In Perfect Harmony: Orchestrating Causality in Actor-Based Systems

Runtime verification has gained popularity as a lightweight approach for increasing assurance in systems under scrutiny. Performing runtime checks enables dynamic monitoring and alerts for unexpected behavior, thereby improving reliability and correctness. Actor-based systems present significant challenges for runtime verification. Properties frequently span multiple actors with complex causal dependencies, while nondeterministic message interleavings can obscure execution semantics. Moreover, most existing monitoring tools are designed for single-process behavior. This paper presents ACTORCHESTRA, a runtime verification framework for Erlang that automatically tracks causality across multi-actor interactions. The framework instruments Erlang systems that comply with OTP guidelines via targeted code injection. This method establishes the orchestration infrastructure required to track causal relationships between actors without requiring manual modifications to the target system. To ease the specification of multi-actor properties, the framework provides WALTZ, a specification language that automatically compiles properties into executable Erlang monitors that integrate with the instrumented system. Three case studies demonstrate ACTORCHESTRA’s effectiveness in detecting complex behavioral violations in real-world actor systems. A performance evaluation quantifies the runtime overhead of the monitoring infrastructure and analyzes the trade-offs between added safety guarantees and execution costs.

💡 Research Summary

The paper introduces ACTORCHESTRA, a runtime verification framework specifically designed for Erlang systems that follow the Open Telecom Platform (OTP) client‑server model. The authors identify three core research questions: (RQ1) can causality across multiple actors be tracked automatically; (RQ2) can a specification language express properties that span several actors while abstracting away nondeterministic interleavings; and (RQ3) what performance cost does such tracking incur. To answer these, ACTORCHESTRA combines three main components.

First, the Conductor acts as an external oracle that intercepts every message exchanged between actors. Using a function γ, it assigns a unique causality token (context) to each message chain. If a message already carries a token, the Conductor reuses it; otherwise it generates a fresh reference via make_ref(). The Conductor then forwards the message to its intended recipient and simultaneously notifies the monitor. To avoid deadlocks, the forwarding is performed by spawning lightweight worker processes, ensuring that the Conductor remains responsive even under high concurrency.

Second, the Context Injector operates at compile time. It rewrites the abstract syntax tree (AST) of Erlang modules to insert calls to the Conductor wherever inter‑process communication occurs. This transformation is fully automatic, requiring no manual code changes and preserving OTP’s supervision and fault‑tolerance guarantees.

Third, the WALTZ language provides a domain‑specific way to write causality‑aware specifications. Users describe logical message chains (e.g., “client request → server processing → final response”) and constraints on payloads. The WALTZ compiler translates these specifications into Erlang monitor processes that consume the enriched trace (messages plus their causality tokens) produced by the Conductor. Because the monitor sees a globally consistent view of causally related events, it can detect violations that would be invisible to single‑process monitors, such as mismatched request‑response pairs or missing intermediate steps.

The authors evaluate ACTORCHESTRA on three real‑world case studies: an HTTP API server, a data‑processing pipeline, and a microservice‑based system. In each scenario the framework successfully identified complex behavioral violations that involve multiple actors. Performance measurements show an average runtime overhead of 12 %–18 % compared to the uninstrumented baseline. The overhead stems mainly from token management and the extra worker processes, but the design’s asynchronous nature keeps it within acceptable limits for production systems.

In the related‑work discussion, the paper contrasts ACTORCHESTRA with log‑based tools (MonPoly, WHYMON), session‑type based monitors, and process‑centric frameworks like detectEr. Unlike those approaches, ACTORCHESTRA does not rely on pre‑recorded logs, does not require developers to manually manage session identifiers, and scales naturally to multi‑actor properties without enumerating all possible interleavings.

In summary, ACTORCHESTRA delivers an automated, transparent, and scalable solution for causality‑driven runtime verification in Erlang OTP applications. It bridges the gap between high‑level property specification and low‑level message tracing, offering a practical path to higher assurance in modern actor‑based distributed systems. Future work includes distributing the Conductor across multiple nodes, extending support to Elixir, and integrating static analysis techniques to further reduce runtime costs.