Linear-Time Properties

Definition 3.33. Liveness Property

3.4.2 Safety vs. Liveness Properties

This section studies the relationship between liveness and safety properties. In particular, it provides answers to the following questions:

• Are safety and liveness properties disjoint?, and

Liveness Properties 123

• Is any linear-time property a safety or liveness property?

As we will see, the first question will be answered affirmatively while the second question will result in a negative answer. Interestingly enough, though, for any LT propertyP an equivalent LT propertyP does exist which is a combination (i.e., intersection) of a safety and a liveness property. All in all, one could say that the identification of safety and liveness properties thus provides an essential characterization of linear-time properties.

The first result states that safety and liveness properties are indeed almost disjoint. More precisely, it states that the only property that is both a safety and a liveness property is nonrestrictive, i.e., allows all possible behaviors. Logically speaking, this is the equivalent of “true”.

Lemma 3.35. Intersection of Safety and Liveness Properties

The only LT property over AP that is both a safety and a liveness property is (2^AP)^ω. Proof: Assume P is a liveness property over AP. By definition, pref(P) = (2^AP)^∗. It follows that closure(P) = (2^AP)^ω. If P is a safety property too, closure(P) = P, and hence P = (2^AP)^ω.

Recall that the closure of property P (over AP) is the set of infinite words (over 2^AP) for which all prefixes are also prefixes of P. In order to show that an LT property can be considered as a conjunction of a liveness and a safety property, the following result is helpful. It states that the closure of the union of two properties equals the union of their closures.

Lemma 3.36. Distributivity of Union over Closure For any LT properties P andP:

closure(P) ∪ closure(P) =closure(P ∪ P).

Proof: ⊆: As P ⊆ P implies closure(P) ⊆ closure(P), we have P ⊆ P ∪P implies closure(P)⊆closure(P∪P). In a similar way it follows thatclosure(P)⊆closure(P∪P).

Thus,closure(P) ∪ closure(P)⊆closure(P ∪ P).

⊇: Letσ∈closure(P∪P). By definition of closure, pref(σ)⊆pref(P∪P). Aspref(P∪ P) = pref(P)∪pref(P), any finite prefix of σ is in pref(P) or in pref(P) (or in both).

As σ ∈ (2^AP)^ω, σ has infinitely many prefixes. Thus, infinitely many finite prefixes of σ belong to pref(P) or to pref(P) (or to both). W.l.o.g., assume pref(σ)∩pref(P) to be infinite. Then pref(σ) ⊆ pref(P), which yields σ ∈ closure(P), and thus σ ∈ closure(P)∪closure(P). The fact thatpref(σ)⊆pref(P) can be shown by contraposition.

Assume σ ∈ pref(σ)\pref(P). Let |σ| =k. As pref(σ)∩pref(P) is infinite, there exists σ ∈ pref(σ) ∩pref(P) with length larger than k. But then, there exists σ ∈ P with σ ∈pref(σ). It then follows thatσ∈pref(σ) (as bothσ and σ are prefixes ofσ) and as pref(σ)⊆pref(P), it follows that σ∈pref(P). This contradicts σ∈pref(σ)\pref(P).

Consider the beverage vending machine of Figure 3.5 (on page 97), and the following property:

“the machine provides beer infinitely often after initially providing soda three times in a row”

In fact, this property consists of two parts. On the one hand, it requires beer to be provided infinitely often. As any finite trace can be extended to an infinite trace that enjoys this property it is a liveness property. On the other hand, the first three drinks it provides should all be soda. This is a safety property, since any finite trace in which one of the first three drinks provided is beer violates it. The property is thus a combination (in fact, a conjunction) of a safety and a liveness property. The following result shows that every LT property can be decomposed in this way.

Theorem 3.37. Decomposition Theorem

For any LT property P over APthere exists a safety propertyPsafe and a liveness property P_live (both over AP) such that

P =Psafe ∩ Plive.

Proof: Let P be an LT property over AP. It is easy to see that P ⊆ closure(P). Thus:

P =closure(P) ∩ P, which by set calculus can be rewritten into:

P = closure(P)

=P_safe

∩ P ∪

(2^AP)^ω\closure(P)

=P_live

By definition, Psafe = closure(P) is a safety property. It remains to prove that Plive = P ∪

(2^AP)^ω\closure(P)

is a liveness property. By definition,Plive is a liveness property whenever pref(P_live) = (2^AP)^∗. This is equivalent to closure(P_live) = (2^AP)^ω. As for any

Liveness Properties 125 LT property P, closure(P) ⊆ (2^AP)^ω holds true, it suffices to showing that (2^AP)^ω ⊆ closure(Plive). This goes as follows:

closure(P_live) = closure

P ∪ ((2^AP)^ω\closure(P))

Lemma 3.36

= closure(P) ∪ closure

(2^AP)^ω\closure(P)

⊇ closure(P) ∪

(2^AP)^ω\closure(P)

= (2^AP)^ω

where in the one-but-last step in the derivation, we exploit the fact thatclosure(P)⊇P for all LT properties P.

The proof of Theorem 3.37 shows that Psafe = closure(P) is a safety property and Plive = P ∪ ((2^AP)^ω \closure(P)) a liveness property with P = Psafe ∩Plive. In fact, this decomposition is the ”sharpest” one for P sincePsafe is thestrongest safety property and Plive theweakest liveness property that can serve for a decomposition of P:

Lemma 3.38. Sharpest Decomposition

Let P be an LT property and P =Psafe ∩ Plive where Psafe is a safety property and Plive

a liveness property. We then have 1. closure(P) ⊆ Psafe,

2. Plive ⊆ P ∪ ((2^AP)^ω\closure(P)).

Proof: See Exercise 3.12, page 147.

A summary of the classification of LT properties is depicted as a Venn diagram in Fig- ure 3.11. The circle denotes the set of all LT properties over a given set of atomic propo- sitions.

Remark 3.39. Topological Characterizations of Safety and Liveness

Let us conclude this section with a remark for readers who are familiar with basic notions of topological spaces. The set (2^AP)^ωcan be equipped with the distance function given by d(σ1, σ2) = 1/2ⁿ if σ1, σ2 are two distinct infinite words σ1 =A1A2. . .and σ2=B1B2. . . and n is the length of the longest common prefix. Moreover, we put d(σ, σ) = 0. Then, d is a metric on (2^AP)^ω, and hence induces a topology on (2^AP)^ω. Under this topology,

liveness properties

neither liveness nor safety properties invariants

safety properties

safety and liveness property (2^AP)^ω

Figure 3.11: Classification of linear-time properties.

the safety properties are exactly the closed sets, while the liveness properties agree with the dense sets. In fact, closure(P) is the topological closure ofP, i.e., the smallest closed set that contains P. The result stated in Theorem 3.37 then follows from the well-known fact that any subset of a topological space (of the kind described above) can be written as the intersection of its closure and a dense set.