Reactive Safety


📝 Abstract

The distinction between safety and liveness properties is a fundamental classification with immediate implications on the feasibility and complexity of various monitoring, model checking, and synthesis problems. In this paper, we revisit the notion of safety for reactive systems, i.e., for systems whose behavior is characterized by the interplay of uncontrolled environment inputs and controlled system outputs. We show that reactive safety is a strictly larger class of properties than standard safety. We provide algorithms for checking if a property, given as a temporal formula or as a word or tree automaton, is a reactive safety property and for translating such properties into safety automata. Based on this construction, the standard verification and synthesis algorithms for safety properties immediately extend to the larger class of reactive safety.

📄 Content

Giovanna D’Agostino, Salvatore La Torre (Eds.): Proceedings of the Second International Symposium on “Games, Automata, Logics and Formal Verification” (GandALF 2011), EPTCS 54, 2011, pp. 178–191, doi:10.4204/EPTCS.54.13. © R. Ehlers & B. Finkbeiner. This work is licensed under the Creative Commons Attribution-No Derivative Works License.

Reactive Safety∗

Rüdiger Ehlers, Bernd Finkbeiner
Reactive Systems Group, Saarland University, 66123 Saarbrücken, Germany
{ehlers,finkbeiner}@cs.uni-saarland.de

∗ This work was supported by the German Research Foundation (DFG) within the program “Performance Guarantees for Computer Systems” and the Transregional Collaborative Research Center “Automatic Verification and Analysis of Complex Systems” (SFB/TR 14 AVACS).

1 Introduction

The question whether a certain specified property, given for example as a formula of a temporal logic, belongs to the class of safety properties is of universal interest in verification, synthesis, and monitoring. Typically, it is much easier to reason about safety properties than about general temporal properties. In deductive verification, safety properties are typically proven by induction on the transition relation, while liveness properties require a ranking function that maps the states into a well-founded domain. In model checking, checking a safety property corresponds to simple reachability, liveness to the more complicated nested reachability. In synthesis, deriving a system that satisfies a safety property involves solving safety/reachability games, which is simpler and typically more scalable than solving games with more general winning conditions such as Muller or parity. Perhaps most significantly, in runtime analysis, safety properties can be checked with a runtime monitor, while one can never conclusively determine that a liveness property has been violated after observing only a finite trace.

We will refer to the standard definition of safety [10, 1] as linear-time safety, because it is based on the linear-time semantics, where the system and the specification each define a set of infinite words over an alphabet of observations. A language $P$ of infinite words is a linear-time safety property iff for every word $w$ that violates $P$ (i.e., $w \notin P$), there exists a finite prefix $w'$ of $w$ such that $w'$ also violates $P$, i.e., for all infinite extensions $w''$ of $w'$ it holds that $w'' \notin P$.

In this paper, we show that the class of safety properties can be significantly extended if, rather than considering words over a single alphabet of observations, one explicitly distinguishes between the inputs and the outputs of a reactive system. We introduce our new notion of reactive safety by way of an example. Let us use linear-time temporal logic (LTL) to specify a simple coffee machine with two input bits $c$ (the coffee button) and $e$ (emergency shutdown), and two outputs $b$ (brewing coffee) and $f$ (emitting a failure signal). We specify that whenever the user presses the coffee button, brewing must eventually start or a failure must be signaled immediately. As an LTL formula, this property can be expressed as follows:¹

$\psi_1 = G(c \to X(f \vee F b))$. (1)

Additionally, we require that whenever the emergency shutdown button is pressed, brewing stops immediately (i.e., when the system gives the next output) and permanently:

$\psi_2 = G(e \to X G(\neg b))$. (2)

Clearly, $\psi_2$ is a linear-time safety property and $\psi_1 \wedge \psi_2$ is not, because there is no bound on the number of steps until the brewing starts after the coffee button was pressed. However, $\psi_1 \wedge \psi_2$ is a reactive safety property: we can transform $\psi_1 \wedge \psi_2$ into a linear-time safety property $\psi'_1 \wedge \psi_2$ that is equivalent in the sense that any system with input $2^{\{c,e\}}$ and output $2^{\{b,f\}}$ satisfies $\psi_1 \wedge \psi_2$ if and only if it satisfies $\psi'_1 \wedge \psi_2$. For $\psi'_1$, the safety formula $G(c \to X f)$ can be used. To see this, observe that $\psi_1$ specifies that whenever the coffee machine does not immediately respond to a coffee request with a failure message, it must eventually brew coffee regardless of the further circumstances. However, if the user presses the emergency shutdown button, the system cannot fulfill
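As an added illustration of the introduction's coffee-machine example (this is not code from the paper), the following Python checks both properties on constructed finite traces: the monitor for the linear-time safety formula ψ′₁ ∧ ψ₂ flags a coffee request that is not answered with f at the next step, whereas for ψ₁ ∧ ψ₂ the same prefix is not a bad prefix, because a later b could still satisfy F b unless the emergency button has been pressed. The trace encoding and the function names are assumptions made here.

```python
# Finite-trace checks for the coffee machine of the introduction (added example).
# A step is (inputs, outputs) with inputs ⊆ {c, e} and outputs ⊆ {b, f};
# the LTL operator X refers to the next step in the list.

def step(ins="", outs=""):
    """Build one trace step from strings of bit names, e.g. step("c", "f")."""
    return (frozenset(ins), frozenset(outs))

def reactive_safety_violation(trace):
    """Runtime monitor for psi1' ∧ psi2 = G(c → X f) ∧ G(e → X G ¬b).
    Returns the index of the step at which the finite prefix becomes bad,
    or None if the prefix has not violated the property so far."""
    need_f = False     # c was pressed at the previous step
    shutdown = False   # e was pressed at an earlier step
    for t, (ins, outs) in enumerate(trace):
        if need_f and "f" not in outs:
            return t   # G(c → X f) violated
        if shutdown and "b" in outs:
            return t   # G(e → X G ¬b) violated
        need_f = "c" in ins
        shutdown = shutdown or "e" in ins
    return None

def linear_time_bad_prefix(trace):
    """Bad-prefix check for psi1 ∧ psi2 = G(c → X(f ∨ F b)) ∧ G(e → X G ¬b):
    returns the first index at which every infinite extension of the prefix
    violates the property, or None if some extension could still satisfy it."""
    need_answer = False  # c was pressed at the previous step
    pending = False      # an open request: neither answered with f nor brewed yet
    shutdown = False     # e was pressed at an earlier step (b forbidden from now on)
    for t, (ins, outs) in enumerate(trace):
        if shutdown and "b" in outs:
            return t  # psi2 violated outright
        if "b" in outs:
            pending = False  # brewing discharges every open request
        elif need_answer and "f" not in outs:
            pending = True   # request neither refused nor brewed: F b still owed
        shutdown = shutdown or "e" in ins
        if pending and shutdown:
            return t  # b is forbidden forever, so F b can never be fulfilled
        need_answer = "c" in ins
    return None

if __name__ == "__main__":
    # Constructed trace: coffee requested, no failure signal, never shut down.
    no_answer = [step("c"), step(), step(), step()]
    print(reactive_safety_violation(no_answer))  # 1: reactive monitor flags it at once
    print(linear_time_bad_prefix(no_answer))     # None: a later b could still satisfy psi1
```

Extending the no_answer trace with a step that presses e turns it into a bad prefix for ψ₁ ∧ ψ₂ as well, which is exactly why a system that cannot rule out the shutdown must answer with f immediately.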
