on these systems, it is important to check that they satisfy some correctness properties which, in many cases, imply fulfilling different non-functional requirements. In the domain of smartphones, an example of these properties could be "the energy consumed by the device during the download of a given application is always less than a threshold K ". The evaluation of this property involves handling the energy consumption of the device that is usually represented by a magnitude variable whose value evolves over time.
In this paper, we describe an approach to perform runtime verification of nonfunctional properties of event-driven systems that include magnitude variables and evolve by reacting to internally or externally triggered events. Figure 1 shows our proposal, which has been implemented in the tool STAn. The inputs of STAn are the non-functional properties described in the event-driven temporal logic (eLTL in short) , and the data trace under analysis, which is a sequence of observable system states that includes timestamps and sampled real-valued variables.
eLTL is a temporal logic that extends LTL to support the definition of properties with real-valued variables that must be evaluated on sub-traces delimited by events. Thus, intuitively, the eLTL formulae [ p,q] φ and [ p,q] φ indicate that the nested formula φ has to be true in all/some sub-traces of the input data trace satisfying that the first and the last sub-trace states satisfy p and q, respectively. These specifications allow an unknown number of sub-traces of the data trace (of an unknown duration) to be described. In addition, the nested formula φ can describe properties on the values of any system variable, such as energy consumed or time elapsed, inside the sub-traces provided by the corresponding operator.
Inspired by Pnueli and Zaks (2006), STAn transforms each eLTL operator into an instance of a monitor template; that is, an automaton that analyzes the input data trace. Thus, each eLTL formula is represented by a network of automata that monitors the data trace and determines whether it satisfies the property. This approach is suitable for Fig. 1 Runtime verification of event-driven hybrid systems with STAn runtime verification of event traces, but also for system model checking as proposed in Pnueli and Zaks (2006).
The current implementation of STAn is publicly available in GitLab 1 and relies on the Spin model checker (Holzmann 2003) to perform the analysis. To ease the transformation from eLTL to Promela, which is Spin's modeling language, we provide a parser, called eltl2pml, that transforms a textual representation of a formula into the instantiation of the corresponding monitors.
Although an implementation based on a programming language could be more efficient, Spin and its modelling language Promela introduces several advantages. Firstly, it is possible to easily implement both automata and their composition by means of the Promela process type (proctype). Thus, each eLTL formula is implemented by the synchronized execution of instances of the corresponding proctypes of their nested operators. Second, Promela models can embed C code, which provides high flexibility for the implementation and further extensions. For instance, STAn currently uses C functions to obtain and store data traces, and also to externally monitor the magnitude variables. A similar approach was followed in Gallardo and Panizo (2014), where the embedded C code made it possible to work in a transparent manner with abstractions of the continuous variables for the exploration algorithm.
In Gallardo and Panizo (2019), we presented the eLTL logic and a first version of the implementation. In the current paper, we extend this work with the following contributions: (1) the tool STAn that includes a new offline and online monitoring approaches; (2) an intermediate tree-based implementation of the monitors that demonstrates the correct transformation of eLTL operators into monitors; (3) study of the temporal and space complexities of both implementations; (4) extended case study based on realistic traces.
The rest of the paper is organized as follows. Section 2 presents the syntax and semantics of eLTL. In Sect. 3, we introduce some features of Promela and Spin to facilitate the reading of Sect. 4, which first introduces an intermediate implementation of eLTL monitors and then presents the two approaches to transform eLTL operators into Promela monitor templates. To ease the reading of the paper, most of the Promela code of the online and offline implementations is included in Appendix A. Section 5 presents complexity results of the two monitoring approaches. The proofs of these results are detailed in Appendix B. Then, Sect. 6 presents a case study based on the analysis of non-functional properties of mobile apps in different network scenarios. Section 7 discusses related work on languages and algorithms to analyze data traces in different contexts. Finally, Sect. 8 presents the conclusions and future work.

Event-driven systems and the eLTL logic
In this section, we define the behavior of event-driven systems (EDSs) by means of the well-known and classic notion of labeled transition systems. We consider EDSs as black boxes whose states can be observed at some time instants. In particular, states are visible just after an external or internal event occurs or when a certain

Pure timed transitions
EDSs may evolve when a pure timed transition occurs, i.e., when the only change in the system is produced by the passing of δ > 0 time units. As commented above, we use the special label tick to identify the timed transitions. Observe that the transition updates the value of variable ts properly. In addition, it rewrites the value of magnitudes asv m since their values could be changed by the transition. In contrast, transition does not change the value of the discrete variables except for ev that is updated to ⊥ to indicate that no event has occurred. Transitions labeled with an event express both time passing and event firing before the final time instant. In this case, the variable ev registers the event and the other state variables are properly updated. Some discrete and magnitude variables may be updated as the result of the event. We have decided not to deal with discrete transitions in isolation to model the fact that it is not possible to observe two consecutive discrete transitions at the same time instant. This also avoids the Zeno behavior that could occur when infinite discrete transitions take place between two time instants.
Following the car example, assume Var d = {ev, status} and Var m = {ts, speed, gas}. If v ev , v status , v ts , v speed , v gas is the state with each variable var ∈ Var m ∪ Var d bound to value v var , transition ⊥, on, 10, 10, 0.2 tick − − → ⊥, on, 15, 0, 0.5 represents the evolution of speed and gas consumption after passing 5 time units. In this case, the car is reducing its speed from 10 to 0 Km/h but the gas consumption is increased from 0.2 to 0.5 l since the engine is on. Moreover, ⊥, on, 15, 0, 0.5 turnOff − −−− → turnOff , off , 20, 0, 0.0 represents that the engine has been turned off (event turnOff ) at timestamp 20, which causes the change in the status variable but also a reset to 0 of the gas variable.
Given an EDS H, we denote with O f (H) the set of traces of finite length of the form π = s 0 e 0 − → · · · e n−2 −−→ s n−1 with n > 0 determined by H produced applying pure timed or mixed transitions. The length of a trace π is the number n of states.

Syntax and semantics of eLTL
In this section, we first describe the syntax of eLTL and then, given H = Σ, − − → , E ∪ {tick}, s 0 , we present the eLTL semantics on the traces of O f (H).
We assume that events of E constitute the state formulae to be checked on states. Recall that given a transition s l − → s , state s stores in variable ev the event l = e ∈ E that occurred in the transition, or ⊥, if no event took place, i. e., l = tick. Thus, it is possible to know whether an event has happened by observing a state. We define relation ⊆ Σ × E that associates states and events as follows. Given s ∈ Σ, and e ∈ E, s e iff variable ev of state s is equals to e, i.e. if event e has just occurred.
Given a trace π = s 0 l 0 − → · · · l n−2 − − → s n−1 of length n, and 0 ≤ j < k < n, π [ j, k] denotes the sub-trace s j l j − → · · · l k−1 − − → s k of π . To simplify the notation, in the following we denote with ts j the value of variable ts in state s j . Recall that since time evolves in both the pure timed and mixed transitions, we have that ts j < ts k .
Our proposal is inspired by the duration calculus introduced in Chaochen and Hansen (2004), where the interval logic domain is the set of time intervals I defined as To analyze the evolution of magnitude variables (and also discrete variables, if necessary) on intervals, we use the so-called interval formulae as defined below.
Definition 2 An interval formula is a function of the type φ : I → {true, false} that associates each time interval with a truth value.
Let Φ be the set of all these interval formulae. We assume that Φ contains the special interval formula True : I → {true, false} that returns true for all time intervals; that is, ∀I ∈ I.True(I ) = true. The elements of Φ will be the atomic propositions on which the eLTL logic is constructed.
For instance, consider the real-valued magnitude speed in the car example intro- can be used to determine whether the speed at the interval end points is decreasing.
The following two definitions are used to determine the time intervals at which the interval formulae should be evaluated. To do this, we use the so-called interval of events of the form [ p, q] where p, q ∈ E. The idea is that, given a data trace π , each interval of events [ p, q] may determine different sub-traces of π and, consequently, different time intervals. Event p fixes the initial timestamp of the interval, and q the final one.

Definition 3 Given a trace
, two events p, q ∈ E and two states s j , s k of π such that j < k, we say that sub-trace π [ j, k] satisfies the interval of events [ p, q], and we denote it as π [ j, k] [ p, q], iff the following four conditions hold: 1) s j p; 2) ∀r . j < r < k, s r q; 3) s k q; and 4) if p and q are different events, there is no state s h with h < j, such that s h p and ∀r .h < r ≤ j.s r q.
Intuitively, given π , π [ j, k] [ p, q] holds iff states s j and s k occur in different timestamps, s j satisfies p and s k is the first state following s j that satisfies q. In addition, when the events are different, the fourth condition ensures that sub-trace π [ j, k] is maximal in the sense that it is not possible to find a larger sub-trace ending at s k satisfying the previous conditions. This notion of maximality guarantees that the evaluation of interval formulae starts at the state when event p first occurs.

Example 1
The following trace π tries to clarify Definition 3. Let us first assume that p, q ∈ E are different. Then we have that π [ j, k] The following trace π has more than one sub-trace satisfying the interval of events The fourth condition in Definition 3 guarantees that the logic manages maximal intervals wrt the first occurrence of event p that makes it easy to represent properties in some application domains. For example, if we are interested in analyzing some property of a network during a video streaming session, the current definition determines that the session is given by the first occurrence of events that initiate and end the video stream, independently of whether the user tries to start the session several times until the video is observed.
Remark 1 It is worth noting that relation of Definition 3 could have been differently defined to produce other types of sub-traces. For instance, we could modify condition (2) of Definition to consider the last state where event q occurs (before p appears again) instead of the first one. This would lead us to extract sub-trace π [ j, k ] instead of π [ j, k] in the first trace of the previous example. In the same line, relation could have been defined less restrictively to take into account all sub-traces determined by p and q, including the nested and overlapped ones. In this case, for the same trace of Example 1 just mentioned, we would obtain that π [ j, k] [ The next definition is used to simplify the semantics of eLTL given in Definition 6. [ p, q]) the ordered set of sub-traces {π [ j, k]|π [ j, k] [ p, q]}. Similarly, we use S(π, p) to denote the ordered set of states {s j |s j p}.

Definition 4 Given a trace
That is, S(π, [ p, q]) is the set of sub-traces of π satisfying Definition 3. The set S(π, [ p, q]) can contain several sub-traces as illustrated in trace (3) of Example 1. In addition, S(π, [ p, q]) is ordered with respect to the value of the starting timestamp of each sub-trace. Similarly, S(π, p) is ordered with respect to the timestamps of their states. Considering this, and given a Boolean condition C, we write fst (S(π, [ p, q]), C) for the first sub-trace in S(π, [ p, q]) that satisfies C, if it exists. Otherwise, we define fst (S(π, [ p, q]), C) as the empty trace . Similarly, we write fst(S(π, p), C) for the first state in S(π, p) that satisfies C (fst(S(π, p), C) = , if no state of S(π, p) satisfies p).
Definition 5 (eLTL formulae) Given p, q ∈ E, and φ ∈ Φ, the formulae of eLTL logic are recursively constructed as follows: The other temporal operators are defined accordingly as: [ p,q] ψ ≡ True U [ p,q] ψ, [ p,q] The following definition provides the semantics of eLTL formulae given above. Recall that given a trace π ∈ O f (H) of length n, π [i, f ] is the sub-trace of π from state s i to state s f .
The semantics given by | is similar to that of LTL, except that | manages interval formulae instead of state formulae. For instance, case 2.1 states that the sub-trace π [i, f ] of π satisfies an interval formula φ iff φ holds on the time interval determined by timestamps of states s i and s f (φ([ts i , ts f ])). Case 2.4 establishes that ψ 1 U [ p,q] ψ 2 holds on trace π [i, f ] iff we can find two timestamps ts j < ts k , determined by events p and q, that split the trace into two sub-traces π [i, j] and π [ j, k], each one satisfying ψ 1 and ψ 2 , respectively. Observe that ψ 1 must hold in the sub-trace determined by the first interval of events [ p, q] on which ψ 2 is true. This way, the until operator follows the same semantics of the classical LTL until. However, other alternative approaches are also possible. For instance, in Maler and Ničković (2013) the authors provide a more relaxed definition for until, since they do not require that ψ 1 be true the first time ψ 2 holds. Nonetheless, we could easily change the until definition to also accept these behaviors if in the future we think this is necessary. Finally, case 2.5 is similar to case 2.4, except that ψ 2 is satisfied at a time instant rather than an interval. Similarly, in p ψ (or p ψ) the nested formula ψ will be evaluated at a single point.

Remark 2
Observe that the semantics of operator U [ p,q] completely depends on relation of Definition 3. The sub-traces of π [i, f ] produced by determine the sub-trace π [ j, k] chosen to evaluate ψ 2 (and, consequently, the sub-trace to evaluate ψ 1 ). However, as discussed in Remark 1, relation could be differently defined, which would lead to different semantics of operator U [ p,q] and, therefore, to different logic implementations. For instance, if we define to produce maximal sub-traces wrt both events p and q, the current definition of U [ p,q] would not change, although the sub-traces on which sub-formulae ψ 1 and ψ 2 are evaluated would be different. However, to take into account nested or overlapping sub-traces, the definition and the implementation of U [ p,q] would have to change significantly. The current definition of preserves the balance between having enough expressiveness in eLTL to describe a set of rich properties and having an efficient implementation as it is shown in Sects. 4 and 5. [ p,q] , [ p,q] , p and p , given in Definition 5 have the following meaning:

Proposition 1 Operators
Proof 1. Cases 2.6 and 2.8 follow from the definition of [ p,q] and p , taking into account that the interval formula True holds for all intervals. 2. Case 2.7. By definition [ p,q] ψ = ¬ [ p,q] ¬ψ; that is, π [i, f ] | [ p,q] ψ iff π [i, f ] | [ p,q]  Remark 3 At this point it is worth highlighting that eLTL preserves the separation of concerns related to where interval formulae have to be evaluated and what interval formulae must be checked in each sub-trace found. This independence (illustrated in Fig. 1) means that the logic provides, on the one hand, the temporal operators in charge of determining the sub-traces of interest to analyze a given property and, on the other, the interval formulae φ to be evaluated on these sub-traces.
In addition, the way eLTL deals with interval formulae allows hiding the possible complexity of its evaluation. For instance, consider function Formally, the eLTL semantics given above just need that the interval formula φ can be computed. It is an implementation issue to determine how φ ([t i , t f ]) is calculated in practice. For example, an implementation of φ could use only the observable states of the trace under analysis to decide whether speed is decreasing in [t i , t f ], or it could use the actual dynamic behaviour of speed in [t i , t f ], if it is available.

Examples
Now, we mention some examples of eLTL properties to show its expressiveness and motivate the usefulness of the logic. We specify some properties of interest on data traces of smartphones running applications (apps) in different network scenarios. This case study is further discussed in Sect. 6.
In the Introduction, we stated a non-functional property that must hold when an app is downloaded. The property says that "the energy consumed by a mobile device during the download of a given app is always less than a constant K ". The following eLTL formula represents this property: where d Stt and d St p are the events raised when the download of an app starts and ends, respectively, and φ e is the interval formula that determines whether the energy is below the limit K each time the application is downloaded. In addition, we can express that "the app is downloaded at least once in less than T time units" using the following formula: The previous property can be refined to express that "the app has to be downloaded at least once, and the download always takes less than T time units and the energy consumed is always less than K " as follows: Combining operators with one and two events, we can describe the property "if during the download of an app the mobile raises an overheated event (oh), the device temperature has increased at least C degrees from the download start" as follows: Figure 2 shows, for the previous formula, how each temporal operator determines the sub-trace where its nested formula has to be evaluated. For instance, [d Stt,d Stp] scans the complete trace to find sub-traces delimited by [d Stt, d St p]. In each subtrace, φ h U oh T rue detects the first occurrence of event oh (this state satisfies T rue), and then φ h can be evaluated in the sub-trace delimited by events d Stt and oh. Observe that to satisfy the property, in the second sub-trace determined by [d Stt, d St p] the event oh must occur and φ h must hold.

Background of PROMELA and SPIN
This section introduces the main characteristics of the Spin model checker (Holzmann 2003) and its modeling language Promela. A more complete description of both the tool and the language may be found at Holzmann (1997).
Spin is able to verify the correctness of systems typically composed of concurrent processes against safety and liveness properties described in LTL. Spin is an explicit model checker that works as follows. The system under analysis and the properties to be analyzed are both translated into Büchi automata. Then, the property automaton is executed synchronously with the model automaton, which is exhaustively explored by an efficient double depth-first search algorithm, which builds the system state space onthe-fly. To better understand the interaction between the execution of both automata, we can consider that the property automaton acts as an observer of the system automaton and is able to stop the analysis when an anomalous behavior of the system is observed.
Although Spin is a very efficient model checking tool, the exhaustive exploration of the state space can lead to the so-called state space explosion problem when the number of states generated exceeds the available memory. Thus, system abstraction plays an important role in the analysis work.
Promela, Spin's modeling language, has a syntax similar to language C. A Promela model is composed of a finite set of concurrent processes, whose execution is, by default, interleaved. Promela provides asynchronous/synchronous communication channels, and global/local variables of a non-floating type. System states are given by the values of variables, channels and the program counter (the next statement to be executed) of each process in execution. When some of these elements change, a new state is generated and stored (if it has not yet been visited), building this way the system state space.
Listing 1 shows an example of a Promela process called formula which, in fact, is the instantiation of the eLTL formula [ p,q] (φ 1 ∨ φ 2 ). The behavior of the process is written in a proctype (line 17), where the keyword active indicates that initially there is a running instance of this process. Promela has a rich syntax that includes enumerate types (lines 3 and 4), variable assignments (line 18), logic operations (line 31), dynamic process creation (line 27) and unconditional jumps (goto) to labeled statements (line 30). Regarding labeled statements, it is worth clarifying that some labels have a special meaning that directly affects the analysis. For instance, labels starting with end mark valid termination states.
Spin simulates the execution a Promela program by interleaving the execution of its processes in a non-deterministic manner. A process can only be selected to continue the execution if it is executable, i.e., if it has an executable statement to be run next. If no executable process exists, the program blocks. Thus, the executability of statements is key to understand how a Promela program may progress. Boolean expressions constitute a special case in the language. A Boolean expression is a basic statement, in the sense that it can be used such as an assignment. The main difference is that a Boolean expression can only be executed if it evaluates to true, while assignments are always executable. This semantics is very useful to easily model the synchronization by shared variables in the language. The executability of the other statements is defined similarly to that of other languages.
Promela provides if selection statements (lines47-52), and do loop statements (lines 29-45). Both statements can be composed of multiple guarded branches (starting with symbols ::) and can exhibit a non-deterministic behavior. If multiple branch guards are executable, one of these branches is non-deterministically selected to be executed. Otherwise, when all guards are non-executable, the process containing the statement is suspended.
In addition to the process synchronization through shared variables, Promela also provides synchronization via messages passing through channels. When the channel size is zero (line 5) the communication is synchronous (rendezvous), which implies that the transmission and reception of a message takes place simultaneously in the two end-point processes. Thus, if one of the processes is not ready to send/receive the message through a synchronous channel, the other process is suspended. Asynchronous channels are used as bounded buffers. The transmitting process can send a message if the channel is not full, while the receiving process can read messages if the 1 /* Definition of constants with # define */ 2 # define FORM 4 /* Number of operators of the formula */ 3 mtype : event = {q , p }; 4 mtype : command = { START , STOP }; TTrace events , measures ; 9 ChannelEv * ev ; 10 P_Event proc [ FORM ]; 11 } 12 /* ***************************************************** */ 13 int i ; 14 mtype : event e ; 15 inline sendEvent () { c_code { insertEvent ( ev , proc , FORM , now .i , now . e ) ;};} 16 /* ***************************************************** */ 17 active proctype formula ( Listing 1 Online implementation of a formula channel is not empty. Otherwise, the corresponding process is suspended. Symbols ! and ? after the channel name represent, respectively, the transmission and reception of messages through channels (lines 34 and 39). Observe that messages can comprise multiple values. For example, in line 34, the message includes the value of the integer variable i and the enumerated value START. From Promela 4.0, the language supports embedded C code in the models. The basic statements to embed C code are c_decl (line 7) to declare C variables or include native libraries, c_expr that allows the use of C expressions in guarded statements, and c_code (line 21) that allows the unconditional execution of C code. As we will see in further examples, Promela variables can be accessed from c_expr and c_code blocks. Global variables are referenced using the notation now. < var_name >, whereas local variables are referenced using P < proctype_name > − >< var_name >. It is worth mentioning that, by default, the C variables are not part of the system states, and thus changes in the C variables values do not produce new system states. This way, it is possible to keep part of the system behavior in the C variables and maintain an abstract representation in the Promela model (which takes fewer values) and a tractable system's state space.

Implementation
As described in Fig. 1, STAn analyzes execution traces of an EDS against properties described in eLTL. The goal of this section is to show how each eLTL formula is translated into a network of finite automata which are, in fact, Promela processes capable of monitoring and analyzing the input trace. Once the network has been constructed, STAn uses the Spin model checker to determine whether each trace satisfies the formula by analyzing the network of finite automata.
To better understand the approach followed by STAn, in Sect. 4.1 we first introduce an intermediate implementation using the recursive function evalT that makes use of a tree representation of the formulae to be evaluated. Then, we present the implementation of the monitor templates of the eLTL operators described in Sect. 2, which are the patterns of the above mentioned automata. We describe the offline and online implementations of the templates in Sects. 4.2 and 4.3, respectively.

Tree based implementation
We can represent each eLTL formula ψ by means of a binary tree T ψ where each node corresponds to an eLTL operator of ψ and branches relate each operator with the sub-trees of its nested formulae. For example, formula ψ = [ p,q] (φ 1 → [r ,k] φ 2 ), rewritten as [ p,q] (¬φ 1 ∨ [r ,k] φ 2 ), induces the binary tree T ψ of Fig. 3. As one can see, the tree structure completely matches the structure of ψ. Thus, the root node ( [ p,q] ) corresponds to the outer operator of ψ. As [ p,q] is a unary operator, the root node has only one child, and so on.
Now assume that we want to check whether a given eLTL formula ψ holds on a trace π [i, f ]. Once the tree T ψ has been constructed, the role of each tree node is to evaluate a sub-formula of ψ on a sub-trace of π [i, f ]. For instance, in Fig. 3, the root node [ p,q] [ p, q]). Thus, the node [ p,q] behaves as an iterator searching for the sub-traces of π [i, f ] satisfying [ p, q] that, once found, are sent to their child, in this case the node ∨. When the node ∨ finishes the evaluation of the sub-trace, it returns the result to its parent node ( [ p,q] ). Figure 4 shows the definition of the Boolean function evalT that, based on a tree T ψ , evaluates ψ on a trace π [i, f ]. The left column contains the eLTL operator of the root node of T ψ , the middle column contains the name of its sub-trees, if any, and finally, the right column shows the algorithm to evaluate ψ on the trace π [i, f ]. For instance, when ψ = φ is an interval formula, the tree T φ only has the root node φ, and the function evalT returns the value of φ on the interval determined by the initial and final states of π [i, f ]. The cases in which ψ = ¬ψ 1 , ψ = ψ 1 ∨ ψ 2 are simple: the root node ¬ or ∨ only has to propagate the trace to its sub-tree T ψ 1 (or sub-trees T ψ 1 and T ψ 2 ) and wait for the result.
However, when ψ = [ p,q] q] ψ 2 , the evaluation of ψ involves both an iteration through trace π [i, f ] searching for the sub-traces satisfying [ p, q] and recursive calls to evaluate the sub-formula ψ 1 on the sub-traces using the sub-trees T ψ 1 (and evaluate ψ 2 using T ψ 2 for U [ p,q] ).
In Fig. 4, we use a notation close to the object oriented programming. For example, the statement T ψ 1 .evalT (π [i, f ]) denotes the tasks carried out by T ψ 1 to evaluate whether trace π [i, f ] satisfies ψ 1 . This way, we emphasize that once the tree T ψ 1 is constructed, it executes method evalT every time its parent (T ψ ) asks it.
The following result gives us the correctness of algorithm evalT .

Theorem 1 For each eLTL formula ψ and trace
The proof proceeds by induction of the structure of ψ. The base case when ψ = φ is an interval function is trivial. The other cases hold from the definition of the logic using induction. The most interesting point to be noted is that in all cases iterator for produces the sub-traces of π [i, f ] ordered with respect to time instants when the corresponding states have occurred. In consequence, for instance in the U [ p,q] case, when a sub-trace π [ j, k] is found that satisfies ψ 2 , it is in fact the first sub-trace of these characteristics in π [i, f ], which matches the definition of operator U [ p,q] in the logic.
The offline and online implementations presented in the next sections, follow this approach; that is, to evaluate an eLTL formula ψ on a trace π [i, f ], they construct a tree T ψ representing the formula, in which each tree node is a Promela process in charge of evaluating a sub-formula of ψ on a sub-trace of π [i, f ], as explained above. Since the behaviour of each tree is completely determined by the operator in its root node, the implementations described below focus on providing the so-called monitor templates for each of the eLTL operators. Once a particular formula ψ is given, the monitor templates can be automatically instantiated into Promela processes organized in a tree like T ψ . The concurrent execution of all these processes is able to evaluate ψ on any trace.

Offline implementation in PROMELA
This section describes how STAn analyzes a trace π [i, f ] offline against an eLTL formula ψ using a hierarchical tree of processes. To simplify this section, the Promela implementation of most of these processes is in Appendix A.
Each eLTL operator is represented by an instance of a Promela process (proctype) that is parameterized with a number (id) that identifies the process instance (id=0 is assigned to the outer formula operator) and the identifiers of the nested formulae (c1 and/or c2), if any. In the following, we will call each one of these Promela processes monitor. In addition, STAn always adds an extra monitor called formula connected with the monitor of the outer formula operator. The monitor formula initializes the system execution (including the construction of the tree of monitors) at the beginning of the analysis and receives the result at the end.
To simplify the following discussion, we assume that the monitor id corresponds to an eLTL operator with two nested sub-formulae whose behaviors are implemented by monitors c1 and c2. The case when the operator only has one (or no) nested formula is simpler. The templates also have as parameters the events in which the corresponding monitor is interested (to carry out the iteration work over the trace, as explained in the previous section).
In the offline implementation, monitors inspect the trace when the execution has finished; thus, each monitor knows a priori the end of the trace to be analyzed. This fact is directly reflected in the way in which monitors communicate with each other, which is based on the message passing through different Promela channels (see Sect. 3). Thus, the monitor id receives from its parent, through channel cm[id], the time interval of the sub-trace on which it should perform its analysis work (as a message of the form (ti,tf) with the interval endpoints). Similarly, the monitor id can propagate the time interval information to the monitors of its sub-formulae via channels cm[c1] and cm [c2]. Inversely, the monitor id uses the (output) channel rd[id] to return its evaluation to the outer operator's monitor (or to the formula monitor, if it is the monitor of the outer formula operator). Both channels are synchronous, which means that the two monitors in communication have to execute the send and receive statements simultaneously. Observe that channels cm and rd correspond, respectively, to the down and up arrows connecting the nodes in the tree of Fig. 3.
As discussed in Sect. 4.1, the monitors of eLTL operators with events (e.g. [ p,q] or [ p,q] ) have to identify the sub-intervals determined by [ p, q] and propagate them to the monitor of its nested operators. In the offline implementation, each monitor makes use of the C function nextEv that, given a complete trace, a time instant t and an event of interest e, returns the next time instant following t when the event e occurs in the trace. [ p,q] As an example, we now describe the behavior of the tree of monitors constructed to evaluate the formula [ p,q] (φ 1 ∨ φ 2 ) by using the Message Sequence Chart (MSC) of Fig. 5 and the Promela code shown in Listings 2 and 3, which show, respectively, the offline Promela implementation of the formula and [ p,q] monitor templates.
The proctype formula is the only initially active process (observe the keyword active in Listing 2, line 7). It is in charge of instantiating the monitors of the eLTL operators (Listing 2, line 14) and sending the message with the endpoints of the trace through channel cm[0] (Listing 2, line 15) to the outermost operator's monitor. In this example, the process ALWAYS_PQ receives this first message (Listing 3, line 5). Then, it searches for the first time sub-interval [tp,tq] ⊆ [ti,tf] that satisfies [p,q] (Listing 3, line 7), propagates the time interval to the monitor OR through cm[1] and waits for OR to return the result of the evaluation. The OR mon-  [ p,q] itor propagates the received time interval to its two nested monitors through cm[2] and cm[3] and waits for their results, which will be received through rd[2] and rd[3], respectively. Monitors PHI_1 and PHI_2 are the functions that implement the interval formulae φ 1 and φ 2 and, for this reason, they do not have any other nested monitor. Thus, if both PHI_1 and PHI_2 evaluate to false, the OR monitor and the ALWAYS_PQ also evaluate to false, and the formula evaluation is finished. Otherwise, ALWAYS_PQ searches for the following sub-interval [tp',tq'] ⊆ [ti,tf] (after [tp,tq]) satisfying [p,q] and proceeds as previously described. When there are no more sub-intervals in [ti,tf] that satisfy [p,q], ALWAYS_PQ evaluates to true and sends the result via channel rd[0] to the process formula. Observe that the condition result && tq <= tf is needed to stop the execution when the value of result obtained is false or when the sub-trace found is not inside the original trace (in the interval [ti,tf]).
Finally, when the formula receives the evaluation from cm[0] (Listing 2, line 16), it prints the result and executes assert(false) to produce an assertion violation error that stops the analysis. It is worth mentioning that Spin can be configured to produce a counterexample (a trail fail) when assertion violations occur. The counterexample can be reproduced to see how the monitors synchronize to evaluate the formula on the trace.

Online implementation in PROMELA
The online implementation follows a similar approach to the offline; that is, there is a hierarchical tree of monitors, each one in charge of analyzing a sub-formula of the original formula. The main difference is that the online monitors scan the trace while it is being produced; thus, the end of the trace is initially unknown. In addition, the online monitors use a slightly different synchronization scheme in order to return a verdict as soon as possible, avoiding if possible the analysis of the complete trace. // ti , tf 6 /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ 7 active proctype formula ( However, it is worth noting that the online monitors of eLTL operators with intervals cannot always return the final verdict even though their nested formulae have sent them their results. Assume, for instance, the tree of monitors for formula [ p,q] ψ. When the monitor of [ p,q] detects that event p has occurred, it may start the monitor of ψ. However, although the monitor of ψ returns it false, it has to wait to know if event q occurs before deciding whether the whole formula holds or not. This is because if no q event occurs in the trace, [ p,q] ψ is true. We now describe how the online monitors evaluate the formula [ p,q] (φ 1 ∨ φ 2 ) by using the MSC shown in Fig. 6. Listing 1 shows the online implementation of the process formula. As in the offline version, the proctype formula, which is the only initially active process, is in charge of instantiating the tree of monitors for the eLTL operators.
The first difference in the online monitoring approach is that each monitor receives two different messages, (ti,START) and (tf,STOP), through the channel cm [id], which, respectively, announce the start and the end of the sub-trace evaluate. Between these two messages, the ALWAYS_PQ monitor has to search for the time intervals satisfying [p,q] and propagate them to its nested monitor OR. Finally, as in the offline implementation, the synchronous channel rd[id] is used to return the result of the evaluation to the outer operator's monitor. Observe that an online monitor could send its result before receiving the message (tf,STOP) (see the left lower diagram of Fig. 6). For instance, the ALWAYS_PQ monitor can send its evaluation when φ 1 and φ 2 evaluate to false. But in any case, the monitor waits for the (tf,STOP) message to be received.
The second difference in the online implementation is that each monitor receives the events through the asynchronous channel ev. A monitor should only consider events between the reception of the (ti,START) and (tf,STOP) messages. Thus, any event received outside this interval is ignored. In Listing 1, the process formula simulates how the system probes transmit the events by using the inline function sendEvent that inserts events in the channel. Since Promela asynchronous channels are buffers of limited size, we have implemented ev channel as a combination of two external C structures (ev and proc), in such a way that the number of events can dynamically grow and each monitor can process the events of its interest independently.
Apart from these changes in the synchronization of monitors, the evaluation of the formulas follows the principles described in Sect. 4.1. Fig. 6 Synchronization of online monitors for formula [ p,q]

Complexity results
In this section, we enunciate two results concerning the asymptotic time and space complexity of the implementation based on the tree of monitors described in Sect. 4.1. Since the actual behavior of the monitors is in Appendix A, the proofs of these results have also been moved to Appendix B.
We will denote as C s (ψ, π ) and C t (ψ, π ) the space and time complexities of the evaluation of the formula ψ by means of the monitor templates on a finite data trace π ∈ O f (H). When necessary, we will distinguish the complexity of the online/offline implementations using super-indexes n and f , respectively, as C n s (ψ, π )/C f s (ψ, π ) and C n t (ψ, π )/C f t (ψ, π ).

Space and time complexities of interval formulae
We start by discussing the complexities of the interval formulae and then, we reason on the formula structure to extract the complexities of other eLTL operators. Given an interval formula φ and a finite trace π [i, f ], the calculation of φ([ts i , ts f ]) requires two well defined steps: (i) reading of the interval endpoints ts i and ts f from π and (ii) evaluating φ([ts i , ts f ]). This last step is carried out by a C function which is called from the Promela code using the constructor c_code.
In both the offline and online implementations, reading ts i and ts f from π involves a spatial constant cost (we only need two variables to store ts i and ts f ). Regarding the time complexity, the offline implementation also has a constant cost, since the two interval extremes are known at the beginning of the analysis. In contrast, the online implementation has a linear complexity wrt the length of π (denoted by n from now on), since the monitor has to wait until the last state of π (s f ) occurs to know ts f .
Evidently, as φ is a generic interval formula, we cannot estimate exactly the space or time needed to evaluate it. Despite this, in this section, we study the complexity of some interval formulae, and then we establish a condition under which the complexity of eLTL formulae can be approximated. In the following, we discuss some C functions that implement interval formulae with the worst-case time complexity proportional to the length of the trace n, i. e., C t (φ, π ) ∈ O(n). The space complexity C s (φ, π ) is usually constant, since the evaluation of φ normally requires a finite number of variables.
Let us study the complexities of evaluating two eLTL formulae on a finite trace π of length n: -Time complexity In this case, we clearly have that C f t (φ len , π) ∈ O(1) and C n t (φ len , π) ∈ O(n) as it was commented above. -Space complexity It is similar in both cases, since only a finite number of variables are needed to calculate φ len , i. e., C s (φ len , π) ∈ O(1) -Time complexity Since trace π must be completely traversed to calculate φ c max , the time complexity of both implementations has to be proportional to the length of the trace, and so -Space complexity Assuming that the evaluation of φ c max only makes use of observable states, as in the previous example, the space complexity of both monitors is constant because a finite number of variables is sufficient to evaluate φ c max on any trace. In consequence, C s (φ c max , π) ∈ O(1). We now impose a condition on the functions that measure the time and space complexity of interval formulae to be able to reason on the complexity of more complex eLTL formulae. The intuition behind the condition is the following. Assume that g φ (n) gives us an estimation of the time/space complexity of the calculation of φ over a trace of length n. From the tree based implementation of Sect. 4.1, we know that the monitors for operators [ p,q] , [ p,q] and U [ p,q] have to include some kind of iteration on the original trace π [i, f ] searching for the sub-traces π [ j, k] that satisfying [ p, q]. The nested interval formulae must be evaluated over these sub-traces. This means that the calculation of the complexity of [ p,q] , [ p,q] and U [ p,q] operators typically involves summing up functions of the form g φ (n) for each of those sub-traces. Assume we have s sub-traces of this type. The intuition tells us that calculating φ on the whole trace is more costly than calculating it on each of the sub-traces. That is, if n 1 , · · · , n s are the length of these sub-traces, the cost of calculating g φ (n 1 ) + · · · + g φ (n s ) should be less than g φ (n). In consequence, this is the condition we impose on the complexity functions of interval formulae: Inverse Triangular Condition(ITC): We assume that worst-case time and space complexities of interval formulae satisfy the inverse triangular condition wrt the trace length, i.e., given φ ∈ Φ and a finite data trace π of length n, if g φ is the time/space complexity of calculating φ and n 1 , · · · , n s ∈ N satisfy that n 1 + · · · + n s ≤ n then g φ (n 1 ) + · · · + g φ (n s ) ≤ g φ (n).

Complexities of eLTL formulae
Now, we enunciate two propositions that establish the time and space complexities of eLTL formulae on traces under the ITC assumption. Proposition 2 shows how the length of the trace, the number of operators of the formula and the time complexity of the nested interval formulae influence the time complexity of the formula. In Proposition 3, we obtain a similar result, but considering the space used by the monitors that implement the formula.
Proposition 2 Given an eLTL formula ψ with m nested eLTL temporal operators and a data trace π of length n, then if g φ is the asymptotically worst time complexity of the interval formulae nested in ψ and it satisfies the ITC assumption, and we have that C t (ψ, π ) ∈ O(g φ (n) + m * n).
Proof The proof may be found in Appendix B.
Proposition 3 Given an eLTL formula ψ with m nested eLTL operators and a data trace π of length n, then if g φ and C s (ψ) are, respectively, the asymptotically worst space complexity of the interval formulae nested in ψ and the monitors implementing ψ, we have that C s (ψ, π ) ∈ O(g φ (n) + m * C s (ψ)).

Proof The proof may be found in Appendix B.
It is important to remark that polynomial functions trivially satisfy ITC. Thus, we have the following corollary.

Corollary 1 Given an eLTL formula ψ with m eLTL operators and a data trace π of length n, then if the worst time complexity of the interval formulae nested in ψ is in
Similarly, if the worst space complexity of the interval formulae nested in ψ is in O(n θ ), then C s (ψ, π ) ∈ O(n θ + m * C s (ψ)), C s (ψ) being the worst spatial cost of the monitors implementing the operators of ψ.
When complexity functions of interval formulae do not satisfy ITC, the calculation of complexity of the monitors of more complex eLTL formulae must introduce additional linear factors depending on the number of eLTL operators nested in the formula. This case is studied in depth in Appendix B.

Use case
In Espada et al. (2019) and Panizo et al. (2020), we presented a model-based testing approach to test mobile applications (apps) under different network scenarios. We used the Spin model checker to generate different test cases, along with the TRIANGLE testbed, which provides a controlled mobile network environment. In Panizo et al. (2020), the complete approach was used to evaluate the performance of Exoplayer, a video streaming app that implements different video streaming protocols. The application is instrumented in order the TRIANGLE testbed can log different events of interest, such as the start and stop of the video playback (events stt and st p, respectively), the video resolution (the event h means that the video is in high resolution, whilst event l marks that the video is in low resolution), or when the first picture is loaded (event fp). In addition, the testbed captures network traffic using libpcap 2 and periodically measures different magnitudes used to compute Key Performance Indicators (KPIs), such as transmitted and received data and data rates, or the strength of the radio signal (rssi).
Using the TRIANGLE testbed we can obtain two types of event traces: first, traces at the app level (Exoplayer) that include video events (e.g. change of video resolution); and second, traces based on the network traffic level that include Tcp protocol events (e.g. connection established or released). In the following sections, we show how STAn can effectively perform the analysis of these two types of traces against different non-functional properties described in eLTL.

Analysis of video event traces
We have analyzed 5 video event traces produced in a network scenario recreating an internet café at busy hours, and 5 other traces obtained in a network scenario simulating a trip in a high-speed train. In each test, the app tries to play a 2-min long video. Depending on the network conditions, the resulting trace can include (or not) stt, fp, st p events and a variable number of resolution changes. Each trace has between 5 and 10 events and around 140 measures of the rssi, received data, and received data rate parameters. Since the length of traces is short and the number of traces is reduced, we have also generated synthetic traces that have between 40 and 120 events and nearly 700-2000 measure points. We analyze these traces against the following properties: 1. [stt,st p] T rue This formula checks whether the trace includes a video playback (from stt to st p events). This formula requires an instance of the template EVENTUALLY_PQ and an instance of interval formula TRUE, which is an interval formula monitor that always evaluates to true.
This formula checks whether in a complete video playback, which is delimited by stt and st p events, the first image (fp) is loaded between 1 and 6 s after the video playback starts. 3. [stt,st p] This formula checks whether a downgrade of resolution is preceded by a fall of the rssi below -99 dB. This formula uses a total of 3 monitors. 4. ( [h,l] 1Mbps and φ r x Data is defined as follows. We assume that r x Data : R ≥0 → R ≥0 represents the size of the packets received at each time instant. Thus, given an Then, the function φ r x Data is defined as follows The complete formula checks the conjunction of two properties: on the one hand, whether the change in resolution from high to low is preceded by a low reception rate (e.g. the rate is below 1 Mbps) and whether the data corresponding to the video has been received (e.g. it receives more than 14 MB). Table 1 summarizes the performance of STAn when analyzing the 4 properties. It shows, for offline and offline implementations, the time to evaluate the property, the state vector size and the number of states stored. In addition, we report the maximum values for the real and the synthetic traces without specifying the result of the evaluation. In all cases, the time to evaluate the property is at most 0.01 sec. (this is the minimum time reported by Spin).
Observe that the size of the state vector only depends on the number of operators in the formula. For instance, formula 4, which requires running 5 monitors, uses 348 bytes in the offline implementation and 372 in the online version. The number of states explored depends on the length of the trace and the number of event intervals scanned to determine whether the property is satisfied or not. The size of the state and the number of states give us an idea of the memory used in each analysis, which depends on both the number of monitors and the length of the trace. These experimental results match the temporal and spatial complexity analysis of both implementations, which is summarized in Sect. 5 and detailed in Appendix B. Figure 7 shows Spin's report for a synthetic trace that fails formula 3, as stated in the two first lines. The time shown in the second line indicates the timestamp of the trace of events at which the monitors determined the evaluation of the property. It is worth clarifying that the memory usage reported includes the auxiliary structures used by Spin associated to the model checking algorithm (e.g. the hash table and the DFS stack). However, it does not consider the memory used by the external C data structures, since they are hidden to Spin. To obtain this information, we have used the profiling tool included in Valgrind. 3 In the real traces, Valgrind reports 50KB more than Spin and, in the longest synthetic trace, it reports 200KB more. This difference is the space needed to load event and measure files, which is done in C structures.

Analysis of traffic captures
We have also analyzed the network traffic captured during the video sessions using a Dash video server and a mobile phone as client. Network traffic has been captured and exported as cvs files using Wireshark 4 protocol analyzer, which internally uses the libpcap library. The events of interest are the combination of the Tcp flags activated in each packet (syn, ack, fin, push, reset). In the following, we refer to event as the sequence of active flags. For instance, SA represents an event produced by the reception of a packet with syn and ack flags activated.
The magnitude variables considered are data included in the packet headers, such as the source and destination Tcp ports, and other performance metrics, such as the round trip time calculated by Wireshark. As the traces produced have more than 33.000 events, this example allows us to show the performance of STAn when analyzing long traces.
During a video session, the client and the Dash server establish different connections between different pairs of Tcp ports in order to send video segments with different quality. Each Tcp connection is established using the so-called Tcp 3-way handshake and can be explicitly closed. In both cases, the peers exchange a sequence of messages activating different flags, as shown in Fig. 8.
We analyze the traces (network traffic) against the following three properties: This property determines whether the establishment of a connection between the ports p 1 and p 2 (messages with flags syn and syn,ack) implies that, at some point, this connection will be closed using a message fin,ack, or fin,push,ack. The current implementation of STAn does not provide a specific monitor for the implication operator (ψ 1 → ψ 2 ). Thus, the property can be analyzed by transforming it into ¬ψ 1 ∨ ψ 2 . In order to ease the specification of this kind of formulae, the eltl2pml parser, shown in Fig. 1, generates the Promela formula process with the suitable instantiation of 9 monitors. 3. ( [S,RA] .rtt(t) ≥ 35 ms: This property determines whether fact that the connection between p 1 and p 2 ports is reset implies that during this connection the round trip time was greater than 35 ms.
Observe that in the second and third formulae, φ ports checks the connection between the specific ports p1 and p2 to determine that these events are associated to the same Tcp connection. As we will see in Sect. 7, other specification languages allow free variables associated to events, in such a way that they can express that for any (or for all) ports p1 and p2 the property is fulfilled. Table 2 shows the performance metrics of STAn when analyzing the traces of the network traffic generated during the playback of the 2-minute long video against the 3 previous properties. Observe that the online implementation of formula 2 explores 10 times more states than the offline one. In formula 3, the online implementation explores 100 times more states than the offline implementation. This difference is due to the fact that the offline monitor of EVENTUALLY_PQ obtains the end points of the interval of events making two queries, while the online monitor explores the events of the trace one-by-one. Clearly, the online approach explores a greater number of states and consumes more time and memory. In the offline implementation of formula 3, Spin reports 181.7 MB and Valgrind detects 3.5 MB more, which is the memory used to load the event and measure files. In contrast, in the online implementation, Spin reports 669 MB and Valgrind detects 3.5 MB more.

Related work
In the last few decades, runtime verification has gained attention in research and industry. As a result, a variety of specification languages, algorithms and tools have appeared to support different types of case studies, such as the analysis of unmanaged vehicles (Reinbacher et al. 2014), mixed signal circuits (Maler and Ničković 2013), or stream processing systems (Espinosa et al. 2019;Awad et al. 2019). This section briefly describes some related works from different perspectives. Some of them have inspired us in the definition of the eLTL logic and the implementation of the monitoring algorithms. In Sánchez et al. (2019), the reader can find an extensive survey on runtime verification work.

Specification languages for interval properties
Linear temporal logic (LTL) has been traditionally used to describe properties that must hold along the traces of concurrent systems (Rosu and Havelund 2005;Pnueli and Zaks 2006). When execution traces are state sequences with timestamped events, many studies use enriched versions of LTL that are able to capture events or time intervals. For instance, Metric temporal logic (MTL) (Alur and Henzinger 1993) and Signal temporal logic (STL) (Maler and Ničković 2013) are extensions of LTL with real-time intervals. Formulae in MTL can describe what should happen in a (predefined) time interval after (or before) an event occurs. Moreover, STL extends MTL to introduce a dense-time model and real-valued variables. Observe that, unlike these logics, eLTL focuses on describing what should happen in a time interval, determined by two events, of a priori unknown length. In addition, eLTL formulae are evaluated over intervals of states, while the other logics evaluate over single states. Some of the properties described in the case studies can be also expressed in STL. However, it worth noting that the philosophy behind the two logics is different. In particular, expressing bounded interval determined by events is not natural in STL. For instance, the property "always during a video playback (delimited by events stt and st p) the first picture (fp event) takes place between 1 and 6 s after the start" is expressed as follows in eLTL: Assuming that there are some signals that rise when events stt, st p and fp take place, a first attempt to express the property in STL will be the following: We have used the until operator to describe that st p cannot rise before fp.
It is also worth noting that in the case of STL, the boolean constraint over signals supported are predicates of the form x • c, where x is a signal and • ∈ <, ≤, =, ≥, > and c ∈ Q. Thus, the properties defined in Sect. 6.2, which requires comparing the ports involved in two different time instants, would be difficult to define in STL.
Unlike STL and eLTL, which can express properties in future time, other languages such as past-time Metric Temporal Logic (pMTL) (Reinbacher et al. 2014) and Quantified Temporal Logic (QTL)  are suitable to express properties in past time. pMTL is the past fragment of MTL. Thus, pMTL provides past temporal operators defined over time intervals where the nested properties are evaluated. On the contrary, in QTL the logic operators do not explicitly include time intervals, but time is managed as a variable defined in N. The key feature of QTL is the use of events parameterized with variables which can be existentially quantified.
Transforming an eLTL property into a past-time logic is not straightforward. We have adapted the first two properties analyzed in Sect. 6.2 to QTL. For instance, we have rewritten the property "if a new connection is open, the previous opened connection is closed" as "if a connection is closed it was previously opened and not closed since then", which is specified in QTL as follows: where is the previous operator and interval [syn, fin) is a syntactic sugar for ¬fin S syn, S being the since operator. It is worth noting that in QTL you cannot define events intervals, instead they are a simplified notation of operator since.
The second property establishes whether "if a connection is correctly established then it is closed using fin or finP events". It could be similarly specified in QTL as follows: Observe that to simplify the previous QTL formula, we are only checking that the source and destination ports match in the syn and fin events. The original property in eLTL checks that ports can be swapped in the syn and fin events. The third property of Sect. 6.2 cannot be expressed in QTL because it does not support comparing variables with constants or with other variables. Observe that despite eLTL (and STAn) is not currently aimed to support event parameterization; thanks to the interval formulae φ ports we can express that in the maximal interval of events [syn, fin] the source and destination ports are the same (or swapped) without specifying specific ports values, similarly to QTL.
In the same line, Eagle (Barringer et al. 2004) is a more sophisticated framework in which temporal logics with different characteristics can be defined. To do this, Eagle uses parameterized and recursive equations (called rules), quantifiers and the temporal operators next ( ), previous ( ) and concatenation (·). Rules can be combined to construct monitors which can describe complex properties when properly instantiated.
Although eLTL formulae could be described in Eagle, we think that, from the user point of view, this language is harder to manipulate. For instance, in Eagle the eLTL formula [ p,q] φ could be written as Eventually (φ, p, q), where Eventually is recursively defined as the minimal fixed point (min) of the following rule and Form is the predefined type of Eagle formulae: Similarly, the rule for Eventually(F, P, Q) is constructed as min Eventually(Form F, Form P, Form Q) = P ∧ Maximal(P, Q) ∧ Search(F, Q, clock) ∨ Eventually (F, P, Q) where clock is a real-time clock that registers the current time, Maximal is a rule that checks whether the interval found is maximal (in the sense given by Definition 3) and Search is a rule that searches for the next occurrence of F2 to evaluate the interval formula F. These two rules can be defined in Eagle as follows where max is the maximal fixed point of the corresponding function: Eagle's expressiveness implies a huge cost in the implementation of a monitoring algorithm. This is why its authors defined other less expressive languages, such as Ruler  or LOGSCOPE , that have less complex implementations.
In Kauffman et al. (2016) and Kauffman et al. (2018), the authors define the specification language nfer for the description of properties to be specifically held by streams containing telemetry data produced by spacecraft rovers. The language is based on the Allen's interval logic (Allen 1983) augmented with rule-based predicates on how the interval must be combined. Although language nfer is constructed from the operators of Allen logics, it is interesting to note the importance of having an interval-based specification language to make the precise description of properties easier for users.

Monitoring algorithms for interval properties
Regarding the monitoring algorithms, we can find multiple approaches depending mainly on the length of the trace (e.g. bounded or unbounded traces), and when the analysis is performed (e.g. online or offline). Perhaps the most general approach is presented in Kesten and Pnueli (2005), where a compositional transformation of CTL * formulae is defined using the so-called temporal testers, which are monitors inductively constructed from the formula structure. The tester processes organize according to the formula structure and evolve in a synchronous manner. Later, Pnueli and Zaks (2006) proposed an algorithm based on the composition of these temporal testers to perform online analysis of unbounded traces. In D'Souza and Matteplackel (2012), the authors also apply a compositional approach to construct monitors from LTL formulas inspired by Kesten and Pnueli (2005). However, the monitor construction is more concise in this case, since they focus on LTL instead of the more general CTL * logic. The hierarchical Büchi automata built in this work are structured in a kind of tree of processes that communicate through synchronous actions, which is similar to our approach. Our current algorithm, which is based on the transformation of the eLTL operators into automata, is similar to Pnueli and Zaks (2006) and the first algorithm presented in Rosu and Havelund (2005), but thanks to Spin, we can deal with abstract representations of the real-valued variables by using external libraries through embedded C code. Rosu and Havelund (2005) proposed three different algorithms to perform online monitoring of finite traces. The first one synthesizes a monitor of the complete formula solving a dynamic programming problem, while the other two use rewriting techniques to monitor the trace or produce the automata-like monitor. In Reinbacher et al. (2014), the objective is to perform online monitoring of signals bounded by a mission time. In this case the MTL formula is transformed into a pair of observers, which can be implemented in hardware in order to achieve a high performance. In Basin et al. (2015), the proposed algorithm is able to perform online and offline analysis of unbounded signals. It is inspired by relational databases, and it incrementally works out the result of the formula (as a structure) for each point of time. In Maler and Ničković (2013), the authors propose two algorithms to monitor finite continuous signals by interpolating the evolution of the continuous variables between two sampled values; both algorithms are implemented in the tool AMT. More recently, ;  presented monitoring algorithms based on BDD to support runtime verification of properties specified in QTL, which are implemented in the DejaVu tool.
We have used DejaVu to analyze the traces used in Sect. 6.2 against the QTL properties described in the previous section. DejaVu reports that the time elapsed in the analysis of each property is around 0.45 s, which is more than the time reported by Spin (around 0.05 s in both cases). DejaVu does not report the memory consumed during the analysis, so we cannot compare this metric.

Stream runtime verification
In the recent years, some works have focused specifically on stream runtime verification (SRV), in which the trace of events is in fact a set of (possibly infinite) streams or signals (numerical or boolean) and the specifications represent the temporal and data manipulation dependencies between input and output streams. These works can be classified into those that assume that the input streams are synchronous (all streams are produced following a global clock and thus the sequence of data is not timestamped), such as Hallé (2016), and those that assume asynchronous input streams, such as Volanschi and Serpette (2019), Faymonville et al. (2019) and Convent18TeSSLa. In general, SRV tools use very expressive specification languages in order to describe the complex relation between input and output streams.
Currently, STAn does not perform SRV, but the eLTL logic could be used as a specification language in this context. For example, we could assume that the trace π over which an eLTL formula is evaluated is the result of merging multiple SRV input streams. In addition, the eLTL verdict must be a Boolean output stream instead of a single Boolean value. In this new context, we could design SRV tools based on this extended eLTL.
In the domain of SRV, we have identified two main features. On the one hand, these tools have to deal efficiently with infinite (or very long) streams. Most of them use some operator to define a (fixed or sliding) temporal window in which a property has to be fulfilled (Convent et al. 2018;Espinosa et al. 2019;Faymonville et al. 2019;Awad et al. 2019). In eLTL, we could analyze a property ψ in a time window of fixed size with [ p,q] ψ formula, where p and q are events triggered at the beginning and end of each temporal window. On the other hand, some SRV tools (Hallé 2016;Volanschi and Serpette 2019;Gorostiaga and Sánchez 2021) implement monitors in such a way that they can support customized or user-defined operations to deal with their rich input language. In this sense, eLTL maintains a balance between the fixed set of operators and the interval formulae that can be defined by the user.

Conclusions
In this paper, we have presented the approach followed by the tool STAn, which performs runtime verification on finite data traces against properties expressed in the Event-driven Interval Logic eLTL.
STAn transforms each eLTL operator into a monitor (automata-like) template that determines the sub-traces in which a property must be satisfied. This way, an eLTL formula is transformed into a tree of monitors, which is the composition of the operators' templates included in the formula.
We have presented two different transformations of eLTL operators into monitors, and both of them have been implemented in Promela. The online implementation is intended for the analysis of properties during the execution of the system, and the offline implementation is suitable for the analysis of previously produced traces.
We have evaluated both implementations by analyzing the data traces of a real system, a testbed for mobile apps, against some non-functional properties. In particular, we analyze some traces produced during the testing of a streaming video app in different network scenarios (Panizo et al. 2020). Since the traces are published when the tests have completely finished, in the online implementation we have also included an auxiliary mechanism that emulates the reception of events. Both implementations have shown good performance in terms of execution time and memory (measured as states explored).
Although our objective is the analysis of data traces, the use of monitors can also be employed to model check a system against a set of properties described in eLTL. This also justifies the use of Spin as an underlying analysis engine. To model check a system against eLTL properties, we only need a Promela model of the system that is slightly instrumented to inject events in STAn. In addition, in order to model the evolution of real-valued variables, the model can be enriched with embedded C code. In Gallardo and Panizo (2014), we presented an extension of Promela and Spin to model some sub-classes of hybrid systems and analyze them against LTL properties. The combination of this previous work and the current eLTL monitors will allow the analysis of very interesting properties on hybrid systems.
We consider three main future lines of work. First, the integration of STAn in the new testing framework (Díaz Zayas et al. 2020), which is an evolution of TRIANGLE. The objective is to use the results of STAn analysis to refine the generation of new tests. This future work will require enriching STAn results with some degree of quality, similar to the robustness degree introduced in Donzé et al. (2013) to avoid running new tests that will produce the same quality or performance indicators. Second, we would like to improve the reports of STAn in such a way the user has a better understanding of the causes of properties failure. Finally, inspired by related works (Barringer et al. 2004Havelund and Pressburger 2000;Convent et al. 2018;Faymonville et al. 2019), we would like to extend eLTL and the monitoring algorithms to support parameterized formulae and also to produce the verdict as a Boolean output stream to perform SRV analysis.
Funding Open Access funding provided thanks to the CRUE-CSIC agreement with Springer Nature.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Appendix A Offline and online monitors of eLTL operators
This appendix presents the online and offline monitors for different eLTL operators that are used in STAn. We do not explicitly present the monitors of operators over single events (e.g. p ), since they are simplifications of the monitors over intervals of events.
Interval formula φ Listing 4 shows the offline (left) and online (right) Promela monitor templates of the interval formula φ. An interval formula is evaluated on a time interval [ti,tf] that is communicated via the channel cm.
In the offline case, the complete time interval is received through channel cm (line 4), while in the online case the interval is received in two distinct messages when the subtrace is identified (lines 4 and 5). In these simple implementations, after receiving the end of the interval, the monitor calls the C function phi (line 7), which implements the evaluation of the interval formula, and the returned value is propagated as the monitor result through the corresponding rd channel.
As commented in Remark 3 in Sect. 2.1, phi hides the complexity of evaluating the behavior of real-valued variables in the interval, and in the implementation this is achieved by using external C code. For instance, we can define a function that determines the maximum or the average of the median value of a continuous variable in the interval, or we can call an external library that interpolates the dynamics of the variables of interest.

Not operator
Listing 5 shows the offline (left) and online (right) monitor templates of the negation operator.
In the offline implementation, the NOT monitor synchronizes with the monitor of the nested formula (ψ) as soon as its parent monitor sends the initial and final timestamps through channel cm (lines 5 and 6). When the nested formula ψ has been evaluated, the process NOT negates the result and sends it through the rd channel.
The online implementation behaves in a similar way. The only difference is that the synchronization with the outer and inner operators through channel cm consists of two messages with the START and STOP commands.

Or operator
Listings 6 and 7 present the online and offline monitor templates of the disjunction operator. The proctype OR monitors if any of the two sub-formulae ψ 1 and ψ 2 holds on the interval [ti,tf] over which OR monitor is being evaluated. In the online implementation, the OR monitor waits for the successive reception of the START and STOP commands and resends them to its sub-formulae monitors to start and stop their execution, respectively. Then, it waits for the result of the subformulae via channels rd[c1] and rd [c2]. If any of the sub-formulae monitors evaluate to true, the OR monitor propagates the result to its parent monitor; if not it waits until both monitors end and returns the disjunction. Observe that the proctype OR finishes its execution at line 6, which is labeled with end_or, in order to mark that it is a valid end state. This way, the monitor can observe new trace intervals, for instance in formulae of the form [ p,q] (φ1 ∨ φ2). Similarly to the NOT and φ monitor templates, the offline implementation of the OR monitor only differs from the online implementation in the synchronization with inner and outer operators in lines 6 and 8, which are replaced by the corresponding send and receive statements.

Eventually operator
The operator [ p,q] (and p ) have to scan the trace to find the sub-traces delimited by events p and q (or just p) in order to determine whether the sub-formula is satisfied. In both implementations, the monitor's parameters are its identifier (id), the identifier of the monitor for its sub-formula (c1), and the events p and q that delimit the time instants where the sub-formula must be evaluated. However, each implementation uses a different approach to find the sub-traces delimited by events p and q.
Listing 8 shows the offline implementation of the EVENTUALLY_PQ monitor. Similarly to other offline monitors, the time interval [ti,tf] is received in a single message through the channel cm[id] (line 4). In order to determine sub-traces delimited by [p,q], the monitor calls the function nextEv that, given an event e and a timestamp t, returns the timestamp of the next occurrence of e after t, or -1 if no event is found. For example, in line 9, variable tq stores the timestamp of the first event q that occurs after tp. In the label waitC1, the monitor receives the evaluation of the inner sub-formula. If it is true, the eventually formula is satisfied, and thus, it propagates this result to its parent monitor. Otherwise, the monitor continues analyzing the trace (line 18). Listing 9 shows the online monitor. The identification of the interval of events [p,q] is performed in the two states identified by labels waitP and waitQ. In waitP (lines 8-22), it waits for an event p or for the STOP message. When a valid event p is received (line 14), the monitor sends START to monitor c1 to start evaluating the inner formula. Then, it jumps to waitQ (line 23-35) to wait for the next event q (or STOP message). When a valid event q arrives (line 29), the monitor jumps to waitC1. At this label two tasks happen non-deterministically. On the one hand, the monitor receives the evaluation of the inner formula. On the other hand, the monitor sends the STOP message to c1 monitor. Similarly to the offline monitor, if the subformula evaluates to true, the eventually monitor propagates this result to its parent monitor and waits for the STOP message. Otherwise, the eventually monitor continues analyzing the trace.
The other branches in waitP and waitQ define the behavior of the monitor when the events and messages processed are not the expected ones, or when the STOP message is received and therefore there are no more events to process. For instance, in line 31, the monitor has previously received the STOP from its parent (stop is true) and is processing an event with the timestamp greater than tf. This means that no event p occurs in the interval [ti,tf], and consequently, the formula is false. This last event cannot be discarded, since it might be part of the next interval [ti,tf] analyzed by the monitor. For this reason, the event channel goes back to tf in line 62.
Observe that although the monitor c1 could evaluate its formula before EVENTUALLY_PQ receives the event q, the eventually monitor can not decide whether it evaluates true. If no q event occurs before the end of the trace, EVENTUALLY_PQ evaluates to false independently of the c1 result. For this reason, EVENTUALLY_PQ only receives the c1 evaluation when q arrives (line 45) or if the traces ends (line 38).
Clearly, the online implementation is more complex than the offline implementation due to the uncertainty of the end of the sub-trace. In addition, the use of two different channels, cm and the ev C channel, to obtain the end of the trace and the events requires checking whether or not a processed event is part of the current sub-trace.

Always operator
The Always operator over an interval of events is defined as [ p,q] ψ ≡ ¬( [ p,q] ¬ψ). Given the equivalence of eventually and always, the online and offline monitors of the Always operator are modified versions of the Eventually monitors. For example, the offline implementation shown in Listing 3 presents two differences with respect to the eventually monitor (Listing 8). The first one is that the Always operator evaluates to true when the end of the trace is reached and no interval of events is found (line 13). The second difference is in line 18, since the monitor has to continue the analysis of the trace if the sub-formula evaluates to true.

Until operator
The semantics of the Eventually operator relies on the Until operator. We can transform an eventually formula in terms of the Until operator, but the inverse is not possible in all cases. The online and offline monitors of the Eventually operator explained above are simplifications of the until monitor.
To make the presentation simpler, we will briefly explain the offline implementation (UNTIL_PQ) shown in Listing 10. A similar approach is followed in the online version. The UNTIL_PQ monitor (online or offline) has to identify the interval [tp,tq] and determines whether monitor c2 returns true in that interval. If not, the monitor has 1 proctype UNTIL_PQ ( int id ; int c1 ; int c2 ; mtype : event P to find the next interval of events. However, if on the contrary monitor c2 returns true, the UNTIL_PQ monitor returns the same response as monitor c1.

Appendix B Complexity
In this Appendix, we complete Sect. 5, giving all the definitions needed to prove Propositions 2 and 3.
In Sect. 5, we denoted the space and time complexities of the evaluation of an eLTL formula ψ over a trace π ∈ O f (H) with C s (ψ, π ) and C t (ψ, π ). In addition, we added super-indexes n and f as C n s (ψ, π )/C f s (ψ, π ) and C n t (ψ, π )/C f t (ψ, π ) to distinguish between the online and offline implementation of the operators, when necessary.
In Appendix A, we have presented the implementation of eLTL operators. Thus, we can now discuss in detail the calculation of these complexities. Recall that the calculation of the cost of each eLTL operator mainly resides in the cost of its nested interval formulae, which is a priori unknown. To get around this, in Sect. 5 we assumed that the worst case complexity of interval functions satisfies the so-called inverse triangular condition (ITC).
In the rest of the section, we study the time and space complexities of eLTL formulae that have Boolean and temporal operators. The space complexity of evaluating each operator depends not only on the monitor template described in Appendix A but also on the Spin memory used to implement the corresponding Promela process instance. Thus, in the following, given op ∈ {∨, ¬, [ p,q] , [ p,q] , U [ p,q] }, we denote with C s (M op ) the memory used by Spin to execute the process instance of the corresponding monitor template. In the following discussion, we assume that n is the length of the trace π being analyzed.

Complexities of Not and Or operators
As Listing 5 shows, the offline monitor of ¬ψ only has to wait for the evaluation of ψ to return the result. In contrast, the online monitor has to wait both the end of the trace π and the result provided by the monitor of formula ψ. In consequence, Thus, to simplify the calculations below, we choose the worst case time complexity as: Regarding, the space complexity, both the offline and online monitors of Listing 5 almost use the same memory: the space of the not monitor C s (M ¬ ) plus the space needed to calculate the nested formula ψ. Similarly, in order to evaluate ψ 1 ∨ ψ 2 , the monitor (Listings 6 and 7 depict the online/offline monitors) waits for the monitors of ψ 1 and ψ 2 to return the result. Thus, the time and space complexities are calculated similarly to those of the ¬ operator. Thus, C t (ψ 1 ∨ ψ 2 , π) ∈ O(max(C t (ψ 1 , π), C t (ψ 2 , π)) + n) (B.5) C s (ψ 1 ∨ ψ 2 , π) ∈ O(max(C s (ψ 1 , π), C s (ψ 2 , π)) + C s (M ∨ )) (B.6) where max is the maximum function.

Complexities of Eventually and Always operators
The monitors of [ p,q] ψ of Listings 8 and 9 mainly differ in that the online monitor has to wait for events p and q to occur in the data trace, which may affect the time complexity. In contrast, the offline monitor can directly access these events in constant time since they are stored in the memory.
Once a sub-trace π [i, j] satisfying the interval of events [ p, q] i.e. π [i, j] [ p, q] (Definition 3) is found, both monitors behave similarly. They check whether the corresponding timestamps are inside the trace π to detect if π [i, j] is not really a sub-trace of π . If the sub-trace is correct, they send the timestamps to the ψ monitor and wait for the result. They iterate by all the sub-traces of the type π [i, j] until they receive a positive answer from the ψ monitor or no more sub-traces are found.
According to this description, to calculate C s ( [ p,q] ψ, π) and C t ( [ p,q] ψ, π), we have to consider all the sub-traces of set S(π, [ p, q]) given in Definition 4. To simplify the following discussion, we denote S(π, [ p, q]) = k l=1 {ξ l }, with k ≥ 0 such that, for all 1 ≤ l ≤ k, ξ l [ p, q]. In addition, we assume that the sub-traces ξ l are ordered wrt the timestamps of their initial and ending states. Thus, C s ( [ p,q] ψ, π) ∈ O(Σ k l=1 C s (ψ, ξ l ) + C s (M [ p,q] )) (B.7) since the worst case occurs when all the sub-traces have to be analyzed to produce a result. As in the previous operators, it is necessary to include the memory cost associated to the monitor template instance. With respect to the time complexity, in the worst case, the offline/online monitors traverse the whole trace π searching for events p and q to occur. In addition, when a sub-trace determined by p and q has been found, they have to wait until the monitor of the nested formula finishes its evaluation. Thus, Now consider the eLTL formula [ p,q] ψ. As discussed in Appendix A, the online and offline monitors make use of the corresponding implementations of [ p,q] ψ monitors with minor changes (see Listing 3). Thus, the worst case time and space complexities of the always operator are similar to those of eventually, i.e., C t ( [ p,q] ψ, π) ∈ O(Σ k l=1 C t (ψ, ξ l ) + n) (B.9) C s ( [ p,q] ψ, π) ∈ O(Σ k l=1 C s (ψ, ξ l ) + C s (M [ p,q] )) (B.10)

Complexities of until operator
Assume that the eLTL formula ψ 1 U [ p,q] ψ 2 is evaluated on the data trace π . The until monitor, shown in Listing 10, searches for a sub-trace where ψ 2 holds (such as the eventually monitor template does) and, then, if the sub-trace is found, it checks whether ψ 1 is satisfied in the prefix sub-trace. As in the previous section, we use the notation S(π, [ p, q]) = k l=1 {ξ l }, with k ≥ 0 to represent the sub-traces of π that satisfy [ p, q] following Definition 4. Thus, C t (ψ 1 U [ p,q] ψ 2 , π) ∈ O(Σ k l=1 C t (ψ 2 , ξ l ) + C t (ψ 1 , π) + n) (B.11) C s (ψ 1 U [ p,q] ψ 2 , π) ∈ O(Σ k l=1 C s (ψ 2 , ξ l ) + C s (ψ 1 , π) + C s (M U [ p,q] )) (B.12) In consequence, the main difference with Eqs. B.7 and B.8 is the additional costs C s (ψ 1 , π) and C t (ψ 1 , π) to evaluate ψ 1 on π . Observe that these expressions are in fact upper bounds of the actual complexity, since ψ 1 is usually evaluated on a sub-trace of π .

Complexities of eLTL formulae
We can now prove Propositions 2 and 3 enunciated in Sect. 5.

Proposition 2
Given an eLTL formula ψ with m nested eLTL operators and a data trace π of length n, then if g φ is the asymptotically worst time complexity of the interval