mc2022 Lec3 Slides

Safety and Liveness Properties
Model Checking
Lecture #3: Linear-Time Properties
[Baier & Katoen, Chapter 3]
Joost-Pieter Katoen and Tim Quatmann

& ] :p Spel
Software Modeling and Verification Group
Model Checking Course, RWTH Aachen, SoSe 2022
Joost-Pieter Katoen and Tim Quatmann Lecture 1/45

Overview
1 Recapitulation: Traces
2 Linear-Time Properties
3 Safety Properties
4 Liveness Properties
5 Safety versus Liveness


Safety and Liveness Properties Recapitulation: Traces
Overview
3 Safety Properties

Traces
Z Actions are mainly used to model the (possibility of) interaction

synchronous or asynchronous communication
Z Here, focus on the states that are visited during executions

the states themselves are not “observable”, but just their atomic
propositions
Z Traces are sequences of the form L(s0 ) L(s1 ) L(s2 ) . . .

record the (sets of) atomic propositions along an execution
Z For transition systems without terminal states1 :

traces are infinite words over the alphabet 2 , i.e., they are in 2 ⌥
AP AP Ê
1
This is an assumption commonly used throughout this lecture.
Traces
Definition: Traces
Let TS = (S, Act, , I, AP, L) be transition system without terminal states.
Z The trace of execution
fl = s0 –1
s1 –2
s2 –3
...
is the infinite word trace(fl) = L(s0 ) L(s1 ) L(s2 ) . . . over 2 ⌥ .

AP Ê
Prefixes of traces are finite traces.

Traces
Definition: Traces
fl = s0 –1
s1 –2
s2 –3
...

AP Ê

Z The traces of a set of executions (or paths) is defined by:
trace( ) = { trace(fi) ∂ fi " }.

Traces
Definition: Traces
fl = s0 –1
s1 –2
s2 –3
...

AP Ê

Z The traces of a set of executions (or paths) is defined by:
trace( ) = { trace(fi) ∂ fi " }.
Z The traces of state s are Traces(s) = trace(Paths(s)).

Z The traces of transition system TS: Traces(TS) = s"I Traces(s).

Example
Consider the mutex transition system. Let AP = { crit1 , crit2 }.
The trace of the path:
= Ön1 , n2 , y = 1ã Öw1 , n2 , y = 1ã Öc1 , n2 , y = 0ã
Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ — “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ œ Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “—“ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ œ Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ —““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “œ
fi
L=o L=o L={ crit1 }
Ön1 , n2 , y = 1ã Ön1 , w2 , y = 1ã Ön1 , c2 , y = 0ã
Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ — “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ œ Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “—“ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ œ Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ —““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “œ
...
L=o L=o L={ crit2 }

Example
Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ — “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ œ Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “—“ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ œ Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ —““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “œ
fi
L=o L=o L={ crit1 }
Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ — “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ œ Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “—“ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ œ Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ —““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “œ
...
L=o L=o L={ crit2 }
is:
trace(fi) = o o { crit1 } o o { crit2 } o o { crit1 } o o { crit2 } . . .

Example
Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ — “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ œ Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “—“ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ œ Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ —““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “œ
fi
L=o L=o L={ crit1 }
Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ — “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ œ Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “—“ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ œ Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ —““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “œ
...
L=o L=o L={ crit2 }
is:
trace(fi) = o o { crit1 } o o { crit2 } o o { crit1 } o o { crit2 } . . .
Or expressed using Ê-regular expressions:
trace(fi) = o o { crit1 } o o { crit2 }⌥

Ê

Regular Expressions
Z Let be an alphabet, i.e. countable set of symbols, with A "

Regular Expressions
Z Regular expressions over have syntax:
E ⇥⇥= o ∂ ∂ A ∂ E+E ∂ E.E ∂ E

¨ ¨ ò
Á

Regular Expressions
E ⇥⇥= o ∂ ∂ A ∂ E+E ∂ E.E ∂ E

¨ ¨ ò
Á
ò
Z The semantics of regular expression E is a language L(E) N :
L(o) = o, L(Á) = { Á }, L(A) = { A }
L(E+E ) = L(E) < L(E ) L(E.E ) = L(E).L(E ) L(E ) = L(E)

¨ ¨ ¨ ¨ ò ò

Regular Expressions
E ⇥⇥= o ∂ ∂ A ∂ E+E ∂ E.E ∂ E

¨ ¨ ò
Á
ò
Z The semantics of regular expression E is a language L(E) N :
L(o) = o, L(Á) = { Á }, L(A) = { A }
L(E+E ) = L(E) < L(E ) L(E.E ) = L(E).L(E ) L(E ) = L(E)

¨ ¨ ¨ ¨ ò ò
Z Regular expressions denote languages of finite words

Ê-Regular Expressions: Syntax

Definition: Ê-regular expression
An Ê-regular expression G over the alphabet has the form:
G = E1 .F1 + . . . + En .Fn for n " N>0

Ê Ê
where Ei , Fi are regular expressions over with Á ä L(Fi ).


G = E1 .F1 + . . . + En .Fn for n " N>0

Ê Ê
Z Ê-Regular expressions denote languages of infinite words


G = E1 .F1 + . . . + En .Fn for n " N>0

Ê Ê
Z Examples over the alphabet = { A, B }:

Z language of all words with infinitely many As: (B .A)
ò Ê


G = E1 .F1 + . . . + En .Fn for n " N>0

Ê Ê

ò Ê
Z language of all words with finitely many As: (A + B) .B

ò Ê


G = E1 .F1 + . . . + En .Fn for n " N>0

Ê Ê

ò Ê
Z language of all words with finitely many As: (A + B) .B

ò Ê
Z the empty language o

Ê

Ê-Regular Expressions: Semantics
Definition: semantics of Ê-regular expressions

The semantics of Ê-regular expression G = E1 .F1 + . . . + En .Fn is the
Ê Ê
language L(G) N defined by:

Ê
LÊ (G) = L(E1 ).L(F1 ) < . . . < L(En ).L(Fn ) .

Ê Ê
= { w1 w2 w3 . . . ∂ ºi ' 0. wi " L }.
ò
where for L N , we have L
Ê

Ê-Regular Expressions: Semantics
Definition: semantics of Ê-regular expressions

The semantics of Ê-regular expression G = E1 .F1 + . . . + En .Fn is the
Ê Ê
language L(G) N defined by:

Ê
LÊ (G) = L(E1 ).L(F1 ) < . . . < L(En ).L(Fn ) .

Ê Ê
= { w1 w2 w3 . . . ∂ ºi ' 0. wi " L }.
ò
where for L N , we have L
Ê
The Ê-regular expression G1 and G2 are equivalent,

denoted G1 G2 , if LÊ (G1 ) = LÊ (G2 ).

Safety and Liveness Properties Linear-Time Properties
Overview
3 Safety Properties

Linear-Time Properties
Definition: Linear-Time Property
A linear-time property (LT property) over AP is a subset of 2 ⌥ .
AP Ê

AP Ê
Z Linear-time properties specify desirable traces of a transition system

Z They are infinite words A0 A1 A2 . . . with Ai N AP, i.e. traces
Z No finite words, as TS is assumed to have no terminal states
Z TS satisfies property P if all its “observable” behaviours are admitted
by P

AP Ê
Z Linear-time properties specify desirable traces of a transition system

Z They are infinite words A0 A1 A2 . . . with Ai N AP, i.e. traces
Z No finite words, as TS is assumed to have no terminal states
Z TS satisfies property P if all its “observable” behaviours are admitted
by P
Satisfaction relation for LT properties

Transition system TS (over AP) satisfies LT property P (over AP):
TS Ï P if and only if Traces(TS) N P.

Mutual Exclusion as LT Property

“Always at most one thread is in its critical section”

Z Let AP = { crit1 , crit2 }

other atomic propositions are not of any relevance for this property


Z Formalization as LT property
Pmutex = set of infinite words A0 A1 A2 . . .
with { crit1 , crit2 } N
/ Ai for all 0 & i


/ Ai for all 0 & i
Z Contained in Pmutex are e.g., the infinite words:

Z ({ crit1 } { crit2 })Ê and ({ crit1 })Ê and oÊ


/ Ai for all 0 & i
Z Contained in Pmutex are e.g., the infinite words:

Z ({ crit1 } { crit2 })Ê and ({ crit1 })Ê and oÊ
Z but not { crit1 } o { crit1 , crit2 } . . . or o { crit1 }, (o o { crit1 , crit2 })Ê

Mutual Exclusion by Semaphores
Yes, the semaphore-based algorithm satisfies Pmutex .

Starvation Freedom as LT Property
“A thread that wants to enter the critical section is eventually able

to do so‘”

Starvation Freedom as LT Property
“A thread that wants to enter the critical section is eventually able

to do so‘”
Z Let AP = { wait1 , crit1 , wait2 , crit2 }
Z Formalization as LT-property
Pnostarve = set of infinite words A0 A1 A2 . . . such that:
⌅ Ω j. waiti " Aj ⌦ ⌅ Ω j. criti " Aj ⌦ for each i " { 1, 2 }

ô ô
where: ⌅ Ω j. waiti " Aj ⌦ abbreviates (ºk ' 0. Ωj > k. waiti " Aj )

ô

Starvation Freedom by Semaphores

Does the semaphore-based algorithm satisfy Pnostarve ?

Does the semaphore-based algorithm satisfy Pnostarve ?

No. Trace o ({ wait2 } { wait1 , wait2 } { crit1 , wait2 } ) " Traces(TS), but "
/ Pnostarve
Ê

Trace Inclusion and LT Properties
¨
For TS and TS be transition systems (over AP) without terminal states:
Traces(TS) N Traces(TS )
¨
if and only if
¨
for any LT property P: TS Ï P implies TS Ï P.

¨
¨
if and only if
¨
“ ”:

¨
¨
if and only if
¨
“⌦”:

¨
¨
if and only if
¨
Corollary
Traces(TS) = Traces(TS ) iff TS and TS satisfy the same LT properties.
¨ ¨

Safety and Liveness Properties Safety Properties
Overview
3 Safety Properties

Invariants
Z LT property Einv over AP is an invariant if it has the form:
Einv = t A0 A1 A2 . . . " 2 ⌥ ∂ ºj ' 0. Aj Ï z

AP Ê
where (invariant condition) is a propositional logic formula over AP

Invariants
Einv = t A0 A1 A2 . . . " 2 ⌥ ∂ ºj ' 0. Aj Ï z

AP Ê
Z Note that
TS Ï Einv iff trace(fi) " Einv for all paths fi in TS

iff L(s) Ï for all states s that belong to a path of TS
iff L(s) Ï for all states s " Reach(TS)

Invariants
Einv = t A0 A1 A2 . . . " 2 ⌥ ∂ ºj ' 0. Aj Ï z

AP Ê
Z Note that
TS Ï Einv iff trace(fi) " Einv for all paths fi in TS

iff L(s) Ï for all states s that belong to a path of TS
iff L(s) Ï for all states s " Reach(TS)
Z all initial states fulfil and all transitions in the reachable fragment
of TS preserve

Example Invariants

Safety Properties
Z Safety properties may impose requirements on finite path fragments
Z and cannot be verified by considering the reachable states individually

Safety Properties
Z Every invariant is a safety property, but not the reverse

Safety Properties
Z A safety property which is not an invariant:

Z consider a cash dispenser, aka: automated teller machine (ATM)
Z property “money can only be withdrawn once a correct PIN has been
provided”
not an invariant, since it is not a state property

Safety Properties
Z A safety property which is not an invariant:

Z consider a cash dispenser, aka: automated teller machine (ATM)
Z property “money can only be withdrawn once a correct PIN has been
provided”
not an invariant, since it is not a state property
Z But a safety property:

Z any infinite run violating the property has a finite prefix that is “bad”
Z i.e., in which money is withdrawn without issuing a PIN before

Safety Properties
Definition: Safety Property

LT property Esafe over AP is a safety property if for all ‡ " 2 ⌥ \ Esafe :
AP Ê
Esafe = t‡ " 2 ⌥ ∂ ‡r is a prefix of ‡ z = o.

¨ AP Ê ¨
for some prefix ‡r of ‡.

Safety Properties
Definition: Safety Property

LT property Esafe over AP is a safety property if for all ‡ " 2 ⌥ \ Esafe :
AP Ê
Esafe = t‡ " 2 ⌥ ∂ ‡r is a prefix of ‡ z = o.

¨ AP Ê ¨
for some prefix ‡r of ‡.
Z Path fragment ‡r is called a bad prefix of Esafe
Z Let BadPref(Esafe ) denote the set of bad prefixes of Esafe
Z ‡r " Esafe is minimal if no proper prefix of it is in BadPref(Esafe )

Examples

Safety Properties and Finite Traces
For transition system TS without terminal states

and safety property Esafe :
TS Ï Esafe if and only if Tracesfin (TS) = BadPref(Esafe ) = o.

Finite Prefixes
Z For trace ‡ " 2AP ⌥Ê , let pref(‡) be the set of finite prefixes of ‡:
pref(‡) = { ‡r " 2 ⌥ ∂ ‡r is a finite prefix of ‡ }

AP ò
Z if ‡ = A0 A1 . . . then pref(‡) = sÁ, A0 , A0 A1 , A0 A1 A2 , . . . y

Finite Prefixes

AP ò
Z For property P this is lifted as follows:
pref(P) = ⌫ pref(‡)
‡"P

Finite Prefixes

AP ò
Z For property P this is lifted as follows:
pref(P) = ⌫ pref(‡)
‡"P
Z For transition system TS we have:
Tracesfin (TS) = pref(Traces(TS))

Closure
Definition: closure of a property

The closure of LT property P is defined as:
cl(P) = s‡ " 2 ⌥ ∂ every prefix of ‡ is a prefix of Py

AP Ê
Z cl(P) contains the set of infinite traces whose finite prefixes are also
prefixes of P, or equivalently
Z infinite traces in the closure of P do not have a prefix that is not a

prefix of P

Safety Properties and Closure
For any LT property P over AP:

P is a safety property if and only if cl(P) = P.


“ ”:


“⌦”:

Safety Properties and Finite Trace Equivalence

¨
Let TS and TS be transition systems (over AP) without terminal states.
Tracesfin (TS) N Tracesfin (TS )

¨
if and only if
¨
for any safety property Esafe ⇥ TS Ï Esafe TS Ï Esafe .

Safety Properties and Finite Trace Equivalence

¨
Let TS and TS be transition systems (over AP) without terminal states.
Tracesfin (TS) N Tracesfin (TS )

¨
if and only if
¨
for any safety property Esafe ⇥ TS Ï Esafe TS Ï Esafe .
Tracesfin (TS) = Tracesfin (TS )

¨
if and only if
¨
TS and TS satisfy the same safety properties.

Finite versus Infinite Traces
¨
For TS without terminal states and finite TS :
Traces(TS) N Traces(TS ) Tracesfin (TS) N Tracesfin (TS )

¨ ¨
iff
2
Transition systems in which each state has finitely many direct successors.
Finite versus Infinite Traces
¨
For TS without terminal states and finite TS :
Traces(TS) N Traces(TS ) Tracesfin (TS) N Tracesfin (TS )

¨ ¨
iff
¨
this does not hold for infinite TS (cf. next slide)
¨ 2
but also holds for image-finite TS .
2
Transition systems in which each state has finitely many direct successors.
Trace Equivalence j Finite Trace Equivalence

Safety and Liveness Properties Liveness Properties
Overview
3 Safety Properties

Why Liveness?
Z Safety properties specify that:

“something bad never happens” [Lamport 1977]

Why Liveness?

Z Doing nothing easily fulfils a safety property

as this will never lead to a “bad” situation

Why Liveness?


Safety properties are complemented by liveness properties

that require some progress

Why Liveness?


Safety properties are complemented by liveness properties

that require some progress
Z Liveness properties assert that:

”something good” will happen eventually [Lamport 1977]

The Meaning of Liveness
The question of whether a real system satisfies a liveness property

is meaningless; it can be answered only by observing the system for
an infinite length of time, and real systems don’t run forever.
Liveness is always an approximation to the property we really care about.
We want a program to terminate within 100 years, but proving that it does
would require addition of distracting timing assumptions.
So, we prove the weaker condition that the program eventually terminates.
This doesn’t prove that the program will terminate within our lifetimes,
but it does demonstrate the absence of infinite loops.
[Lamport 2000]

Liveness Properties
Definition: Liveness property
LT property Elive over AP is a liveness property whenever
pref(Elive ) = 2 ⌥ .
AP ò

Liveness Properties
AP ò
Z A liveness property does not rule out any prefix
Z Liveness properties are violated in “infinite time”

Z whereas safety properties are violated in finite time
Z finite traces are of no use to decide whether Elive holds or not
Z any finite prefix can be extended such that the resulting infinite trace
satisfies Elive

Liveness Properties
AP ò
Z A liveness property does not rule out any prefix
Z Liveness properties are violated in “infinite time”

Z whereas safety properties are violated in finite time
Z finite traces are of no use to decide whether Elive holds or not
Z any finite prefix can be extended such that the resulting infinite trace
satisfies Elive
Z Equivalently, Elive is a liveness property iff cl(Elive ) = 2AP ⌥Ê

Example Liveness Properties for Mutual Exclusion

P = { A0 A1 A2 . . . ∂ Aj N AP & . . . } and AP = {wait1 , crit1 , wait2 , crit2 }.


Z Any thread eventually is in its critical section:
(Ωj ' 0. crit1 " Aj ) 0 (Ωj ' 0. crit2 " Aj )


Z Any thread is infinitely often in its critical section:
⌅ Ω j ' 0. crit1 " Aj ⌦ 0 ⌅ Ω j ' 0. crit2 " Aj ⌦

ô ô


Z Any thread is infinitely often in its critical section:
⌅ Ω j ' 0. crit1 " Aj ⌦ 0 ⌅ Ω j ' 0. crit2 " Aj ⌦

ô ô
Z Starvation freedom — no thread is "starving”:
ºj ' 0. wait1 " Aj (Ωk > j. crit1 " Ak )⌥ 0

ºj ' 0. wait2 " Aj (Ωk > j. crit2 " Ak )⌥

Safety and Liveness Properties Safety versus Liveness
Overview
3 Safety Properties

Safety versus Liveness
Z Are safety and liveness properties disjoint? Yes, almost

Z The property 2AP ⌥Ê is both a safety and a liveness property

Z Is any linear-time property a safety or liveness property? No

Z But:
¨
for any LT property P there exists an equivalent LT property P
which is a conjunction of a safety and a liveness property

Z But:
¨
for any LT property P there exists an equivalent LT property P
which is a conjunction of a safety and a liveness property
safety and liveness provide a complete characterization of LT properties

Alpern-Schneider Characterisation
Bowen Alpern Fred B. Schneider

Neither Safe nor Live
“the machine provides infinitely often beer

after initially providing sprite three times in a row”


Z This property consists of two parts:

Z it requires beer to be provided infinitely often
as any finite trace fulfills this, it is a liveness property
Z the first three drinks it provides should all be sprite
bad prefix = one of first three drinks is beer; this is a safety property


Z This property consists of two parts:

Z it requires beer to be provided infinitely often
as any finite trace fulfills this, it is a liveness property
Z the first three drinks it provides should all be sprite
bad prefix = one of first three drinks is beer; this is a safety property
Z This property is thus a conjunction of a safety and a liveness property
does this apply to all such properties?

Decomposition Theorem
Decomposition theorem for LT properties
For any LT property P over AP there exists a safety property Esafe and a
liveness property Elive (both over AP) such that:
P = Esafe = Elive .

Decomposition Theorem
Decomposition theorem for LT properties
For any LT property P over AP there exists a safety property Esafe and a
liveness property Elive (both over AP) such that:
P = Esafe = Elive .
Proposal: P = cl(P) = P < 2 ⌥ \ cl(P)⌥⌥

AP Ê
Õ““ “ “ “— “ “ “ “ œ Õ““ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “—“ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ “ œ
=Esafe =Elive

Proof
Let P be an LT Property over AP.
Show:
1) P = cl(P) = P < 2 ⌥ \ cl(P)⌥⌥
AP Ê
2) cl(P) is a safety property
3) P < 2 ⌥ \ cl(P)⌥⌥ is a liveness property

AP Ê

Proof
Show: P = cl(P) = P < 2 ⌥ \ cl(P)⌥⌥
AP Ê

Proof
Show: cl(P) is a safety property

Proof
Show: P < 2 ⌥ \ cl(P)⌥⌥ is a liveness property
AP Ê

"Sharpest" Decomposition
Let P be an LT property and P = Esafe = Elive where Esafe is a safety

property and Elive a liveness property.
Then:
1. cl(P) N Esafe , and
2. Elive N P < 2 ⌥ \ cl(P)⌥.

AP Ê

"Sharpest" Decomposition
Let P be an LT property and P = Esafe = Elive where Esafe is a safety

property and Elive a liveness property.
Then:
1. cl(P) N Esafe , and
2. Elive N P < 2 ⌥ \ cl(P)⌥.

AP Ê
cl(P) is the strongest safety property and

2 ⌥ \ cl(P)⌥ the weakest liveness property
AP Ê

Classification of LT Properties
[Alpern and Schneider, 1987]

Summary
Z LT properties are finite sets of infinite words over 2AP (= traces)
Z An invariant requires a condition to hold in any reachable state
Z Each trace refuting a safety property has a finite prefix causing this
Z invariants are safety properties with bad prefix (¬ )
ò
safety properties constrain finite behaviours
Z A liveness property does not rule out any finite behaviour

liveness properties constrain infinite behaviours
Z Any LT property is equivalent to a conjunction of a safety and a

liveness property

Next Lecture
Monday April 25, 10:30

mc2022 Lec3 Slides

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

mc2022 Lec3 Slides

Uploaded by

Copyright:

Available Formats

Safety and Liveness Properties

Joost-Pieter Katoen and Tim Quatmann

Model Checking Course, RWTH Aachen, SoSe 2022

Joost-Pieter Katoen and Tim Quatmann Lecture 1/45

5 Safety versus Liveness

Joost-Pieter Katoen and Tim Quatmann Lecture 2/45

Joost-Pieter Katoen and Tim Quatmann Lecture 3/45

5 Safety versus Liveness

Joost-Pieter Katoen and Tim Quatmann Lecture 4/45

Z Actions are mainly used to model the (possibility of) interaction

Z Here, focus on the states that are visited during executions

Z Traces are sequences of the form L(s0 ) L(s1 ) L(s2 ) . . .

Z For transition systems without terminal states1 :

is the infinite word trace(ﬂ) = L(s0 ) L(s1 ) L(s2 ) . . . over 2 ⌥ .

Prefixes of traces are finite traces.

Joost-Pieter Katoen and Tim Quatmann Lecture 6/45

is the infinite word trace(ﬂ) = L(s0 ) L(s1 ) L(s2 ) . . . over 2 ⌥ .

Prefixes of traces are finite traces.

trace( ) = { trace(ﬁ) ∂ ﬁ " }.

Joost-Pieter Katoen and Tim Quatmann Lecture 6/45

is the infinite word trace(ﬂ) = L(s0 ) L(s1 ) L(s2 ) . . . over 2 ⌥ .

Prefixes of traces are finite traces.

trace( ) = { trace(ﬁ) ∂ ﬁ " }.

Z The traces of state s are Traces(s) = trace(Paths(s)).

Joost-Pieter Katoen and Tim Quatmann Lecture 6/45

Joost-Pieter Katoen and Tim Quatmann Lecture 7/45

trace(ﬁ) = o o { crit1 } o o { crit2 } o o { crit1 } o o { crit2 } . . .

Joost-Pieter Katoen and Tim Quatmann Lecture 7/45

trace(ﬁ) = o o { crit1 } o o { crit2 } o o { crit1 } o o { crit2 } . . .

Or expressed using Ê-regular expressions:

trace(ﬁ) = o o { crit1 } o o { crit2 }⌥

Joost-Pieter Katoen and Tim Quatmann Lecture 7/45

Joost-Pieter Katoen and Tim Quatmann Lecture 8/45

Z Regular expressions over have syntax:

E ⇥⇥= o ∂ ∂ A ∂ E+E ∂ E.E ∂ E

Joost-Pieter Katoen and Tim Quatmann Lecture 8/45

Z Regular expressions over have syntax:

E ⇥⇥= o ∂ ∂ A ∂ E+E ∂ E.E ∂ E

L(o) = o, L(Á) = { Á }, L(A) = { A }

L(E+E ) = L(E) < L(E ) L(E.E ) = L(E).L(E ) L(E ) = L(E)

Joost-Pieter Katoen and Tim Quatmann Lecture 8/45

Z Regular expressions over have syntax:

E ⇥⇥= o ∂ ∂ A ∂ E+E ∂ E.E ∂ E

L(o) = o, L(Á) = { Á }, L(A) = { A }

L(E+E ) = L(E) < L(E ) L(E.E ) = L(E).L(E ) L(E ) = L(E)

Z Regular expressions denote languages of finite words

Joost-Pieter Katoen and Tim Quatmann Lecture 8/45

Ê-Regular Expressions: Syntax

G = E1 .F1 + . . . + En .Fn for n " N>0

where Ei , Fi are regular expressions over with Á ä L(Fi ).

Joost-Pieter Katoen and Tim Quatmann Lecture 9/45

Ê-Regular Expressions: Syntax

G = E1 .F1 + . . . + En .Fn for n " N>0

where Ei , Fi are regular expressions over with Á ä L(Fi ).

Z Ê-Regular expressions denote languages of infinite words

Joost-Pieter Katoen and Tim Quatmann Lecture 9/45

Ê-Regular Expressions: Syntax

G = E1 .F1 + . . . + En .Fn for n " N>0

where Ei , Fi are regular expressions over with Á ä L(Fi ).

Z Ê-Regular expressions denote languages of infinite words

Z Examples over the alphabet = { A, B }:

Joost-Pieter Katoen and Tim Quatmann Lecture 9/45