Introduction Model checking (MC) [ 17 ] is a widely accepted pre-deployment verification technique that checks whether a system satisfies or violates a property by potentially analysing all the possible system behaviours. By contrast, runtime verification (RV) [ 30, 11 ] is a lightweight verification technique aimed at mitigating scalability issues, such as the state explosion problem, typically associated with traditional verification techniques like MC. RV attempts to infer the satisfaction (or violation) of a correctness property from the analysis of the current execution of the system under scrutiny using monitors [ 22, 23 ]. It is thus performed post-deployment (on actual system execution), which is appealing for component-based applications (parts of which may not be available for analysis pre-deployment), as well as for dynamic settings such as mobile computing (where components are downloaded and installed at runtime). The technique has fostered a number of verification tools, e.g., [ 9, 10, 18, 20, 27, 29, 32, 7, 8, 34 ] to name but a few, and has proved effective in various real-world scenarios [ 14, 37, 21 ].

Despite its advantages, RV is limited when compared to verification techniques such as MC because certain correctness properties cannot be verified at runtime [ 31, 33, 16, 26, 2, 3, 4 ]. For instance, MC makes it possible to check for both safety and liveness properties, by providing either a positive or a negative answer, according to whether the system conforms with the specifications; RV, on the other hand, can only return a positive verdict for certain liveness properties (called co-safety properties [ 15, 4 ]) or a negative one for safety conditions. Moreover, RV induces a runtime overhead over the execution of a monitored system, which should ideally be kept to a minimum [ 30, 11 ].

Monitorable Fragments ϕ, φ ∈ μHML ::= tt | ϕ ∨ φ | hαiϕ | min X.ϕ | X (truth) (disjunction) (possibility) (min. fixpoint) (rec. variable)

Jtt, ρK Jϕ1∨ϕ2, ρK

Jhαiϕ, ρK JminX.ϕ, ρK

JX, ρK d=ef Sta ddeeff Jϕ1, ρK ∪ Jϕ2, ρK = = s | ∃r.s −α→ r and r ∈ Jϕ, ρK d=ef T {S ∈ Sta | Jϕ, ρ[X 7→ S]K ⊆ S} d=ef ρ(X) | ff | ϕ ∧ φ | [α]ϕ | max X.ϕ (falsehood) (conjunction) (necessity) (max. fixpoint)

Jff, ρK Jϕ1∧ϕ2, ρK

J[α]ϕ, ρK JmaxX.ϕ, ρK def = ∅ ddeeff Jϕ1, ρK ∩ Jϕ2, ρK = = s | ∀r.s −α→ r implies r ∈ Jϕ, ρK d=ef S {S ∈ Sta | S ⊆ Jϕ, ρ[X 7→ S]K} θ, ϑ ∈ sHML ::= tt π, $ ∈ cHML ::= tt | ff | ff | [α]θ | hαiπ | θ∧ϑ | π∨$ | max X.θ | min X.π | X | X Syntax Semantics Hennessy-Milner Logic with Recursion (μHML) RV’s limits in terms of verifiable properties is evidenced more for branching-time logics, that are able to express properties describing behaviour over multiple system executions. In recent work [ 25, 26, 1, 3 ], one such branching-time logic called μHML [ 13, 5 ] is studied from an RV perspective. Figure 1 outlines the syntax of the logic μHML, along with its semantics, defined over a Labelled Transition System (LTS), i.e., triples hSta, Act, −−→i consisting of a set of states s, r ∈ Sta, a set of actions α ∈ Act, and a transition relation between states labelled by actions, s −→α r; as in [ 5, 26 ], the semantic definition employs an environment from μHML logical variables, Vars, to sets of states, ρ ∈ (Vars * P(Sta)) (see Figure 1). One of the main contributions of [ 25 ] is the identification of an expressively maximal, runtime-verifiable subset of the logic, reported in Figure 1 as the grammar for sHML and cHML (see also [ 26, 24 ]); the authors show how these classes provide an easy syntactic check for determining whether a property satisfaction (or violation) can be determined using the RV technique. The cHML (resp., sHML) fragment of μHML is said to be positively monitorable (resp., negatively monitorable) [ 26, 4 ].

Extending the applicability of monitoring towards a combined verification We build on the findings of [ 25 ], with the aim of extending the applicability of RV to a larger class of μHML properties other than sHML ∪ cHML from Figure 1. Specifically, we propose a combined approach that permits automated formal verification to be spread across the pre- and post-deployment phases of a system development, with the aim of calibrating the management of the verification burden while combining the strengths of MC with those of RV. As an illustrative example, consider the μHML property (1) below, describing systems that can perform action a, prefix hai(. . .), and reach a state from where they can either perform action b, subformula hbitt, or else can never perform action c, subformula [c]ff. (1) (2) According to Figure 1, (1) turns out not to be runtime-verifiable because of the subformula [c]ff; intuitively, whereas a system execution exhibiting action a followed by action b suffices to prove that the system satisfies (1), an RV monitor cannot determine whether a system can never produce action c after performing action a from the observation of only a single system execution [ 25 ]. However, property (1) can be expressed as the (logically equivalent) formula

(haihbitt) ∨ (hai[c]ff) whereby we note that the subformula haihbitt is runtime verifiable, according to [ 25, 26, 3 ]. We argue that reformulations such as (2) allow for a combined approach to verification, where part of the property, e.g., the (smaller) subformula hai[c]ff, can be checked prior system deployment using MC, and the remaining part of the property, e.g., haihbitt, can be runtime-verified during system execution.

We therefore aim to devise general analysis techniques that reformulate any μHML formula into either conjunctions or disjunctions, i.e., ϕRV ∧ ϕMC or ϕRV ∨ ϕMC, where ϕRV and ϕMC denote the runtime-verifiable and model-checkable formula components, respectively. From a software engineering perspective, we envisage at least two ways how this decomposition between pre- and post-deployment verification can be fruitful: 1. The ensuing combined approach may be used as a means to minimise the verification effort required prior to the deployment of a system. E.g., in the case of (2), the model-checked subformula ϕMC = hai[c]ff is smaller than the full formula (1), since we would be offloading a degree of verification onto the runtime phase when runtime-verifying for ϕRV = haihbitt. Moreover, for disjunction decompositions such as (2), the satisfaction of ϕMC prior to deployment obviates the need for any runtime analysis, minimising runtime overheads (a dual argument applies for conjunction decompositions and ϕMC violations). 2. In settings where software correctness is desirable but not essential, a combined approach can be used as a means to circumvent full-blown MC. Specifically, instead of model-checking for (1), a system may be runtime-verified for ϕRV = haihbitt during its pilot launch, acting as a vetting phase: if ϕRV is satisfied during RV, this means that, by (2), (1) is satisfied as well; if not, we then proceed to model-check the system offline wrt. ϕMC = hai[c]ff.

A partial solution based on modal transition systems and modal refinement From a technical point of view, the problem amounts, to computing the maximal monitorable semantic fragment of a given μHML formula ϕ, that is, the formula ψ such that • ψ ∈ cHML (ψ is positively monitorable), • JψK ⊆ JϕK (every process that satisfies ψ also satisfies ϕ, i.e, ψ is a semantic fragment of ϕ), • for every ψ0 ∈ cHML, we have that Jψ0K ⊆ J K ψ (ψ is maximal) ϕ implies Jψ0K ⊆ J K Dually, for the case of negatively monitorable formulas (fragment sHML), we are interested in the minimal monitorable formula of which ϕ is a semantic fragment; we focus on the former formulation only since the latter one can be solved by exploiting the duality between the two fragments (as in [ 2 ]).

Instead of trying to obtain the desired formula through syntactic transformations, we adopt a semantic approach that proved itself successful for the logic HML, i.e., the fragment of μHML devoid of fixpoint operators. We first transform the input formula into a modal transition system (MTS ) [ 12 ], which can be thought of as graphical representations of formulas: MTSs suit our purpose particularly well because they are amenable to manipulations while preserving the information about the meaning of the formula. By using this technique, we can inherit known results from concurrency theory, such as the characterization and classification of several process semantics [ 19, 35, 36 ]. In particular, back and forth translations between HML formulas and MTSs are known [ 12 ], and a preorder over MTSs, called modal refinement, has been defined that captures the semantic relationship between HML specifications: an MTS M1 precedes another MTS M2 in this modal refinement preorder whenever the set of processes that satisfy ϕM1 (the translation of M1 into an HML formula) contains set of processes that satisfy ϕM2 . Using such results we are able to identify the class of MTSs corresponding to the monitorable fragment of HML and to single out the MTS corresponding to the maximal monitorable semantic fragment of a given HML formula. Then, by employing the translation from MTSs back to HML formulas, we obtain the monitorable specification that we are looking for.

Future directions Extending our approach to the full μHML remains an open issue: for this purpose, MTSs should be extended with cycles so as to enable them to “mimic” fixpoint operators, which somehow correspond to recursion. Once this obstacle is solved, we can also investigate the application of our methods to the linear-time setting, where there are still formulas that are not monitorable [ 3, 4 ].

Another direction we intend to pursue is that of extending our techniques to settings with enriched monitoring capabilities. A number of these settings have recently been investigated for the logic μHML in the work [ 2 ] by considering monitoring setups with the ability to recognize when a process terminates, or the ability to infer the possible (1-step) actions from a specific state (even though the computation will then continue executing along only one of these actions). Using some of the aforementioned results from the field of concurrency theory and process semantics, our approach should extend in a straightforward manner to cope with the enhanced monitoring capabilities. More importantly, this study marries well with our aims for a multi-pronged verification methodology along the lines advocated in [ 6, 21, 28 ].