1 / 21

Recognizing safety and liveness

Recognizing safety and liveness. Presented by Qian Huang. Introduction. a safety property means that "bad things" do not happen during execution of a program

lloyd
Download Presentation

Recognizing safety and liveness

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Recognizing safety and liveness Presented by Qian Huang

  2. Introduction • a safety property means that "bad things" do not happen during execution of a program • a liveness property means that "good things” will eventually happen • They were supported by practical experience and informal definitions • This paperformalized the safety property and liveness property and their relationship.

  3. Histories and properties • An execution of program can be represented as an infinite sequence σ of program states σ= s0, s1, s2, …… • We call this infinite sequence a history • A property is a set of infinite sequences of program states. • If σ is in property P, σ⊧P • If every histories of a program satisfy a property P, we can say this program satisfy the property P.

  4. Specify a property • This paper use Buchi automata to specify properties • Buchi automata are more expressive than most temporal logic specification languages • Mechanical procedures can translate linear-time and branching-time temporal formulas into Buchi automata

  5. Buchi automata • If a Buchi automaton specifiesthe property L(m), this Buchi automatonm will accept the sequences of program states in L(m)

  6. Buchi automata • transition predicates define transitions between automaton states based on the next symbol read from the input • If the next symbol read by a Buchi automaton satisfies no transition predicate on any path, the input is rejected. In this case, we say the transition is undefined transition

  7. Reduced Buchi automata • ABuchi automaton is reduced if from every state there is a path to an accepting state • Form an arbitrary Buchi automaton, we can always obtain its equivalent reduced Buchi automaton

  8. Buchi automata for property • Formally, a Buchi automaton m for a property of a program π is a five-tuple (S, Q, Q0, Q∞, δ) • S is the set of program states of πQ is the set of automaton states of mQ0is the set of start states of mQ∞ is the set of accepting states of m δis the transition function of m • For the path from automaton state qi to qj , qj ∈ δ(qi, s)

  9. Buchi automata for property • For any sequence of program statesσ= s0, s1, s2, ……, σ[i] = si σ[..i] =s0...si σ[i..] =sisi+1... lσl = the length of σ (ω if σ is infinite) • Transition function δcan be extended to handle finite sequences of program states

  10. Safety and liveness • The "bad thing” : attempting an undefined transition, because if such a "bad thing" happens while reading an input, the Buchi automaton will not accept that input. • The "good thing" : entering an accepting state infinitely • Describe safety and liveness separately • Only consider reduced Buchi automaton

  11. Recognizing safety • If a "bad thing" happens in an infinite sequence σ, then it must do so after some finite prefix, if for the prefix of σ, there exists an extension to an infinite sequence which will satisfy a safety property P • Formal definition of a safety property P

  12. Closure of Buchi automaton • For a reduced Buchi automaton m, its closure cl(m) is to make every state into an accepting state

  13. Closure of Buchi automaton • every state of cl(m) is accepting state • cl(m) accepts a safety property, it never rejects an input • rejects only an undefined transition • if m and cl(m) accept the same language then m recognizes a safety property. • The closure of m can be used to determine whether the property specified by m is a safety property

  14. Theorem 1 • A reduced Buchi automaton m specifies a safety property if and only if L(m) = L(cl(m)) Proof: First, assume m specifies a safety property. Since cl(m) is obtained from m by making all states accepting, every sequence accepted by m is also accepted by cl(m).

  15. Theorem 1 Proof: Next assume L(m) = L(cl(m)) if we choose β= σ[i+1….] cl(m) rejects σbecause of undefined transition is required for m to specify a safety property

  16. Recognizing liveness • Formal definition of a livenessproperty P • For every finite sequence, there exists an extension to an infinite sequence which will satisfy a liveness property P • if m specifies a liveness property, cl(m) must accept every input. A liveness property never proscribes a "bad thing”

  17. Theorem 2 • A reduced Buchi automaton m specifies a liveness property if and only if L(cl(m))= Sω Proof: First, assume m specifies a liveness property cl(m) accept every input. Each of the states of cl(m) is accepting, thus cl(m) accepts α Which is equivalent to L(cl(m))= Sω

  18. Theorem 2 Proof: Next, assume L(cl(m))= Sω cl(m) acceptsα, Since cl(m) has the same transition function as m, m accept α, m accept α[….i] Supposeα[….i] leaves m in automation state qi. Since m is reduced, there exists a path from qito some accepting state qj, from qjto some accepting state qk, etc. Let β0 takes m from qi to qj, β1takes m from qjto qk…. so L(m) is a liveness property

  19. Partitioning into safety and liveness Every property specified by a Buchi automaton is equivalent to the conjunction of a safety property and a liveness property, each of which can be specified by a Buchi automaton. • Theorem 3. Safe (m) specifies a safety property. • Theorem 4. Live(m) specifies a liveness property. For Safe(m), we use cl(m)For Live(m) , we use

  20. Partitioning into safety and liveness The property specified by m is the intersection of those specified by Safe(m) and Live(m). Theorem 5. Given a reduced Buchi automaton m, Total Correctness is the intersection of Partial Correctness and Termination.

  21. conclusion • Give tests to determine whether a property specified by a Buchi automaton is safety or liveness. • show how to extract automata Safe(m) and Live(m) from a Buchi automaton m • The extraction prove that Total Correctness is the conjunction of safety property Partial Correctness and liveness property Termination.

More Related