Runtime monitoring is generally considered a light-weight alternative to formal verification. In safety-critical systems, however, the monitor itself is a critical component. For example, if the monitor is responsible for initiating emergency protocols, as proposed in a recent aviation standard, then the safety of the entire system critically depends on guarantees of the correctness of the monitor. In this paper, we present a verification extension to the Lola monitoring language that integrates the efficient specification of the monitor with Hoare-style annotations that guarantee the correctness of the monitor specification. We add two new operators, assume and assert, which specify assumptions of the monitor and expectations on its output, respectively. The validity of the annotations is established by an integrated SMT solver. We report on experience in applying the approach to specifications from the avionics domain, where the annotation with assumptions and assertions has lead to the discovery of safety-critical errors in the specifications. The errors range from incorrect default values in offset computations to complex algorithmic errors that result in unexpected temporal patterns.
翻译:运行时间监测一般被认为是正式核查的一种轻量的替代物。 但是,在安全临界系统中,监测器本身是一个关键组成部分。例如,如果监测器负责启动最近的航空标准所建议的紧急协议,那么整个系统的安全就关键地取决于对监测器正确性的保证。在本文件中,我们为罗拉监测语言提供了一个核查扩展,该语言将监测器的有效规格与Hoare式说明结合起来,从而保证监测器规格的正确性。我们增加了两个新的操作器,即假设和主张,分别具体说明监测器的假设和输出的预期。说明的有效性是由一个综合的SMT解答器确定的。我们报告在对Avionics域的规格应用方法方面的经验,在这些域中,对假设和主张的注释导致发现规格中的安全关键错误。错误包括不正确的默认值抵消计算和复杂的算法错误,这些错误导致出意想不到的时间模式。