Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen...
-
Upload
kory-seavers -
Category
Documents
-
view
255 -
download
1
Transcript of Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen...
![Page 1: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/1.jpg)
Part 3: Safety and liveness
![Page 2: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/2.jpg)
Safety vs. liveness
Safety: something “bad” will never happen
Liveness: something “good” will happen (but we don’t know when)
![Page 3: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/3.jpg)
Safety vs. liveness for sequential programs
Safety: the program will never produce a wrong result (“partial
correctness”)
Liveness: the program will produce a result (“termination”)
![Page 4: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/4.jpg)
Safety vs. liveness for sequential programs
Safety: the program will never produce a wrong result (“partial
correctness”)
Liveness: the program will produce a result (“termination”)
![Page 5: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/5.jpg)
Safety vs. liveness for state-transition graphs
Safety: those properties whose violation always has a finite witness
(“if something bad happens on an infinite run, then it happens already on some finite prefix”)
Liveness: those properties whose violation never has a finite witness (“no matter what happens along a finite run, something good could still happen later”)
![Page 6: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/6.jpg)
Safety: the properties that can be checked on finite executions
Liveness: the properties that cannot be checked on finite executions
(they need to be checked on infinite executions)
This is much easier.
![Page 7: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/7.jpg)
Example: Mutual exclusion
It cannot happen that both processes are in their critical sections simultaneously.
![Page 8: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/8.jpg)
Example: Mutual exclusion
It cannot happen that both processes are in their critical sections simultaneously.
Safety
![Page 9: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/9.jpg)
Example: Bounded overtaking
Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter.
![Page 10: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/10.jpg)
Example: Bounded overtaking
Whenever process P1 wants to enter the critical section, then process P2 gets to enter at most once before process P1 gets to enter.
Safety
![Page 11: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/11.jpg)
Example: Starvation freedom
Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually.
![Page 12: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/12.jpg)
Example: Starvation freedom
Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually.
Liveness
![Page 13: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/13.jpg)
Example: Starvation freedom
Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually.
Liveness
![Page 14: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/14.jpg)
LTL (Linear Temporal Logic)
-safety & liveness
-linear time
[Pnueli 1977; Lichtenstein & Pnueli 1982]
![Page 15: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/15.jpg)
LTL Syntax
::= a | | | | U
![Page 16: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/16.jpg)
LTL Model
infinite trace t = t0 t1 t2 ... (sequence of observations)
![Page 17: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/17.jpg)
a
a,b b
q1
q3q2
Run: q1 q3 q1 q3 q1 q2 q2
Trace: a b a b a a,b a,b
![Page 18: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/18.jpg)
(K,q) |= iff for all t L(K,q), t |=
(K,q) |= iff exists t L(K,q), t |=
Language of deadlock-free state-transition graph K at state q :
L(K,q) = set of infinite traces of K starting at q
![Page 19: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/19.jpg)
LTL Semantics
t |= a iff a t0
t |= iff t |= and t |=
t |= iff not t |=
t |= iff t1 t2 ... |=
t |= U iff exists n 0 s.t.1. for all 0 i < n, ti ti+1 ... |
= 2. tn tn+1 ... |=
(K,q) |= iff (K,q) |=
![Page 20: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/20.jpg)
X next
U U until
= true U F eventually
= G always
W = ( U ) W waiting-for (weak-until)
Defined modalities
![Page 21: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/21.jpg)
Important properties
Invariance a safety
(pc1=in pc2=in)
Sequencing a W b W c W dsafety
(pc1=req
(pc2in) W (pc2=in) W (pc2in) W (pc1=in))
Response (a b) liveness
(pc1=req (pc1=in))
![Page 22: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/22.jpg)
Composed modalities
a infinitely often a
a almost always a
![Page 23: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/23.jpg)
Example: Starvation freedom
Whenever process P1 wants to enter the critical section, provided process P2 never stays in the critical section forever, P1 gets to enter eventually.
(pc2=in (pc2=out))
(pc1=req (pc1=in))
![Page 24: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/24.jpg)
State-transition graph
Q set of states {q1,q2,q3}
A set of atomic observations {a,b}
Q Q transition relation q1 q2
[ ]: Q 2A observation function [q1] = {a}
![Page 25: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/25.jpg)
(K,q) |=
(K’, q’, BA) where BA K’ Is there an infinite path starting from q’
that hits BA infinitely often?
Tableau construction (Vardi-Wolper)
Is there a path from q’ to p BA such that p is a member of a strongly connnected component of K’?
![Page 26: Part 3: Safety and liveness. Safety vs. liveness Safety: something “bad” will never happen Liveness: something “good” will happen (but we don’t know when)](https://reader033.fdocuments.us/reader033/viewer/2022050908/56649c765503460f9492acb1/html5/thumbnails/26.jpg)
dfs(s) { add s to dfsTable for each successor t of s if (t dfsTable) then dfs(t) if (s BA) then { seed := s; ndfs(s) }}
ndfs(s) { add s to ndfsTable for each successor t of s if (t ndfsTable) then ndfs(t) else if (t = seed) then report error}