Safety and Liveness

Defining Programs Variables with respective domain –State space of the program Program actions –Guarded commands Program computation – –(s j-1, s j ) is permitted by program actions Consider set of all program computations –Could depend upon the notion of fairness

Program Correctness How do we define that a program is correct with respect to its specification? –Intuition: A program is correct if all its computations are in the specification For above intuition to work, the specification should be the set of acceptable sequences of program states –Note that the program does not have to exhibit all behaviors in the specification –It just should not exhibit anything that it is not permitted by the specification

Hence, From now on, let specification be a set of infinite sequences of states

Example Coke and Pepsi vending machine –Specification: pressing a button results in dispensation of a Coke or Pepsi

Consider Programs Program 1 ButtonPressed  Dispense Coke Program 2 ButtonPressed  Dispense Pepsi Program 3 ButtonPressed  Dispense Coke ButtonPressed  Dispense Pepsi

Consider Programs Program 4 ButtonPressed  Dispense Sprite

Observations about Programs and Specifications Suppose that you do not have access to code of program P. You can only observe its behavior. –Observed behavior is one state at a time –Observed behavior is finite Looking at a finite prefix, we can never say that the specification is satisfied We may be able to say that the specification is NOT satisfied.

Specification 1 Vending machine only dispenses coke or pepsi Consider the behavior c,p,c,p,s,c,p, … Suppose a program behavior violates a specification, will you always be able to detect it at some finite point? –What do we mean that we detected safety violation at a finite point? It means that no matter what future states are the specification cannot be satisfied by that sequence. This is the intuition behind safety specification.

Specification 2 Vending machine is guaranteed to dispense pepsi Consider the finite behavior c,c,c,c,s,s,7 Given any finite behavior, can you say that the specification cannot be satisfied This is the intuition behind liveness specification

Specification 2 continued Suppose the infinite sequence were c,c,c,c,c, … Even though this sequence does not satisfy specification 2, we cannot conclude this at any finite point.

Specification 3 Dispense only coke or pepsi and that eventually dispense pepsi –Is this safety, liveness, both or neither This color is black This color is white This color is neither black nor white although it is a combination of the two

Safety and Liveness Safety –Intuition: Nothing bad happens Intuition: If something bad happens, it cannot be fixed Intuition: if a sequence violates specification then it does so at some finite point after which it cannot be fixed. –  :  SafetySpec : (  :  is a prefix of    ::   SafetySpec)

Safety and Liveness Liveness –Intuition: Something good happens eventually Intuition: No matter what has happened so far, the specification can be met  :  is finite sequence of states:  ::   LivenessSpec

Recalling weak fairness and strong fairness Are these safety properties? Are these liveness properties? What is a good fairness property?

Examples of Properties Invariant (S) : Predicate S is true in every state Closed (S) : If predicate S is true in some state, it will remain true in the next P Leads to Q : If P is ever true in some state then Q will be true in that or some future state P Converges to Q : Closed(P) and Closed(Q) and P leads to Q

–Consider sequenec P, p, p, … Violates specificatin Cannot say that at any finite point –Not a safety specification –Is there any finite prefix alpha such that alpha cannot be extended to satisfy the specification?

To show that P conv to Q is not a safety property Create a sequence that violates P converges to Q such that –At finite point, you cannot say that spec is violated –(P&NotQ), (P&NotQ) …

To show that P converges to Q is not a liveness property Find some alpha such that it cannot be extended to satisfy the specification P, NotP,

Specification 3 For vending machine: For every 10 consecutive button pressed, dispense at least 4 coke and at least 4 pepsi This is a safety specification

c Consider sequence –C, c, c, c, c, c, c

Specification 4 Pepsi must be dispensed at least once in 10 steps

Specification 4 After some point, the machine will only dispense pepsi This is a liveness specification

Sf1 & Sf2 Given Sf1, Sf2 is a safety specificaiton Show Sf1 & Sf2 is a safety specification For all sigma : sigma not in Sf1 & Sf2 : Take any sigma not in Sf1 and Sf2 –Case 1: sigma not in Sf1 –Case 2: sigma not in Sf2

Given –  :  Sf1 : (  :  is a prefix of    ::   Sf1) –  :  Sf2 : (  :  is a prefix of    ::   Sf2) To prove –  :  Sf1 & Sf2 : (  :  is a prefix of    ::   Sf1 & Sf2)

Case 1 Sigma not in Sf1 –There exists alpha : for all beta : Alpha beta is not in sf1 ==> there exists alpha : for all beta : alpha beta is not in sf1 & sf2 Same for Case 2 : Completes proof for showing that sf1 & sf2 is a safety property

Observation Some properties are neither safety properties nor liveness properties. They appear to be a combination of the two. Goal: prove that any property can be expressed as an intersection of a safety property and a liveness property

Spec1 = Always dispense coke or pepsi Spec2 = always dispense coke Spec3 = Always dispense coke and pepsi and eventually dispense pepsi Spec4 = dispense coke and pepsi in an alternating manner –Spec4 subset of spec1 –Spec2 is not a subset of spec4 and vice versa –Spec2 is a subset of spec1 but not of spec3 –Spec3 is a subset of spec1

Manipulation of Safety/Liveness Properties Intersection of safety and liveness properties –Step 1: Intersection of any number of safety properties is a safety property –Step 2: Given a specification, spec, find the smallest safety specification sf such that spec  sf –Step 3: spec = sf  (spec  (S w – sf)) –Step 4: (spec  (S w – sf)) is a liveness specification

Let sigma be some sequence Suppose spec = { sigma }, spec only contains one sequence

Towards Proving spec = safety  liveness S w denotes the set of all computations  S w denotes the set of all computations with prefix  (S w -  S w ) is a safety specification

Towards Proving spec = safety  liveness Consider (infinitely many) safety properties sf1, sf2, … –Is the union of them a safety specification? –Is the intersection of them a safety specification?

Towards Proving spec = safety  liveness Let spec be the given specification –Consider the set of safety properties sf 1, sf 2, … such that spec  sf i –Consider the intersection of these safety properties Let sf denote this intersection Observe: spec  sf sf is a safety specification

` P converges to Q is subset of closed(P) P converges to Q is a subset of closed(Q) P converges to Q is a subset of invariant(true) …

Properties of sf Consider a sequence   sf – spec –Let  be any prefix of  –There must exist  such that   spec –If not spec  (sf  (S w -  S w )), which is a safety specification This is a contradiction as sf is supposed to smallest safety specification containing spec

Towards Proving spec = safety  liveness spec = sf  (spec  (S w – sf)) Safety specification Liveness specification

To prove sf  (spec  (S w – sf)) = Sf  spec  ( sf  (S w – sf)) = spec

To show that (spec  (S w – sf)) is a liveness specification: For any , some extension of  is in (spec  (S w – sf)) Let  be any infinite extension of  Case 1:   spec : trivial Case 2:   (S w – sf) : trivial Case 3:   sf – spec: –Every prefix of  has an extension that satisfies spec –By construction  is a prefix of 

(x > 0) converges to (x > 5) –(x > 0) is closed, i.e., if x is 1 or higher, x can never become 0 or negative –(x > 5) is closed –If (x > 0) is reached then eventually (x > 5) would be reached Safety specification –x is always equal to 10 (not a superset of converges because –X is always greater than 0 (superset of converges) –Closed (x > 0) (superset of converges) –Closed (x > 5) (superset of converges) –Closed (x > 0) & Closed (x > 5) (superset of converges), … This is the smallest safety specification for converges

What happens if the sequence satisfies –Closed (x > 0) & Closed (x > 5) But violates (x > 0) congerges to (x > 5) –For any such sequence, at a finite point, there is a hope of satisfying the (x > 0) congerges to (x > 5)

Topology based explanation

Use of Safety and Liveness in Designing Programs Techniques for satisfying safety –Invariants –Closure We will discuss these next. Techniques for satisfying liveness –Variant functions We will discuss these briefly

Revisiting Fairness Properties What observation can you make about –Weak fairness –Strong fairness

Some Comments about this Framework Safety liveness framework discussed here relies on certain assumptions –A computation is correct if is included in the specification –More specifically, correctness of one computation does not depend on other computations –In other words, whether a computation satisfies the specification or not can be deduced solely from the computation and the specification

Comments (Continued) In some situations, this does not work –Example: Average response time for a request is 10 steps