Questions: Runtime Verification

LTL semantics are defined over infinite traces. A finite trace with a pending request has not yet violated G(request -> F grant) because a future extension could still provide the grant. It has not satisfied it either, because the trace might end without granting. This is the fundamental challenge of runtime verification: finite observations of potentially infinite behaviors. Three-valued LTL (LTL3) extends classical LTL with a third truth value 'inconclusive' (or 'unknown') for exactly these cases. A property is violated only when NO possible extension of the current trace can satisfy it; it is satisfied only when ALL extensions satisfy it.

Answer: True

Safety properties have the characteristic that any violation occurs at a finite prefix: if 'nothing bad happens' is violated, there is a specific finite point where the bad thing occurred, and no future extension can undo it. A runtime monitor can detect this immediately. Liveness properties (G(request -> F grant), for example) require something to happen eventually -- a finite trace where it has not yet happened is always potentially satisfiable by a future extension. A monitor can report 'not yet violated' but never 'definitely satisfied' for an unrestricted liveness property. This safety/liveness distinction is fundamental to understanding what runtime verification can and cannot guarantee.

The choice depends on the application domain. Safety-critical systems (avionics, medical devices) typically use online monitoring for immediate hazard detection. Performance analysis, debugging, and compliance auditing typically use offline monitoring. Hybrid approaches log events in a low-overhead buffer and process them in a separate thread or on a separate machine, combining the benefits of both.

Specification mining addresses the specification bottleneck -- the difficulty of writing formal specifications for complex systems. In practice, many teams adopt runtime verification without complete formal specs by mining specifications from test suite runs, then monitoring production executions against these mined properties. Anomalies (violations of mined properties) become bug reports. This pragmatic approach has been adopted in industry, notably by Amazon (for AWS service monitoring) and Google (for distributed system invariant checking).

Predictive runtime verification goes beyond checking the single observed trace. It extracts a partial order of events from the trace (using happens-before relations from locks, thread joins, etc.) and checks whether any linearization of this partial order consistent with the program's synchronization semantics violates the property. This dramatically increases the coverage of a single execution. Tools like RV-Predict and Java PathFinder's runtime analysis use SMT solvers or specialized algorithms to explore the space of feasible reorderings. The cost is higher analysis time per trace, but the coverage approaches that of systematic concurrency testing while requiring only a single execution.