Recognizing safety and liveness Presented by Qian Huang

Introduction  a safety property means that "bad things" do not happen during execution of a program  a liveness property means that "good things” will eventually happen  They were supported by practical experience and informal definitions  This paper formalized the safety property and liveness property and their relationship. 1

Histories and properties  An execution of program can be represented as an infinite sequence σ of program states σ = s 0, s 1, s 2, ……  We call this infinite sequence a history  A property is a set of infinite sequences of program states.  If σ is in property P, σ ⊧ P  If every histories of a program satisfy a property P, we can say this program satisfy the property P. 2

Specify a property  This paper use Buchi automata to specify properties  Buchi automata are more expressive than most temporal logic specification languages  Mechanical procedures can translate linear-time and branching-time temporal formulas into Buchi automata 3

Buchi automata  If a Buchi automaton specifies the property L(m) ， this Buchi automaton m will accept the sequences of program states in L(m) 4

Buchi automata  transition predicates define transitions between automaton states based on the next symbol read from the input  If the next symbol read by a Buchi automaton satisfies no transition predicate on any path, the input is rejected. In this case, we say the transition is undefined transition 5

Reduced Buchi automata  A Buchi automaton is reduced if from every state there is a path to an accepting state  Form an arbitrary Buchi automaton, we can always obtain its equivalent reduced Buchi automaton 6

Buchi automata for property  Formally, a Buchi automaton m for a property of a program π is a five-tuple (S, Q, Q 0, Q∞, δ)  S is the set of program states of π Q is the set of automaton states of m Q 0 is the set of start states of m Q∞ is the set of accepting states of m δis the transition function of m  For the path from automaton state q i to q j, q j ∈ δ(q i, s) 7

Buchi automata for property  For any sequence of program statesσ = s 0, s 1, s 2, ……, σ[i] = s i σ[..i] =s 0...s i σ[i..] =s i s i+1... lσl = the length of σ (ω if σ is infinite)  Transition function δ can be extended to handle finite sequences of program states 8

Safety and liveness  The "bad thing” : attempting an undefined transition, because if such a "bad thing" happens while reading an input, the Buchi automaton will not accept that input.  The "good thing" : entering an accepting state infinitely  Describe safety and liveness separately  Only consider reduced Buchi automaton 9

Recognizing safety  If a "bad thing" happens in an infinite sequence σ, then it must do so after some finite prefix, if for the prefix of σ, there exists an extension to an infinite sequence which will satisfy a safety property P  Formal definition of a safety property P 10

Closure of Buchi automaton  For a reduced Buchi automaton m, its closure cl(m) is to make every state into an accepting state 11

Closure of Buchi automaton  every state of cl(m) is accepting state  cl(m) accepts a safety property, it never rejects an input  rejects only an undefined transition  if m and cl(m) accept the same language then m recognizes a safety property.  The closure of m can be used to determine whether the property specified by m is a safety property 12

Theorem 1  A reduced Buchi automaton m specifies a safety property if and only if L(m) = L(cl(m)) Proof: First, assume m specifies a safety property. Since cl(m) is obtained from m by making all states accepting, every sequence accepted by m is also accepted by cl(m). 13

Theorem 1 Proof: Next assume L(m) = L(cl(m)) if we choose β= σ[i+1….] cl(m) rejects σbecause of undefined transition is required for m to specify a safety property 14

Recognizing liveness  Formal definition of a liveness property P  For every finite sequence, there exists an extension to an infinite sequence which will satisfy a liveness property P  if m specifies a liveness property, cl(m) must accept every input. A liveness property never proscribes a "bad thing” 15

Theorem 2  A reduced Buchi automaton m specifies a liveness property if and only if L(cl(m))= S ω Proof: First, assume m specifies a liveness property cl(m) accept every input. Each of the states of cl(m) is accepting, thus cl(m) accepts α Which is equivalent to L(cl(m))= S ω 16

Theorem 2 Proof: Next, assume L(cl(m))= S ω cl(m) acceptsα, Since cl(m) has the same transition function as m, m accept α, m accept α[….i] Supposeα[….i] leaves m in automation state q i. Since m is reduced, there exists a path from q i to some accepting state q j, from q j to some accepting state q k, etc. Let β 0 takes m from q i to q j, β 1 takes m from q j to q k …. so L(m) is a liveness property 17

Partitioning into safety and liveness Every property specified by a Buchi automaton is equivalent to the conjunction of a safety property and a liveness property, each of which can be specified by a Buchi automaton.  Theorem 3. Safe (m) specifies a safety property.  Theorem 4. Live(m) specifies a liveness property. For Safe(m), we use cl(m) For Live(m), we use 18

Partitioning into safety and liveness The property specified by m is the intersection of those specified by Safe(m) and Live(m). Theorem 5. Given a reduced Buchi automaton m, Total Correctness is the intersection of Partial Correctness and Termination. 19

conclusion  Give tests to determine whether a property specified by a Buchi automaton is safety or liveness.  show how to extract automata Safe(m) and Live(m) from a Buchi automaton m  The extraction prove that Total Correctness is the conjunction of safety property Partial Correctness and liveness property Termination. 20