Runtime Verification

runtime-verification monitoring trace-analysis ltl-monitoring specification-mining instrumentation

Core Idea

Runtime verification bridges testing and formal verification by checking whether a single execution trace of a system satisfies a formal specification. Instead of exhaustively exploring all possible executions (model checking) or reasoning deductively about all inputs (theorem proving), runtime verification instruments the running system and monitors its behavior against temporal properties expressed in LTL, regular expressions, or other formalisms. This makes it applicable to systems too large or complex for static verification, including those with third-party components, nondeterministic environments, or incomplete models. The central challenge is that a finite trace may neither satisfy nor violate an LTL property (whose semantics are defined over infinite traces), requiring three-valued or predictive monitoring semantics.

Explainer

Formal verification aims to prove that a system satisfies its specification for all possible executions. Model checking explores all reachable states; theorem proving reasons deductively about all inputs. Both face scalability limits: model checking hits state explosion, and theorem proving requires substantial manual effort. Runtime verification occupies a pragmatic middle ground: it checks whether one specific execution satisfies a formal property. This sacrifices completeness (you only check what actually happened, not what could happen) but gains scalability (the cost is proportional to the trace length, not the state space) and applicability (it works on systems that are too complex, too poorly modeled, or too reliant on external components for static analysis).

The technical core of runtime verification is monitor synthesis: given a temporal logic formula (typically LTL or a variant), automatically construct a finite-state machine that reads execution events and reports whether the property is satisfied, violated, or still undetermined. For safety properties ("nothing bad happens"), the monitor is straightforward: it tracks the property's automaton and reports a violation the instant a bad event pattern is observed. For liveness properties ("something good eventually happens"), finite traces create an inherent ambiguity -- a pending obligation might be fulfilled by a future event. Three-valued monitoring resolves this by reporting "inconclusive" when the current trace is consistent with both satisfaction and violation. The monitor reports "violated" only when no possible extension can satisfy the property, and "satisfied" only when all extensions must satisfy it.
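
As an added example (not from the original page), the three-valued verdicts described above can be produced by formula progression (rewriting) rather than by building an automaton up front: each observed state rewrites the pending formula, and the verdict is final only once it folds to a constant. Assumed conventions: formulas are nested tuples with the operators named in the comment, a state is the set of atomic propositions true at that step, and syntactic simplification is all that is done, so some unsatisfiable residues stay "inconclusive" where a full automaton-based monitor would say "violated".

```python
# Added example: LTL monitoring over a finite trace by formula progression,
# giving the three verdicts discussed above. Formulas are nested tuples
# ('ap', p), ('not', f), ('and', f, g), ('or', f, g), ('always', f),
# ('eventually', f), ('until', f, g); Python True/False are the constants.

def simplify(f):
    """Fold boolean constants so a final verdict surfaces as True/False."""
    if isinstance(f, bool) or f[0] == 'ap':
        return f
    op, args = f[0], [simplify(x) for x in f[1:]]
    if op == 'not':
        return (not args[0]) if isinstance(args[0], bool) else ('not', args[0])
    if op in ('and', 'or'):
        unit, (a, b) = (op == 'and'), args   # identity: True for and, False for or
        if a is unit: return b
        if b is unit: return a
        if a is (not unit) or b is (not unit): return not unit
    return (op, *args)

def step(f, state):
    """Progress f through one observed state (the set of propositions true now):
    trace s.w satisfies f iff the remaining trace w satisfies step(f, s)."""
    if isinstance(f, bool):
        return f
    op = f[0]
    if op == 'ap':
        return f[1] in state
    if op in ('not', 'and', 'or'):
        return simplify((op, *[step(x, state) for x in f[1:]]))
    if op == 'always':            # G f  ==  f and X(G f)
        return simplify(('and', step(f[1], state), f))
    if op == 'eventually':        # F f  ==  f or X(F f)
        return simplify(('or', step(f[1], state), f))
    # until:  f U g  ==  g or (f and X(f U g))
    return simplify(('or', step(f[2], state), ('and', step(f[1], state), f)))

def monitor(formula, trace):
    """Verdict after each state; the monitor stops once the verdict is final."""
    verdicts, f = [], simplify(formula)
    for state in trace:
        f = step(f, state)
        verdicts.append('satisfied' if f is True else
                        'violated' if f is False else 'inconclusive')
        if isinstance(f, bool):
            break
    return verdicts

AP = lambda p: ('ap', p)   # the two properties below are constructed samples
RESPONSE = ('always', ('or', ('not', AP('request')), ('eventually', AP('grant'))))
NO_UNAUTH_WRITE = ('always', ('not', ('and', AP('write'), ('not', AP('auth')))))
```

Feeding `RESPONSE` the trace `[{'request'}, set(), {'grant'}]` stays inconclusive at every step, since the outer "always" can never be discharged on a finite prefix, while `NO_UNAUTH_WRITE` flips to "violated" on the first state containing `write` without `auth`.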

Online monitoring instruments the running system (via code instrumentation, aspect-oriented programming, or OS-level hooks) and checks properties incrementally as events arrive. The monitor must process each event in bounded time to avoid perturbing the system's timing behavior -- a critical constraint for real-time systems. Efficient monitor constructions use deterministic finite automata derived from LTL formulas, achieving constant time per event after an initial automaton construction. Offline monitoring instead analyzes recorded logs, allowing more expensive algorithms (multi-pass analysis, pattern matching over the full trace) at the cost of delayed detection. The choice depends on whether immediate reaction is required (safety-critical systems favor online) or thoroughness is more important than speed (debugging and compliance favor offline).

Predictive runtime verification significantly extends the power of single-trace analysis for concurrent systems. A single execution of a concurrent program observes one interleaving of thread actions, but many alternative interleavings are consistent with the program's synchronization. Predictive techniques extract the happens-before partial order from the observed trace (using lock acquisitions, releases, thread forks, and joins as ordering constraints) and check whether any consistent total order violates the property. This can detect data races, deadlocks, and atomicity violations that did not manifest in the observed execution but could occur under a different scheduler. Tools like RV-Predict use SMT encodings to efficiently explore the space of feasible reorderings, turning a single test execution into a coverage amplifier.
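
As an added example (not RV-Predict's SMT encoding, and not code from the original page), the simplest form of the partial-order idea above is happens-before race prediction with vector clocks: lock release/acquire, fork and join edges order events, and two conflicting accesses the clocks leave unordered are reported as a race whether or not the observed schedule placed them adjacently. Assumed event format: `(thread, op, target)` with threads numbered from zero; the sample trace is constructed.

```python
# Added example: happens-before race prediction from one observed trace.
# Each event is (thread, op, target) with ops acq/rel (lock), fork/join
# (thread id), rd/wr (shared variable); threads are numbered 0..n-1.
# Vector clocks order events by program order, rel->acq on the same lock,
# fork->child and child->join; accesses to one variable from different
# threads, at least one a write, left unordered by the clocks are races.
from collections import defaultdict

def vc_max(a, b):
    return [max(x, y) for x, y in zip(a, b)]

def vc_leq(a, b):
    return all(x <= y for x, y in zip(a, b))

def predict_races(trace, n_threads):
    """Return [(variable, earlier_event_index, later_event_index), ...]."""
    clock = [[0] * n_threads for _ in range(n_threads)]    # one clock per thread
    lock_clock = defaultdict(lambda: [0] * n_threads)       # clock at last release
    accesses = defaultdict(list)   # variable -> [(thread, is_write, clock, index)]
    races = []
    for idx, (t, op, target) in enumerate(trace):
        clock[t][t] += 1                                    # every event ticks
        if op == 'acq':
            clock[t] = vc_max(clock[t], lock_clock[target])
        elif op == 'rel':
            lock_clock[target] = clock[t][:]
        elif op == 'fork':                    # child starts after the fork
            clock[target] = vc_max(clock[target], clock[t])
        elif op == 'join':                    # parent continues after the child
            clock[t] = vc_max(clock[t], clock[target])
        elif op in ('rd', 'wr'):
            for u, was_write, c, j in accesses[target]:
                if u != t and (was_write or op == 'wr') and not vc_leq(c, clock[t]):
                    races.append((target, j, idx))
            accesses[target].append((t, op == 'wr', clock[t][:], idx))
    return races

# Constructed sample trace: the writes to x are ordered through lock L, but
# thread 1's write to y and thread 0's first read of y are concurrent.
SAMPLE_TRACE = [
    (0, 'fork', 1),
    (0, 'acq', 'L'), (0, 'wr', 'x'), (0, 'rel', 'L'),
    (1, 'acq', 'L'), (1, 'wr', 'x'), (1, 'rel', 'L'),
    (1, 'wr', 'y'),
    (0, 'rd', 'y'),      # index 8: unordered with index 7 -> predicted race
    (0, 'join', 1),
    (0, 'rd', 'y'),      # index 10: ordered by the join -> no race
]
```

`predict_races(SAMPLE_TRACE, 2)` reports only the y access pair, even though the observed schedule happened to run thread 1's write before thread 0's read; the read after the join is correctly left alone.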

The practical adoption of runtime verification is accelerating. In safety-critical domains, DO-178C (avionics) and ISO 26262 (automotive) increasingly recognize runtime monitoring as a complementary assurance technique. The Copilot framework generates constant-time, constant-space C monitors from temporal specifications for embedded systems. In distributed systems, companies like Amazon and Google use runtime verification techniques to monitor service-level agreements and detect anomalous behavior patterns in production. Specification mining -- inferring likely invariants from observed traces (Daikon, Texada, Synoptic) -- addresses the specification bottleneck by letting systems "tell you" their properties, which are then monitored and refined. This creates a virtuous cycle: observed behavior generates candidate specifications, monitoring catches deviations, and deviations refine the specifications.
