26
Part 3: Safety and liveness

Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Embed Size (px)

Citation preview

Page 1: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Part 3: Safety and liveness

Page 2: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Safety vs. liveness

Safety: something “bad” will never happen

Liveness: something “good” will happen (but we don’t know when)

Page 3: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Safety vs. liveness for sequential programs

Safety: the program will never produce a wrong result (“partial

correctness”)

Liveness: the program will produce a result (“termination”)

Page 4: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Safety vs. liveness for sequential programs

Safety: the program will never produce a wrong result (“partial

correctness”)

Liveness: the program will produce a result (“termination”)

Page 5: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Safety vs. liveness for state-transition graphs

Safety: those properties whose violation always has a finite witness

(“if something bad happens on an infinite run, then it happens already on some finite prefix”)

Liveness: those properties whose violation never has a finite witness (“no matter what happens along a finite run, something good could still happen later”)

Page 6: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Safety: the properties that can be checked on finite executions

Liveness: the properties that cannot be checked on finite executions

(they need to be checked on infinite executions)

This is much easier.

Page 7: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Example: Mutual exclusion

It cannot happen that both processes are in their critical sections simultaneously.

Page 8: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Example: Mutual exclusion

It cannot happen that both processes are in their critical sections simultaneously.

Safety

Page 9: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Example: Bounded overtaking

Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter.

Page 10: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Example: Bounded overtaking

Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter.

Safety

Page 11: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Example: Starvation freedom

Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually.

Page 12: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Example: Starvation freedom

Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually.

Liveness

Page 13: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Example: Starvation freedom

Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually.

Liveness

Page 14: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

LTL (Linear Temporal Logic)

-safety & liveness

-linear time

[Pnueli 1977; Lichtenstein & Pnueli 1982]

Page 15: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

LTL Syntax

::= a | | | | U

Page 16: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

LTL Model

infinite trace t = t0 t1 t2 ... (sequence of observations)

Page 17: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

a

a,b b

q1

q3q2

Run: q1 q3 q1 q3 q1 q2 q2

Trace: a b a b a a,b a,b

Page 18: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

(K,q) |= iff for all t L(K,q), t |=

(K,q) |= iff exists t L(K,q), t |=

Language of deadlock-free state-transition graph K at state q :

L(K,q) = set of infinite traces of K starting at q

Page 19: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

LTL Semantics

t |= a iff a t0

t |= iff t |= and t |=

t |= iff not t |=

t |= iff t1 t2 ... |=

t |= U iff exists n 0 s.t.1. for all 0 i < n, ti ti+1 ... |

= 2. tn tn+1 ... |=

(K,q) |= iff (K,q) |=

Page 20: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

X next

U U until

= true U F eventually

= G always

W = ( U ) W waiting-for (weak-until)

Defined modalities

Page 21: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Important properties

Invariance a safety

(pc1=in pc2=in)

Sequencing a W b W c W dsafety

(pc1=req

(pc2in) W (pc2=in) W (pc2in) W (pc1=in))

Response (a b) liveness

(pc1=req (pc1=in))

Page 22: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Composed modalities

a infinitely often a

a almost always a

Page 23: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

Example: Starvation freedom

Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually.

(pc2=in (pc2=out))

(pc1=req (pc1=in))

Page 24: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

State-transition graph

Q set of states {q1,q2,q3}

A set of atomic observations {a,b}

Q Q transition relation q1 q2

[ ]: Q 2A observation function [q1] = {a}

Page 25: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

(K,q) |=

(K’, q’, BA) where BA K’ Is there an infinite path starting from q’

that hits BA infinitely often?

Tableau construction (Vardi-Wolper)

Is there a path from q’ to p BA such that p is a member of a strongly connnected component of K’?

Page 26: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)

dfs(s) { add s to dfsTable for each successor t of s if (t dfsTable) then dfs(t) if (s BA) then { seed := s; ndfs(s) }}

ndfs(s) { add s to ndfsTable for each successor t of s if (t ndfsTable) then ndfs(t) else if (t = seed) then report error}