Decomposing Properties into Safety and Liveness

Ali Ghodsi – UC Berkeley / KTH
alig(at)cs.berkeley.edu

Safety & Liveness All That Matters

- This lecture:
  - “Any specification can be expressed as the conjunction of a safety property and a liveness property” - Alpern & Schneider, Inf. Proc. Letters 1985
- Example
  - P is that every message sent is delivered exactly once
  - Q is that every message sent is delivered at most once
  - R is that every message sent is delivered at least once
- P is neither safety nor liveness
  - Q is safety, R is liveness, and P ↔ Q ∧ R
- Rest of lecture: show that this can be done for any property P

2/23/2021 Ali Ghodsi, alig(at)cs.berkeley.edu

Definitions

- S: set of states of the distributed system
- An execution is an infinite sequence of states
  - Assume E is an execution
    - E[..i] is the finite prefix of size i of E
    - E[i..] is the infinite suffix of E starting at the i:th state
  - Concatenation is done with ◦, e.g. E[..i]◦F
- Sω: set of all possible executions
- S*: set of all prefixes of executions (finite strings)

Definitions (2)

- A property P is a predicate over executions, i.e. a function returning true/false (1/0) for every execution
  - Equivalently, P is the set of executions for which the property holds
  - We use the former definition when using functional notation, e.g. P(E) = true
- Recall De Morgan’s Law for quantifiers
  - ¬∀X : P(X) ↔ ∃X : ¬P(X)

Definition of Safety

- A property P is a safety property iff
  ∀E ∈ Sω : ¬P(E) → ∃i ∈ ℕ : ∀F ∈ Sω : ¬P(E[..i]◦F)
- Equivalently, any execution not satisfying the property has some prefix for which any infinite extension will not satisfy the property
  - If an execution E violates P, then some bad event happened, so that every execution with the prefix of E containing the bad event must also violate P

Definition of Liveness

- A property P is a liveness property iff
  ∀E ∈ S* : ∃F ∈ Sω : P(E◦F)
- Every finite prefix must have an infinite extension in P
  - For every prefix of an execution, there must exist some continuation where something good happens, making that execution satisfy P
  - “As long as there is life, there is hope” - Cicero

Main Theorem

- Every property P is equivalent to the conjunction (∧) of two properties Q and R
  - where Q is a safety property, and
  - where R is a liveness property
- Let safe.P denote Q
- Let live.P denote R

Baby steps…

- First step…
  - P is always equivalent to the conjunction of two properties safe.P and live.P
- NB: We haven’t claimed that safe.P is a safety property
- NB: We haven’t claimed that live.P is a liveness property
- Let
  - safe.P(E) = P(E) ∨ MP(E)
  - live.P(E) = P(E) ∨ ¬MP(E)
  - for some predicate MP which we define later
- Hence, safe.P is P with some additional executions
- Similarly, live.P is P with some additional executions

Baby steps… (2)

- Let
  - safe.P(E) = P(E) ∨ MP(E)
  - live.P(E) = P(E) ∨ ¬MP(E)
- Then P(E) ↔ safe.P(E) ∧ live.P(E)
  - i.e. P(E) ↔ [ P(E) ∨ MP(E) ] ∧ [ P(E) ∨ ¬MP(E) ]
  - If P(E) = true, then both clauses become true [→]
  - If both clauses are true, then P(E) must be true, since MP(E) and ¬MP(E) cannot both be true [←]

Remaining steps…

- Need to prove
  - safe.P is a safety property
  - live.P is a liveness property
- Define
  - MP(E) = ∀i ∈ ℕ : ∃F ∈ Sω : P(E[..i]◦F)
    - i.e. MP(E) is true if every prefix of E has some extension making it true under P
  - Note that De Morgan’s gives ¬MP(E) = ∃i ∈ ℕ : ∀F ∈ Sω : ¬P(E[..i]◦F)

Intuition of safe.P(E)

- safe.P adds to P all executions true under MP
  - MP(E) = ∀i ∈ ℕ : ∃F ∈ Sω : P(E[..i]◦F)
    - i.e. MP(E) is true if every prefix of E has some extension making it true under P
- Is it possible that P(E) = false but MP(E) = true?
  - Yes, let the set of states be S = {0, 1},
    - P = { E | E is an execution with 0 everywhere but one position }
    - The execution of all zeroes Z = 000… isn’t in P
    - MP(Z) = true since every prefix of Z has many extensions in P
      - Just add a 1 after the prefix, and then add infinite 0’s…

Intuition of live.P(E)

- live.P adds to P all executions true under ¬MP
  - ¬MP(E) = ∃i ∈ ℕ : ∀F ∈ Sω : ¬P(E[..i]◦F)
    - i.e. ¬MP(E) is true if there is a prefix of E whose every extension is false under P
- Is it possible that P(E) = false but ¬MP(E) = true?
  - Yes, let the set of states be S = {0, 1},
    - P = { E | E is an execution with 0 everywhere but one position }
    - The execution Z = 1100000… isn’t in P
    - ¬MP(Z) = true since every extension of “11” is false under P

Remaining steps…

- Recall
  - MP(E) = ∀i ∈ ℕ : ∃F ∈ Sω : P(E[..i]◦F)
    - i.e. MP(E) is true if every prefix of E has some extension making it true under P
    - i.e. there is always “hope” for every prefix of E
  - ¬MP(E) = ∃i ∈ ℕ : ∀F ∈ Sω : ¬P(E[..i]◦F)
    - i.e. ¬MP(E) is true if there exists a prefix of E for which every extension is false under P
    - i.e. some “bad” event happens in E after which we cannot recover

We are safe!

- Claim
  - safe.P(E) = P(E) ∨ MP(E) is a safety property
  - where MP(E) = ∀i ∈ ℕ : ∃F ∈ Sω : E[..i]◦F ∈ P
- Must prove that if E violates safe.P, any extension of some prefix of E will always violate safe.P
  - Assume safe.P(E) = false for some execution E
  - Then P(E) and MP(E) are false, and hence ¬MP(E) = true
  - Recall ¬MP(E) = ∃i ∈ ℕ : ∀F ∈ Sω : E[..i]◦F ∉ P
  - Hence, there is some finite prefix G of E for which any extension violates P
  - But ∃i ∈ ℕ : ∀F ∈ Sω : E[..i]◦F ∉ MP since MP(G◦F) = false
    - Every such G◦F is therefore outside both P and MP, i.e. safe.P(G◦F) = false
  - Thus safe.P(E) is a safety property!

We are alive!

- Claim
  - live.P(E) = P(E) ∨ ¬MP(E) is a liveness property
  - where MP(E) = ∀i ∈ ℕ : ∃F ∈ Sω : E[..i]◦F ∈ P
- Must prove that any prefix G has an extension in live.P
  - For any extension E of G, either live.P(E) is true or false
  - If live.P(E) = true then we are done
  - If live.P(E) = false, then P(E) = false = ¬MP(E), and MP(E) = true
    - Recall MP(E) = ∀i ∈ ℕ : ∃F ∈ Sω : E[..i]◦F ∈ P
    - Hence, every prefix of E has some extension in P
  - I.e. every prefix of E (in particular G) has some extension in live.P
  - Thus, every prefix G can be extended to true under live.P, making it a liveness property
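The following is an added worked example, not part of the lecture slides, that runs the construction of the last few slides on the S = {0, 1} example from the "Intuition" slides and ties it back to the P, Q, R of slide 2. Executions are infinite, so the code restricts itself to ultimately periodic executions represented as a "lasso" (a finite prefix plus a cycle repeated forever); the class `Lasso`, the helpers `extend`, `not_MP_witness`, `live_extension`, and the sample executions `Z0`, `Z11`, `ONE`, `PERIODIC` are all assumptions of this example. For the slides' property P = "exactly one 1 in the execution", MP is decidable on a lasso because a finite word extends into P iff it contains at most one 1. The example goes slightly beyond the slides: it shows that safe.P coincides with "at most once" (Q) and live.P with "at least once" (R), and it exhibits the bad-prefix witness used in the safety proof and the extension used in the liveness proof.

```python
"""Added worked example (not from the lecture): the decomposition computed
on the S = {0, 1} example of the slides.

Executions are infinite, so an executable model has to pick a representable
subset. We use ultimately periodic executions ("lassos": a finite prefix
followed by a finite cycle repeated forever). For the slides' property
P = "exactly one 1 in the execution" every predicate of the lecture (P, MP,
safe.P, live.P) is decidable on lassos, because a finite word can be extended
into P iff it contains at most one 1.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Lasso:
    prefix: tuple  # finite head of the execution, states from {0, 1}
    cycle: tuple   # non-empty, repeated forever after the prefix

    def ones(self):
        """Number of 1-states in the whole execution; infinite if the cycle has a 1."""
        return float("inf") if 1 in self.cycle else self.prefix.count(1)

    def finite_prefix(self, i):
        """E[..i]: the first i states, as a tuple."""
        out = list(self.prefix)
        while len(out) < i:
            out.extend(self.cycle)
        return tuple(out[:i])


def extend(w, F):
    """w o F: the execution starting with the finite word w and continuing as lasso F."""
    return Lasso(tuple(w) + F.prefix, F.cycle)


def P(E):
    """P(E): exactly one 1 occurs in E ("every message delivered exactly once")."""
    return E.ones() == 1


def MP(E):
    """MP(E) = forall i in N : exists F : P(E[..i] o F).
    A finite prefix w extends into P iff w has at most one 1 (append a 1 if
    needed, then 0s forever). Every prefix of E has <= 1 ones iff E has <= 1
    ones, so MP is decidable on the lasso."""
    return E.ones() <= 1


def not_MP_witness(E):
    """The smallest i such that every extension of E[..i] violates P, i.e. the
    first prefix containing two 1s (the 'bad event' of the lecture).
    Returns None when MP(E) holds."""
    if MP(E):
        return None
    seen, i = 0, 0
    while True:            # terminates: not MP(E) means E contains >= 2 ones
        i += 1
        if E.finite_prefix(i)[-1] == 1:
            seen += 1
            if seen == 2:
                return i


def safe_P(E):
    """safe.P(E) = P(E) or MP(E)."""
    return P(E) or MP(E)


def live_P(E):
    """live.P(E) = P(E) or not MP(E)."""
    return P(E) or not MP(E)


# The two properties of slide 2, stated directly, to compare against.
def at_most_once(E):   # Q: delivered at most once
    return E.ones() <= 1


def at_least_once(E):  # R: delivered at least once
    return E.ones() >= 1


def live_extension(w):
    """An extension of the finite word w that satisfies live.P: add a 1 and
    then 0s forever. The result has >= 1 ones, so either P holds (exactly one)
    or w already contained a 1 and not MP holds (two or more)."""
    return Lasso(tuple(w) + (1,), (0,))


# Constructed sample executions (the lecture's Z = 000... and Z = 11000... among them).
Z0 = Lasso((), (0,))          # 000...
Z11 = Lasso((1, 1), (0,))     # 11000...
ONE = Lasso((0, 1), (0,))     # 01000...   an execution in P
PERIODIC = Lasso((), (0, 1))  # 010101...  infinitely many 1s
SAMPLES = (Z0, Z11, ONE, PERIODIC)

if __name__ == "__main__":
    for E in SAMPLES:
        print(E, "P:", P(E), "MP:", MP(E), "safe.P:", safe_P(E),
              "live.P:", live_P(E), "bad prefix:", not_MP_witness(E))
```

Running the script prints, for each sample, the values the slides argue about: Z = 000… is outside P but inside safe.P (MP holds), Z = 11000… is outside P but inside live.P (¬MP holds, with the bad prefix "11" of length 2), and for every sample P(E) equals safe.P(E) ∧ live.P(E).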