recognizing safety and liveness presented by qian huang
TRANSCRIPT
Recognizing safety and liveness
Presented by Qian Huang
2
Introduction
a safety property means that "bad things" do not happen during execution of a program
a liveness property means that "good things” will eventually happen
They were supported by practical experience and informal definitions
This paper formalized the safety property and liveness property and their relationship.
Histories and properties
An execution of program can be represented as an infinite sequence σ of program states
σ = s0, s1, s2, ……
We call this infinite sequence a history
A property is a set of infinite sequences of program states.
If σ is in property P, σ⊧P
If every histories of a program satisfy a property P, we can say this program satisfy the property P.
3
4
Specify a property
This paper use Buchi automata to specify properties
Buchi automata are more expressive than most temporal logic specification languages
Mechanical procedures can translate linear-time and branching-time temporal formulas into Buchi automata
5
Buchi automata
If a Buchi automaton specifies the property L(m) , this Buchi automaton m will accept the sequences of program states in L(m)
6
Buchi automata
transition predicates define transitions between automaton states based on the next symbol read from the input
If the next symbol read by a Buchi automaton satisfies no transition predicate on any path, the input is rejected. In this case, we say the transition is undefined transition
7
Reduced Buchi automata A Buchi automaton is reduced if from every state there is
a path to an accepting state
Form an arbitrary Buchi automaton, we can always obtain its equivalent reduced Buchi automaton
8
Buchi automata for property
Formally, a Buchi automaton m for a property of a program π is a five-tuple (S, Q, Q0, Q∞, δ)
S is the set of program states of πQ is the set of automaton states of mQ0 is the set of start states of mQ∞ is the set of accepting states of m δis the transition function of m
For the path from automaton state qi to qj , qj ∈ δ(qi, s)
9
Buchi automata for property
For any sequence of program statesσ = s0, s1, s2, ……,
σ[i] = si
σ[..i] =s0 ...si
σ[i..] =sisi+1 ...
lσl = the length of σ (ω if σ is infinite)
Transition function δ can be extended to handle finite sequences of program states
10
Safety and liveness
The "bad thing” : attempting an undefined transition, because if such a "bad thing" happens while reading an input, the Buchi automaton will not accept that input.
The "good thing" : entering an accepting state infinitely
Describe safety and liveness separately
Only consider reduced Buchi automaton
11
Recognizing safety
If a "bad thing" happens in an infinite sequence σ, then it must do so after some finite prefix, if for the prefix of σ, there exists an extension to an infinite sequence which will satisfy a safety property P
Formal definition of a safety property P
12
Closure of Buchi automaton
For a reduced Buchi automaton m, its closure cl(m) is to make every state into an accepting state
13
Closure of Buchi automaton
every state of cl(m) is accepting state
cl(m) accepts a safety property, it never rejects an input
rejects only an undefined transition
if m and cl(m) accept the same language then m recognizes a safety property.
The closure of m can be used to determine whether the property specified by m is a safety property
14
Theorem 1
A reduced Buchi automaton m specifies a safety property if and only if L(m) = L(cl(m))
Proof: First, assume m specifies a safety property.
Since cl(m) is obtained from m by making all states accepting, every sequence accepted by m is also accepted by cl(m).
15
Theorem 1
Proof: Next assume L(m) = L(cl(m))
if we choose β= σ[i+1….]
cl(m) rejects σbecause of undefined transition
is required for m to specify a safety property
16
Recognizing liveness
Formal definition of a liveness property P
For every finite sequence, there exists an extension to an infinite sequence which will satisfy a liveness property P
if m specifies a liveness property, cl(m) must accept every input. A liveness property never proscribes a "bad thing”
17
Theorem 2
A reduced Buchi automaton m specifies a liveness property if and only if L(cl(m))= Sω
Proof: First, assume m specifies a liveness property
cl(m) accept every input. Each of the states of cl(m) is accepting, thus cl(m) accepts α
Which is equivalent to L(cl(m))= Sω
18
Theorem 2
Proof: Next, assume L(cl(m))= Sω
cl(m) acceptsα, Since cl(m) has the same transition function as m, m accept α, m accept α[….i]
Supposeα[….i] leaves m in automation state qi. Since m is reduced, there exists a path from qi to some accepting state qj, from qj to some accepting state qk, etc.
Let β0 takes m from qi to qj, β1 takes m from qj to qk….
so L(m) is a liveness property
19
Partitioning into safety and liveness
Every property specified by a Buchi automaton is equivalent to the conjunction of a safety property and a liveness property, each of which can be specified by a Buchi automaton.
Theorem 3. Safe (m) specifies a safety property.
Theorem 4. Live(m) specifies a liveness property.
For Safe(m), we use cl(m)For Live(m) , we use
20
Partitioning into safety and liveness
The property specified by m is the intersection of those specified by Safe(m) and Live(m).
Theorem 5. Given a reduced Buchi automaton m,
Total Correctness is the intersection of Partial Correctness and Termination.
21
conclusion
Give tests to determine whether a property specified by a Buchi automaton is safety or liveness.
show how to extract automata Safe(m) and Live(m) from a Buchi automaton m
The extraction prove that Total Correctness is the conjunction of safety property Partial Correctness and liveness property Termination.