Linear-Time Properties

Hao Zheng

Department of Computer Science and Engineering University of South Florida Tampa, FL 33620 Email: [email protected] Phone: (813)974-4757 Fax: (813)974-5456

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 1 / 53 Recall Model Checking Recall Model Checking

requirements system

Formalizing Modeling

property system model speciﬁcation

Model Checking

violated + location satisﬁed Simulation counterexample error

We now consider the properties. We now consider the properties.

Chris J. Myers (Lecture 3: Linear-Time Prop.) Veriﬁcation of Cyber-Physical Systems 2 / 80 Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 2 / 53 Overview

1 Deadlock (Section 3.1)

2 Linear Time Behavior (Section 3.2) Executions, Paths, and Traces (Section 3.2.1 -3.2.2) Linear-time Properties (Section 3.2.3 - 3.2.4)

3 Safety and Invariants (Section 3.3.1 - 3.3.2)

4 Liveness Properties (Section 3.4.1)

5 Fairness (Section 3.5.1)

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 3 / 53 Contents

1 Deadlock (Section 3.1)

2 Linear Time Behavior (Section 3.2) Executions, Paths, and Traces (Section 3.2.1 -3.2.2) Linear-time Properties (Section 3.2.3 - 3.2.4)

3 Safety and Invariants (Section 3.3.1 - 3.3.2)

4 Liveness Properties (Section 3.4.1)

5 Fairness (Section 3.5.1)

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 4 / 53 Deadlock

Sequential programs without inﬁnite loops terminate. • For reactive systems, terminal states are undesirable and represent an • error. • Embedded controllers need to operate without interruption for a long time. A deadlock occurs if a system stops while at least one component is in • a (local) nonterminal state. • System has halted when at least one component should continue. Typically occurs when components mutually wait for each other. •

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 5 / 53 90 Linear-Time Properties Example Deadlock Situation

TrLight 1 red α β green

TrLight2 red α β TrLight 1 TrLight 2 || green red , red ⟨ ⟩

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 6 / 53 Figure 3.1: An example of a deadlock situation.

Example 3.1. Deadlock for Fault Designed TraﬃcLights Consider the parallel composition of two transition systems

TrLight TrLight 1 ∥ 2 modeling the trafficlightsoftwointersectingroads.Bothtrafficlightssynchronizeby means of the actions α and β that indicate the change of light (see Figure 3.1). The apparently trivial error to let both trafficlightsstartwitharedlightresultsinadeadlock. While the first trafficlightiswaitingtobesynchronizedonactionα,thesecondtraffic light is blocked, since it is waiting to be synchronized with action β.

Example 3.2. Dining Philosophers This example, originated by Dijkstra, is one of the most prominent examples in the ﬁeld of concurrent systems. Deadlock 91 The Dining Philosophers

Stick1 P 1 P2

Stick 0 Stick2

P0 P3

Stick4 Stick3 P4 Design a protocol which is deadlock-free. • Design a protocol which is free of starvation. Five philosophers• are sitting at a round table with a bowl of rice in the middle. For the philosophers (beingHao Zhenga little (CSE, USF) unworldly)Comp life Sys consists Veriﬁcation of thinking and eating7 / 53 (and waiting, as we will see). To take some rice out of the bowl, a philosopher needs two chopsticks. In between two neighboring philosophers, however, there is only a single chopstick. Thus, at any time only one of two neighboring philosophers can eat. Of course, the use of the chopsticks is exclusive and eating with hands is forbidden.

Note that a deadlock scenario occurs when all philosophers possess a single chopstick. The problem is to design a protocol for the philosophers, such that the complete system is deadlock-free, i.e., at least one philosopher can eat and think inﬁnitely often. Additionally, afairsolutionmayberequiredwitheachphilosopherbeingabletothinkandeatinﬁnitely often. The latter characteristic is called freedom of individual starvation.

The following obvious design cannot ensure deadlock freedom. Assume the philosophers and the chopsticks are numbered from 0 to 4. Furthermore, assume all following calcula- tions be “modulo 5”, e.g., chopstick i 1fori=0 denotes chopstick 4, and so on. − Philosopher i has stick i on his left and stick i 1onhisrightside.Theactionrequest − i,i express that stick i is picked up by philosopher i.Accordingly,request i 1,i denotes the action by means of which philosopher i picks up the (i 1)th stick. The actions− release − i,i and release i 1,i have a corresponding meaning. −

The behavior of philosopher i (called process Phil i)isspeciﬁedbythetransitionsystem depicted in the left part of Figure 3.2. Solid arrows depict the synchronizations with the i-th stick, dashed arrows refer to communications with the i 1th stick. The sticks are − modeled as independent processes (called Stick i)withwhichthephilosopherssynchronize via actions request and release;seetherightpartofFigure3.2thatrepresentstheprocess of stick i.Astickprocesspreventsphilosopheri from picking up the ith stick when philosopher i+1 is using it. A Transition92 System for the Dining PhilosophersLinear-Time Properties

think releasei i releasei 1 i

requesti 1 i requesti i

available wait for wait for left stick right stick reqi i reqi i 1

requesti i requesti 1 i reli i reli i 1 eat occupied occupied

releasei 1 i releasei i

return the return the left stick right stick

Figure 3.2: Transition systems for the ith philosopher and the ith stick.

The complete system is of the form: Phil4 Stick3 Phil3 Stick2 Phil2 Stick1 Phil1 Stick0 Phil0 Stick4 Phil Stick Phil Stick Phil Stick Phil Stick Phil Stick k k4 ∥ 3 ∥k 3 ∥ k 2 ∥ 2k∥ 1 ∥ k 1 ∥ k0 ∥ 0 ∥ k 4 k HaoThis Zheng (initially (CSE, obvious)USF) design leadsComp to a Sys deadlock Veriﬁcation situation, e.g., if all philosophers pick 8 / 53 up their left stick at the same time. A corresponding execution leads from the initial state

think , avail , think , avail , think , avail , think , avail , think , avail ⟨ 4 3 3 2 2 1 1 0 0 4⟩

by means of the action sequence request 4, request 3, request 2, request 1, request 0 (or any other permutation of these 5 request actions) to the terminal state

wait , occ , wait , occ , wait , occ , wait , occ , wait , occ . ⟨ 4,0 4,4 3,4 3,3 2,3 2,2 1,2 1,1 0,1 0,0⟩ This terminal state represents a deadlock with each philosopher waiting for the needed stick to be released.

Apossiblesolutiontothisproblemistomakethesticksavailableforonlyonephilosopher at a time. The corresponding chopstick process is depicted in the right part of Figure 3.3. In state availablei,j only philosopher j is allowed to pick up the ith stick. The above- mentioned deadlock situation can be avoided by the fact that some sticks (e.g., the first, the third, and the fifth stick) start in state availablei,i,whiletheremainingsticksstartin state availablei,i+1.Itcanbeverifiedthatthissolutionisdeadlock-andstarvation-free. A Transition92 System for the Dining PhilosophersLinear-Time Properties

think releasei i releasei 1 i

requesti 1 i requesti i

available wait for wait for left stick right stick reqi i reqi i 1

requesti i requesti 1 i reli i reli i 1 eat occupied occupied

releasei 1 i releasei i

return the return the left stick right stick

Figure 3.2: Transition systems for the ith philosopher and the ith stick.

The complete system is of the form: Phil4 Stick3 Phil3 Stick2 Phil2 Stick1 Phil1 Stick0 Phil0 Stick4 k Philk Stick kPhil Stickk Phil kStick Philk Stickk Phil Stickk k req4 ∥,4 , req3 ∥3 ,3 , req3 ∥ 2 ,2 ,2 req∥ 1 ,21∥, req01,∥0 leads1 ∥ to0 a∥ deadlock.0 ∥ 4

HaoThis Zheng (initially (CSE, obvious)USF) design leadsComp to a Sys deadlock Veriﬁcation situation, e.g., if all philosophers pick 8 / 53 up their left stick at the same time. A corresponding execution leads from the initial state

think , avail , think , avail , think , avail , think , avail , think , avail ⟨ 4 3 3 2 2 1 1 0 0 4⟩

by means of the action sequence request 4, request 3, request 2, request 1, request 0 (or any other permutation of these 5 request actions) to the terminal state

Apossiblesolutiontothisproblemistomakethesticksavailableforonlyonephilosopher at a time. The corresponding chopstick process is depicted in the right part of Figure 3.3. In state availablei,j only philosopher j is allowed to pick up the ith stick. The above- mentioned deadlock situation can be avoided by the fact that some sticks (e.g., the first, the third, and the fifth stick) start in state availablei,i,whiletheremainingsticksstartin state availablei,i+1.Itcanbeverifiedthatthissolutionisdeadlock-andstarvation-free. ImprovedDeadlock Transition System for the Stick 93

think reli i reli 1 i

reqi 1 i reqi i

availablei wait for wait for reli i 1 left stick right stick

reqi i reqi i reqi 1 i occupied occupied eat

reli 1 i reli i req return the return the reli i i i 1 left stick right stick availablei 1

Figure 3.3: Improved variant of the ith philosopher and the ith stick.

AfurthercharacteristicoftenrequiredforconcurrentsystemsisrobustnessagainstfailureEven and odd numbered sticks start in diﬀerent available states. •of their components. In the case of the dining philosophers, robustness can be formulated

inHao a way Zheng that (CSE, ensures USF) deadlock andComp starvation Sys Veriﬁcation freedom even if one of the philosophers is9 / 53 “defective” (i.e., does not leave the think phase anymore).1 The above-sketched deadlock- and starvation-free solution can be modiﬁed to a fault-tolerant solution by changing the transition systems of philosophers and sticks such that philosopher i+1 can pick up the ith stick even if philosopher i is thinking (i.e., does not need stick i)independentofwhether stick i is in state availablei,i or availablei,i+1.Thecorrespondingisalsotruewhentheroles of philosopher i and i+1 are reversed. This can be established by adding a single Boolean variable xi to philosopher i (see Figure 3.4). The variable xi informs the neighboring philosophers about the current location of philosopher i.Intheindicatedsketch,xi is a Boolean variable which is true if and only if the ith philosopher is thinking. Stick i is made available to philosopher i if stick i is in location availablei (as before), or if stick i is in location availablei+1 while philosopher i+1 is thinking.

Note that the above description is at the level of program graphs. The complete system is achannelsystemwithrequest and release actions standing for handshaking over a channel of capacity 0.

1 Formally, we add a loop to the transition system of a defective philosopher at state think i. Contents

1 Deadlock (Section 3.1)

2 Linear Time Behavior (Section 3.2) Executions, Paths, and Traces (Section 3.2.1 -3.2.2) Linear-time Properties (Section 3.2.3 - 3.2.4)

3 Safety and Invariants (Section 3.3.1 - 3.3.2)

4 Liveness Properties (Section 3.4.1)

5 Fairness (Section 3.5.1)

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 10 / 53 Recall Executions

A ﬁnite execution fragment % of TS is an alternating sequence of states • and actions ending with a state:

α % = s α s α . . . α s such that s i+1 s for all 0 i < n. 0 1 1 2 n n i −−−→ i+1 ≤ An inﬁnite execution fragment ρ of TS is an inﬁnite, alternating • sequence of states and actions:

α ρ = s α s α s α ... such that s i+1 s for all 0 i. 0 1 1 2 2 3 i −−−→ i+1 ≤ An execution of TS is an initial, maximal execution fragment • • An execution fragment is initial if s0 I. • A maximal execution fragment can be∈ ﬁnite, ending in a terminal state, or inﬁnite.

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 11 / 53 Traces

Let transition system TS = (S, Act, ,I, AP,L) without terminal • states (i.e., all executions are inﬁnite).→ • Terminal states are assumed to have self-loop transitions. The trace of execution ρ = s α s α ... is • 0 0 1 1

trace(π) = L(s0) L(s1) ....

The trace of s α s α . . . s is • 0 0 1 1 n

trace(πb) = L(s0) L(s1) ...L(sn). Traces of a TS are inﬁnite words over the alphabet 2AP, i.e., • Traces(TS) 2APω. ⊆

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 12 / 53 Semaphore-Based Mutual Exclusion Semaphore-Based Mutual Exclusion

PG1 : PG2 :

noncrit1 noncrit2

y := y+1 wait1 y := y+1 wait2

y > 0 : y > 0 : y := y 1 y := y 1 − − crit1 crit2

y=0 meansy=0 means “lock “lock is currentlyis currently possessed”; y=y1=1 meansmeans “lock “lock is free” is free”

Chris J. Myers (Lecture 3: Linear-Time Prop.) Veriﬁcation of Cyber-Physical Systems 13 / 80

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 13 / 53 TS(PG PG ) 1 2 TS(PG PG ) ||| 1 ||| 2

n ,n ,y=1 ⟨ 1 2 ⟩ y := y+1

y := y+1 w ,n ,y=1 n ,w ,y=1 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

c ,n ,y=0 w ,w ,y=1 n ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ y := y 1 − y := y 1 − c ,w ,y=0 w ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

Chris J.Hao Myers Zheng (Lecture (CSE, 3: Linear-Time USF) Prop.) VeriﬁcationComp of Sys Cyber-Physical Veriﬁcation Systems 1414 / / 80 53 TS(PG PG ) Example Traces 1 ||| 2

n ,n ,y=1 ⟨ 1 2 ⟩ y := y+1

y := y+1 w ,n ,y=1 n ,w ,y=1 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

c ,n ,y=0 w ,w ,y=1 n ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ y := y 1 − y := y 1 − c ,w ,y=0 w ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

Let AP = crit , crit { 1 2 } The traceChris of J. Myers the (Lecture ﬁnite 3: Linear-Time execution: Prop.) Veriﬁcation of Cyber-Physical Systems 14 / 80

π = n1, n2, y = 1 w1, n2, y = 1 w1, w2, y = 1 b h i → h i → h i → w1, c2, y = 0 w1, n2, y = 1 c1, n2, y = 0 h i → h i → h i is: trace(π) = crit crit b ∅ ∅ ∅ { 2 } ∅ { 1 } Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 15 / 53 TS(PG PG ) Example Traces 1 ||| 2

n ,n ,y=1 ⟨ 1 2 ⟩ y := y+1

y := y+1 w ,n ,y=1 n ,w ,y=1 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

c ,n ,y=0 w ,w ,y=1 n ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ y := y 1 − y := y 1 − c ,w ,y=0 w ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

Let AP = crit , crit { 1 2 } The traceChris of J. Myers the (Lecture inﬁnite 3: Linear-Time Prop.) execution:Veriﬁcation of Cyber-Physical Systems 14 / 80

π = n1, n2, y = 1 w1, n2, y = 1 c1, n2, y = 0 h i → h i → h i → n1, n2, y = 1 n1, w2, y = 1 n1, c2, y = 0 ... h i → h i → h i → is: trace(π) = crit crit crit crit ... ∅ ∅ { 1 } ∅ ∅ { 2 } ∅ ∅ { 1 } ∅ ∅ { 2 } Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 15 / 53 Linear-Time Properties

Linear-time properties specify the traces that a TS should only exhibit. • A linear-time property (LT property) P over AP is a subset of 2APω • Finite words are not needed assuming there are no terminal states. • A trace satisﬁes LT property P if it is included in P .

TS (over AP) satisﬁes LT property P (over AP): TS = P if and only if Traces(TS) P | ⊆ • TS satisﬁes the LT property P if all its traces are admissible.

Later, a logic will be introduced for specifying LT properties. •

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 16 / 53

How to Specify Mutual Exclusion?

Always at most one process is in its critical section.

Let AP = crit , crit • { 1 2 } • Other atomic propositions are not relevant for this property. Formalization as LT property: • Pmutex = set of infinite words A0 A1 A2 ... with crit1, crit2 Ai for all 0 i { } 6⊆ ≤ Which of the following infinite words satisfies Pmutex ? • ω • ( crit1 crit2 ) { }{ } • crit1 crit1 crit1 ... • { ...}{ }{ } ∅ ∅ ∅ • crit1 crit1, crit2 ... { } ∅ { } • crit1 crit1, crit2 ... ∅ { }∅ ∅ { }∅

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 17 / 53 How to Specify Mutual Exclusion?

Always at most one process is in its critical section.

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 17 / 53 Does the Semaphore-Based Algorithm Satisfy TS(PG1 PG2) Pmutex ? |||

n ,n ,y=1 ⟨ 1 2 ⟩ y := y+1

y := y+1 w ,n ,y=1 n ,w ,y=1 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

c ,n ,y=0 w ,w ,y=1 n ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ y := y 1 − y := y 1 − c ,w ,y=0 w ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

Chris J.Hao Myers Zheng (Lecture (CSE, 3: Linear-Time USF) Prop.) VeriﬁcationComp of Sys Cyber-Physical Veriﬁcation Systems 1814 / / 80 53 Does the Semaphore-Based Algorithm Satisfy TS(PG1 PG2) Pmutex ? |||

n ,n ,y=1 ⟨ 1 2 ⟩ y := y+1

y := y+1 w ,n ,y=1 n ,w ,y=1 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

c ,n ,y=0 w ,w ,y=1 n ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ y := y 1 − y := y 1 − c ,w ,y=0 w ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

Yes as there is no reachable state labeled with crit , crit . { 1 2 }

Chris J.Hao Myers Zheng (Lecture (CSE, 3: Linear-Time USF) Prop.) VeriﬁcationComp of Sys Cyber-Physical Veriﬁcation Systems 1814 / / 80 53 How to Specify Starvation Freedom?

A process that wants to enter the critical section is eventually able to do so.

Let AP = wait , crit , wait , crit • { 1 1 2 2 } Formalization #1: •

Pﬁnwait = set of inﬁnite words A0 A1 A2 ... such that:

j. (wait A k j. crit A ) for each i 1, 2 ∀ i ∈ j ⇒ ∃ ≥ i ∈ k ∈ { }

• However, it does not specify that a process should wait often. • This property holds if process i never wants to enter the critical section!

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 19 / 53 ω No. ( wait2 wait1, wait2 crit1, wait2 ) Traces(TS), but Pnostarve . ∅ { }{ }{ } ∈ 6∈

Does the Semaphore-Based Algorithm Satisfy TS(PG1 PG2) Pnostarve? |||

n ,n ,y=1 ⟨ 1 2 ⟩ y := y+1

y := y+1 w ,n ,y=1 n ,w ,y=1 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

c ,n ,y=0 w ,w ,y=1 n ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ y := y 1 − y := y 1 − c ,w ,y=0 w ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

Chris J.Hao Myers Zheng (Lecture (CSE, 3: Linear-Time USF) Prop.) VeriﬁcationComp of Sys Cyber-Physical Veriﬁcation Systems 2014 / / 80 53 Does the Semaphore-Based Algorithm Satisfy TS(PG1 PG2) Pnostarve? |||

n ,n ,y=1 ⟨ 1 2 ⟩ y := y+1

y := y+1 w ,n ,y=1 n ,w ,y=1 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

c ,n ,y=0 w ,w ,y=1 n ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ y := y 1 − y := y 1 − c ,w ,y=0 w ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

ω No. ( wait2 wait1, wait2 crit1, wait2 ) Traces(TS), but Pnostarve . ∅ { }{ }{ } ∈ 6∈

Chris J.Hao Myers Zheng (Lecture (CSE, 3: Linear-Time USF) Prop.) VeriﬁcationComp of Sys Cyber-Physical Veriﬁcation Systems 2014 / / 80 53 3.2.4 Trace Inclusion and LT Properties

Theorem 3.15

Let TS and TS0 be transition systems (over AP) without terminal states:

Traces(TS) Traces(TS0) ⊆ if and only if

for any LT property P : TS0 = P implies TS = P | |

Traces(TS) Traces(TS0) means that TS is an implementation of TS0 • ⊆ • TS is also referred to as reﬁnement of TS0.

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 21 / 53 Mutual Exclusion AlgorithmTS(PG PG Revisited) TS0 1 ||| 2

n ,n ,y=1 ⟨ 1 2 ⟩ y := y+1

y := y+1 w ,n ,y=1 n ,w ,y=1 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

c ,n ,y=0 w ,w ,y=1 n ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ y := y 1 − y := y 1 − c ,w ,y=0 w ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

Chris J. Myers (Lecture 3: Linear-Time Prop.) Veriﬁcation of Cyber-Physical Systems 14 / 80 Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 22 / 53 TS(PG1 PG2) Mutual Exclusion Algorithm||| Revisited TS

n ,n ,y=1 ⟨ 1 2 ⟩ y := y+1

y := y+1 w ,n ,y=1 n ,w ,y=1 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

c ,n ,y=0 w ,w ,y=1 n ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ y := y 1 − y := y 1 − c ,w ,y=0 w ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

This algorithm satisﬁes Pmutex as T races(TS) T races(TS0) and TS0 = Pmutex . Chris J. Myers (Lecture 3: Linear-Time Prop.) ⊂Veriﬁcation of Cyber-Physical Systems | 14 / 80

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 22 / 53 Corollary 3.18 Trace Equivalence and LT Properties

Let TS and TS0 be transition systems (over AP) without terminal states:

Traces(TS) = Traces(TS0) if and only if

TS and TS0 satisfy the same LT properties

TS and TS cannot be distinguished by any LT properties. • 0

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 23 / 53 Two BeverageTwo Vending Beverage VendingMachines Machines

pay pay ττ ττ

τ soda select beer select soda beer select ττ 1 2

AP = pay,soda,beer AP ={ pay, soda, beer} There is no LT-property that can{ distinguish between} these machines. There is no LT-property that can distinguish between these machines.

Chris J. Myers (Lecture 3: Linear-Time Prop.) Veriﬁcation of Cyber-Physical Systems 28 / 80

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 24 / 53 Contents

1 Deadlock (Section 3.1)

2 Linear Time Behavior (Section 3.2) Executions, Paths, and Traces (Section 3.2.1 -3.2.2) Linear-time Properties (Section 3.2.3 - 3.2.4)

3 Safety and Invariants (Section 3.3.1 - 3.3.2)

4 Liveness Properties (Section 3.4.1)

5 Fairness (Section 3.5.1)

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 25 / 53 3.3 Safety and Invariants

Safety properties “nothing bad should happen”. [Lamport 1977] • ≈ Typical safety property: mutual exclusion property. • • The bad thing (having > 1 process in the critical section) never occurs. Another typical safety property is deadlock freedom. • These properties are in fact invariants. ⇒ An invariant is an LT property that is given by a condition Φ for the • states and requires that Φ holds for all reachable states (e.g., for mutex property Φ crit crit ). ≡ ¬ 1 ∨ ¬ 2

Read section 3.3.1. Skim over 3.3.2. Ignore 3.3.3.

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 26 / 53 3.3.1 Invariants

Deﬁnition 3.20 Invariant

An LT property Pinv over AP is an invariant if there is a propositional logic formula Φ over AP such that:

n APω o Pinv = A A A ... 2 j 0. A = Φ 0 1 2 ∈ | ∀ ≥ j |

where Φ is called an invariant condition of Pinv .

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 27 / 53 Example Invariants

Mutual exclusion • Φ = crit crit ¬ 1 ∨ ¬ 2 Deadlock freedom in Dining Philosophers • Φ = wait ... wait ¬ 0 ∨ ∨ ¬ 4 Deadlock is avoided if at least one philosopher is not waiting to pick up sticks.

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 28 / 53 Notes on Invariants

TS = Pinv iff trace(π) Pinv for all paths π in TS | ∈ iff L(s) = Φ for all states s that belong to a path of TS | iff L(s) = Φ for all states s Reach(TS) | ∈

Φ has to be fulﬁlled by all initial states and satisfaction of Φ is invariant • under all transitions in the reachable fragment of TS.

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 29 / 53 Checking an Invariant

Checking an invariant for the propositional formula Φ • = Check the validity of Φ in every reachable state. Use a slight modification of standard graph traversal algorithms (i.e., ⇒ depth-first search (DFS) and breadth-first search (BFS)). • Provided that the given transition system TS is finite. Perform a forward depth-first search: • • If any state s is found with s = Φ the invariance of Φ is violated. 6| ⇒ Alternative is to perform a backward search: • • Starts with all states where Φ does not hold. S ∗ • Calculates (by a DFS or BFS) the set s∈S,s6|=Φ Pre (s). • If there is a init I such that init S Pre∗(s), then Φ is violated. ∈ ∈ s∈S,s6|=Φ

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 30 / 53 Algorithm 3: A Naive Invariant Checking Algorithm R = ; // Set of reachable states ∅ U = ; // Stack of states ∅ bool b := true; // All states in R satisﬁes Φ foreach s I do ∈ if s R then visit6∈ (s); // visit(s) shown on the next slide return b;

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 31 / 53 The visit(s) Procedure

push(s, U); // Set of reachable states R := R s ; // Stack of states ∪ { } bool b := true; // All states in R satisﬁes Φ while U = do 6 ∅ s0 = top(U); if P ost(s ) R then 0 ⊆ pop(U); b := b (s = Φ); ∧ 0 | else Let s P ost(s ) R; 00 ∈ 0 \ push(s00,U); R := R s ; ∪ { 00} return b;

Error indication is state that refutes Φ. s0 s1 . . . sn with si = Φ (i = n) and sn = Φ is a counter-example. | 6 6|

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 32 / 53 DFS Illustration TS(PG PG ) 1 ||| 2

0 n ,n ,y=1 ⟨ 1 2 ⟩ y := y+1

y := y+1 1 w ,n ,y=1 2 n ,w ,y=1 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

4 c ,n ,y=0 3 w ,w ,y=1 5 n ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ y := y 1 − y := y 1 − 6 c ,w ,y=0 w ,c ,y=0 7 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 33 / 53

Chris J. Myers (Lecture 3: Linear-Time Prop.) Veriﬁcation of Cyber-Physical Systems 14 / 80 Time Complexity

The time complexity for invariant checking is: • ( N (1 + Φ ) + M ) O ∗ | | where • N is the number of reachable states, • M is the number of transitions in the reachable fragment of TS, and • Φ is the length of Φ. | |

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 34 / 53 3.3.2 Safety Properties

Safety properties can be translated to invariants. • • Safety properties need to hold in every state! A TS violates a LT safety property P if there is a BadPref such that • safe AP ω BadP ref (2 ) Psafe . • 6∈

where BadPref is a ﬁnite trace that ends with a violation to Psafe . The idea is diﬀerent from what is given in the book. •

Psafe : red preceded immediately by yellow.

Counter-example for P : safe •••

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 35 / 53 Contents

1 Deadlock (Section 3.1)

2 Linear Time Behavior (Section 3.2) Executions, Paths, and Traces (Section 3.2.1 -3.2.2) Linear-time Properties (Section 3.2.3 - 3.2.4)

3 Safety and Invariants (Section 3.3.1 - 3.3.2)

4 Liveness Properties (Section 3.4.1)

5 Fairness (Section 3.5.1)

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 36 / 53 Liveness Properties

Safety properties specify that “something bad never happens”. • Doing nothing easily fulfills a safety property as this will never lead to a • “bad” situation. Safety properties are complemented by liveness properties that require • some progress. • Safety violations are characterized by finite traces. Liveness properties assert that ”something good will happen”. • • Liveness violations are characterized by infinite traces.

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 37 / 53 Example Liveness Properties

“If the tank is empty, the outlet valve will eventually be closed”. • “If the outlet valve is open and the request signal disappears, the outlet • valve will eventually be closed”. “If the tank is full and a request is present, the outlet valve will • eventually be opened”. “The program terminates within 31 computational steps”. • A ﬁnite trace may violate this; this is a safety property! ⇒ “The program eventually terminates”. •

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 38 / 53 Liveness Properties for Mutual Exclusion

Eventually: • • Each process will eventually enter its critical section. Repeated eventually: • • Each process will enter its critical section inﬁnitely often. Starvation freedom: • • Each waiting process will eventually enter its critical section.

How to formalize these properties?

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 39 / 53 Liveness Properties for Mutual Exclusion

P = A0 A1 A2 ... Aj AP & ... and AP = wait1, crit1, wait2, crit2 { | ⊆ } { } Eventually: • Each process will eventually enter its critical section.

( j 0. crit1 Aj) ( j 0. crit2 Aj) ∃ ≥ ∈ ∧ ∃ ≥ ∈ Repeated eventually: • Each process will enter its critical section inﬁnitely often.

∞ ∞ j 0. crit1 Aj j 0. crit2 Aj ∃ ≥ ∈ ∧ ∃ ≥ ∈ Starvation freedom: • Each waiting process will eventually enter its critical section.

j 0. (wait1 Aj ( k > j. crit1 Ak)) ∀ ≥ ∈ ⇒ ∃ ∈ ∧ j 0. (wait2 Aj ( k > j. crit2 Ak)) ∀ ≥ ∈ ⇒ ∃ ∈

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 40 / 53 Summary LT Properties

LT properties are finite sets of infinite words over 2AP (= traces). • An invariant requires a condition Φ to hold in any reachable state. • Each trace refuting a safety property has a finite prefix causing this. • • Invariants are safety properties with bad prefix Φ∗( Φ). • A safety property is regular iff its set of bad prefixes¬ is a regular language. Safety properties constrain finite behaviors. ⇒ A liveness property does not rule out finite behavior, liveness properties • constrain infinite behaviors.

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 41 / 53 Contents

1 Deadlock (Section 3.1)

2 Linear Time Behavior (Section 3.2) Executions, Paths, and Traces (Section 3.2.1 -3.2.2) Linear-time Properties (Section 3.2.3 - 3.2.4)

3 Safety and Invariants (Section 3.3.1 - 3.3.2)

4 Liveness Properties (Section 3.4.1)

5 Fairness (Section 3.5.1)

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 42 / 53 Does this Program Always Terminate?

Inc Reset |||

where proc Inc = while x 0 do x := x + 1 od ≥ proc Reset = x := 1 − x is a shared integer variable that initially has value 0

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 43 / 53 TS(PG PG ) Is it Possible to Starve? 1 ||| 2

n ,n ,y=1 ⟨ 1 2 ⟩ y := y+1

y := y+1 w ,n ,y=1 n ,w ,y=1 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

c ,n ,y=0 w ,w ,y=1 n ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ y := y 1 − y := y 1 − c ,w ,y=0 w ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

Can either process enter its critical section if it wants to?

Chris J. Myers (Lecture 3: Linear-Time Prop.) Veriﬁcation of Cyber-Physical Systems 14 / 80

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 44 / 53 Fairness

Starvation freedom is often considered under process fairness. • There is a fair scheduling of the execution of processes. ⇒ Fairness is typically needed to prove liveness. • • Not needed for safety properties! • To prove liveness or some form of progress, progress needs to be possible. Fairness is concerned with a fair resolution of nondeterminism such that • it is not biased to consistently ignore a possible option. Problem: liveness properties constrain inﬁnite behaviors, but some • traces—that are unfair—refute the liveness property.

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 45 / 53 3.5.1 Fairness Constraints

Unconditional fairness • An activity is executed infinitely often. Strong fairness (compassion) • If an activity is infinitely often enabled (not necessarily always!) then it has to be executed infinitely often. Weak fairness (justice) • If an activity is continuously enabled (no temporary disabling!) then it has to be executed infinitely often.

We will use actions to distinguish fair and unfair behaviors. A state-based notion of fairness could also be deﬁned.

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 46 / 53 Fairness Deﬁnition

For TS = (S, Act, ,I, AP,L) without terminal states, A Act, → ⊆ α0 α1 and inﬁnite execution fragment ρ = s0 s1 ... of TS: −→ −→ 1 ρ is unconditionally A-fair whenever:

true = k 0. j k. αj A ⇒ ∀| ≥ ∃ {z≥ ∈ } inﬁnitely often A is taken

2 ρ is strongly A-fair whenever:

( k 0. j k. Act(sj) A = ) = k 0. j k. αj A |∀ ≥ ∃ ≥ {z ∩ 6 ∅} ⇒ ∀| ≥ ∃ {z≥ ∈ } inﬁnitely often A is enabled inﬁnitely often A is taken

3 ρ is weakly A-fair whenever:

( k 0. j k. Act(sj) A = ) = k 0. j k. αj A |∃ ≥ ∀ ≥ {z ∩ 6 ∅} ⇒ ∀| ≥ ∃ {z≥ ∈ } A is eventually always enabled inﬁnitely often A is taken

where Act(s) = α ∈ Act | ∃s0 ∈ S. s −→α s0

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 47 / 53 Fairness Example

This program terminates under unconditional (process) fairness on process IDs:

proc Inc = while x 0 do x := x + 1 od ≥ proc Reset = x := 1 − x is a shared integer variable that initially has value 0

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 48 / 53 Another Fairness Example

Does the following property holds?

x eventually becomes negative.

proc Inc = while x 0 do α : x := x + 1 od ≥ 1 proc Reset = while x < 0 do α : x := 1 od 2 − x is a shared integer variable that initially has value 0

1 Using unconditional fairness on α1 and α2.

2 Using strong fairness on α1 and α2.

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 49 / 53 Which Fairness Notion to Use?

unconditional A-fairness = strong A-fairness = weak A-fairness ⇒ ⇒

Fairness constraints aim to rule out “unreasonable” executions. • Too strong? relevant computations ruled out, veriﬁcation yields: • ⇒ • “false”: error found. • “true”: don’t know as some relevant execution may refute it. Too weak? too many computations considered, veriﬁcation yields: • ⇒ • “true”: property holds. • “false”: don’t know, as refutation may be due to some unreasonable run.

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 50 / 53 Example (Un)fair Executions TS(PG PG ) 1 ||| 2

n ,n ,y=1 ⟨ 1 2 ⟩ y := y+1

y := y+1 w ,n ,y=1 n ,w ,y=1 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

c ,n ,y=0 w ,w ,y=1 n ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ y := y 1 − y := y 1 − c ,w ,y=0 w ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

Chris J.Hao Myers Zheng (Lecture (CSE, 3: Linear-Time USF) Prop.) VeriﬁcationComp of Sys Cyber-Physical Veriﬁcation Systems 5114 / / 80 53 TS(PG PG ) Fairness for Mutual Exclusion1 ||| 2

n ,n ,y=1 ⟨ 1 2 ⟩ y := y+1

y := y+1 w ,n ,y=1 n ,w ,y=1 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

c ,n ,y=0 w ,w ,y=1 n ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ y := y 1 − y := y 1 − c ,w ,y=0 w ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ = ( enter1, enter2 , , ) F | {z } ∅ ∅ Funcondirional

Chris J. Myers (Lecture 3: Linear-Time Prop.) Veriﬁcation of Cyber-Physical Systems 14 / 80

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 52 / 53 TS(PG PG ) Fairness for Mutual Exclusion1 ||| 2

n ,n ,y=1 ⟨ 1 2 ⟩ y := y+1

y := y+1 w ,n ,y=1 n ,w ,y=1 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩

c ,n ,y=0 w ,w ,y=1 n ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ y := y 1 − y := y 1 − c ,w ,y=0 w ,c ,y=0 ⟨ 1 2 ⟩ ⟨ 1 2 ⟩ = ( , enter1, enter2 , ) F ∅ | {z } ∅ Fstrong

Chris J. Myers (Lecture 3: Linear-Time Prop.) Veriﬁcation of Cyber-Physical Systems 14 / 80

Hao Zheng (CSE, USF) Comp Sys Veriﬁcation 52 / 53