Lecture 11 Safety, Liveness, and Regular Expression Logics

Transcription

1 Lecture 11 Safety, Liveness, and Regular Expression Logics Safety and Liveness Regular Expressions w-regular Expressions Programs, Computations, and Properties Guarantee, Response, and Persistance Properties.

2 Key Reference Edward Chang, Zohar Manna and Amir Pnueli, The Safety-Progress Classification, Paper proposes a classification of temporal properties called the safety-progress hierarchy. Four perspectives: Language theoretic, Topological, Temporal logical, and Automata theoretic. Will focus on the language theoretic view in these notes.

3 Temporal Properties Why specify a program in terms of properties? Since the specifier lists several properties and is not required to show how they can be integrated or worry about how they interact with on another, he is not tempted to overspecify or actually design the system. This approach leads to specifications which are considerably free of implementation bias.

4 Safety Properties A safety property states that some bad thing never happens. Safety properties represent requirements that should be continuously maintained by the system. They often express invariance properties.

5 Liveness Properties A liveness property states that some good thing eventually happens. Liveness properties represent requirements that need not hold continuously but whose eventual (or repeated) realization must be ensured.

6 Safety and Liveness (cont.) A safety property correspnds to partial correctness which does not ensure termination, but only that all terminating computations produce correct results. Liveness properties correspond to total correctness which guarantees termination.

7 Extended Regular Expressions Let S be a set of events or states. If f 1 and f 2 are regular expressions, then so are 1. e( the empty string) 2. a, where a is an element of S 3. f 1 + f 2 4. f 1 ; f 2 5. f 1 * 6. f 1 f 2 7. φ 1

8 w-regular Expressions ; ; Also allow f w where f is a regular expression. For example, a b* represents a set of sequences. Each sequence consists of an a followed by a finite number of b s: {a, ab, abb, abbb, } (a + c)* b w represents the set of sequences that begin with a prefix consisting of a s and c s of arbitrary length---followed by an infinite number of b s: {bb b, abb b, cbb b, acbb b, }

9 Motivation Folklore: you need w-regular expressions to deal with liveness properties. Question: Doesn t the ordinary regular expression S*b express the inevitability of b (i.e. F b)? Why aren t ordinary regular expressions sufficient for expressing temporal properties?

10 Motivation Part of the Answer We have to be careful about when we say that a w- sequence of events matches a regular expression. If we mean the regular expression matches some prefix of the sequence, then S*b does express F b. The problem is not with F but with G. How do we specify Gb? The obvious choice b* doesn t work because the empty sequence (a prefix of every sequence) matches it.

11 Part of the Answer (cont.) Let s be an w-sequence of events representing the infinite future. Let F be a regular expression. The property A(F) represents all sequences s such that all prefixes of s belong to F. The property E(F) represents all sequences s such that some prefix of s belongs to F. Then A(b*) corresponds to Gb and E(S*b) corresponds to F b. (note that A and E are not path quantifiers!!)

12 Programs, Computations, and Properties reactive program P -- generator of computations. computation s -- infinite sequence of states or events S. property P -- set of computations. A program P satisfies a property P if all of the computations s of P belong to P.

13 Some Terminology S* is the set of all finite length sequences over. S + is the set of all non-empty finite length sequences over. If s is a finite sequence then s will denote its length. S w will denote the set of all infinite length sequences over.

14 More Terminology For a finite sequence s in S* and any sequence s we will write s < s if s is a prefix of s. We will write s s if (s < s ) (s = s ). The sequence s s is obtained by concatenating s to the end of s. If F and P are sets of sequences, then F P consists of all infinite sequences in F as well as s s where s in F is a finite sequence and s in P.

15 Four Operators The property A(F) consists of all infinite sequences s such that all prefixes of s belong to F The property E(F) consists of all infinite sequences s such that some prefix belong to F The property R(F) consists of all infinite sequences s such that infinitely many prefixes of s belong to F The property P(F) consists of all infinite sequences s such that all but finitely many prefixes of s belong to F The motivation for denoting the last two operators by R and P is that prefixes belonging to F occur recurrently in R(F) and persistently in P(F)

16 Still More Terminology A set F S + of non-empty finite words is called a finitary property. Pref (P) will denote the finitary property consisting of all finite prefixes of sequences in P. If F is a finitary property, then its complement is denoted by Φ = Σ + Φ If P is an infinitary property, then its complement is denoted by ω Π = Σ Π

17 Duality properties A( Φ ) = E ( Φ) 1. We have s A(F) iff all prefixes of s belong to F. 2. Thus, s ˇ A(F) iff there exists at least one prefix s of s that does not belong to F. 3. This means that s has a prefix s that belongs to σ E(Φ) which is true iff. Likewise, it is easy to show that R( Φ ) = P( Φ) Φ

18 Basic Property Classes An infinitary property P is defined to be a safety property if P = A(F) for some finitary property F. a guarantee property if P = E(F) for some finitary property F. A response property if P = R(F) for some finitary property F. A persistance property if P = P(F) for some finitary property F.

19 Examples of Basic Properties A( a + b*) = a w + a + b w so this property is a safety property. E(a + b*) = a + b* S w so this property is a guarantee property. R(S * b) = (S * b) w so this property is a response property. P(S * b) = S * b w so this property is a persistence property.

20 Inclusion among classes The class of response properties properly contains the classes of safety and guarantee properties. The class of persistence properties also contains both of these classes.

21 The Obligation Class Unrestricted boolean combinations of safety properties Unrestricted boolean combinations of guarantee properties Positive boolean combinations of safety and guarantee properties A example of an obligation property is a ω + Σ c Σ ω

22 The Reactivity Class Similar to the Obligation Class except that response and persistence take the place of safety and guarantee. Every Reactivity can be expressed as a boolean combination of response and persistence properties.

23 Hierarchy of classes Reactivity Response Persistence Obligation Safety Guarantee

24 Liveness An infinitary property P is aliveness property if every sequence s in S + is a prefix of a word in : Pref (P) = S + Thus, a S* b S w would not be a liveness property. However, S* b S w would be a liveness property It is easy to prove that liveness properties are upward closed, i.e. every superset of a liveness property is a liveness property.

25 Safety and Liveness again The classes of safety and liveness properties are disjoint except for the trivial properties f and S w Every property can be written as the intersection of a safety and liveness property For example a S* b is neither a safety nor liveness ω ω property. But, a S* b = aσ Σ bσ

26 Yet Another Quote If we are willing to restrict ourselves to expressing safety then a languages of predicates over finite behaviors (or prefixes of infinite behaviors) suffices. The only justification for using temporal logic or equivalent formalizations, which are considerably more complex since they define predicates over infinite behaviors, is for expressing liveness properties.

27 Another Quote One of the major drawbacks of this property based appproach to specification is that while it discourages overspecification, it may lead to underspecification. Thus a constant concern in working with such specifications is that of completeness. (This is where existential path quantifiers can help.)