Abstract
Safety and liveness are elementary concepts of computation, and the foundation of many verification paradigms. The safety-liveness classification of boolean properties characterizes whether a given property can be falsified by observing a finite prefix of an infinite computation trace (always for safety, never for liveness). In quantitative specification and verification, properties assign not truth values, but quantitative values to infinite traces (e.g., a cost, or the distance to a boolean property). We introduce quantitative safety and liveness, and we prove that our definitions induce conservative quantitative generalizations of both (1) the safety-progress hierarchy of boolean properties and (2) the safety-liveness decomposition of boolean properties. In particular, we show that every quantitative property can be written as the pointwise minimum of a quantitative safety property and a quantitative liveness property. Consequently, like boolean properties, also quantitative properties can be \(\min \)-decomposed into safety and liveness parts, or alternatively, \(\max \)-decomposed into co-safety and co-liveness parts. Moreover, quantitative properties can be approximated naturally. We prove that every quantitative property that has both safe and co-safe approximations can be monitored arbitrarily precisely by a monitor that uses only a finite number of states.
1 Introduction
Safety and liveness are elementary concepts in the semantics of computation [39]. They can be explained through the thought experiment of a ghost monitor—an imaginary device that watches an infinite computation trace at runtime, one observation at a time, and always maintains the set of possible prediction values to reflect the satisfaction of a given property. Let \(\varPhi \) be a boolean property, meaning that \(\varPhi \) divides all infinite traces into those that satisfy \(\varPhi \), and those that violate \(\varPhi \). After any finite number of observations, True is a possible prediction value for \(\varPhi \) if the observations seen so far are consistent with an infinite trace that satisfies \(\varPhi \), and False is a possible prediction value for \(\varPhi \) if the observations seen so far are consistent with an infinite trace that violates \(\varPhi \). When True is not a possible prediction value, the ghost monitor can reject the hypothesis that \(\varPhi \) is satisfied. The property \(\varPhi \) is safe if and only if the ghost monitor can always reject the hypothesis \(\varPhi \) after a finite number of observations: if the infinite trace that is being monitored violates \(\varPhi \), then after some finite number of observations, True is not a possible prediction value for \(\varPhi \). Orthogonally, the property \(\varPhi \) is live if and only if the ghost monitor can never reject the hypothesis \(\varPhi \) after a finite number of observations: for all infinite traces, after every finite number of observations, True remains a possible prediction value for \(\varPhi \).
The safety-liveness classification of properties is fundamental in verification. In the natural topology on infinite traces—the “Cantor topology”—the safety properties are the closed sets, and the liveness properties are the dense sets [4]. For every property \(\varPhi \), the location of \(\varPhi \) within the Borel hierarchy that is induced by the Cantor topology—the so-called “safety-progress hierarchy” [17]—indicates the level of difficulty encountered when verifying \(\varPhi \). On the first level, we find the safety and co-safety properties, the latter being the complements of safety properties, i.e., the properties whose falsehood (rather than truth) can always be rejected after a finite number of observations by the ghost monitor. More sophisticated verification techniques are needed for second-level properties, which are the countable boolean combinations of first-level properties—the so-called “response” and “persistence” properties [17]. Moreover, the orthogonality of safety and liveness leads to the following celebrated fact: every property can be written as the intersection of a safety property and a liveness property [4]. This means that every property \(\varPhi \) can be decomposed into two parts: a safety part—which is amenable to simple verification techniques, such as invariants—and a liveness part—which requires heavier verification paradigms, such as ranking functions. Dually, there is always a disjunctive decomposition of \(\varPhi \) into co-safety and co-liveness.
So far, we have retold the well-known story of safety and liveness for boolean properties. A boolean property \(\varPhi \) is formalized mathematically as the set of infinite computation traces that satisfy \(\varPhi \), or equivalently, the characteristic function that maps each infinite trace to a truth value. Quantitative generalizations of the boolean setting allow us to capture not only correctness properties, but also performance properties [31]. In this paper we reveal the story of safety and liveness for such quantitative properties, which are functions from infinite traces to an arbitrary set \(\mathbb {D}\) of values. In order to compare values, we equip the value domain \(\mathbb {D}\) with a partial order <, and we require \((\mathbb {D},<)\) to be a complete lattice. The membership problem [18] for an infinite trace f and a quantitative property \(\varPhi \) asks whether \(\varPhi (f)\ge v\) for a given threshold value \(v\in \mathbb {D}\). Correspondingly, in our thought experiment, the ghost monitor attempts to reject hypotheses of the form \(\varPhi (f)\ge v\), which cannot be rejected as long as all observations seen so far are consistent with an infinite trace f with \(\varPhi (f)\ge v\). We will define \(\varPhi \) to be a quantitative safety property if and only if every hypothesis of the form \(\varPhi (f)\ge v\) can always be rejected by the ghost monitor after a finite number of observations, and we will define \(\varPhi \) to be a quantitative liveness property if and only if some hypothesis of the form \(\varPhi (f)\ge v\) can never be rejected by the ghost monitor after any finite number of observations. We note that in the quantitative case, after every finite number of observations, the set of possible prediction values for \(\varPhi \) maintained by the ghost monitor may be finite or infinite, and in the latter case, it may not contain a minimal or maximal element.
Let us give a few examples. Suppose we have four observations: observation \(\texttt {rq}\) for “request a resource,” observation \(\texttt {gr}\) for “grant the resource,” observation \(\texttt {tk}\) for “clock tick,” and observation \(\texttt {oo}\) for “other.” The boolean property Resp requires that every occurrence of \(\texttt {rq}\) in an infinite trace is followed eventually by an occurrence of \(\texttt {gr}\). The boolean property NoDoubleReq requires that no occurrence of \(\texttt {rq}\) is followed by another \(\texttt {rq}\) without some \(\texttt {gr}\) in between. The quantitative property MinRespTime maps every infinite trace to the largest number k such that there are at least k occurrences of \(\texttt {tk}\) between each \(\texttt {rq}\) and the closest subsequent \(\texttt {gr}\). The quantitative property MaxRespTime maps every infinite trace to the smallest number k such that there are at most k occurrences of \(\texttt {tk}\) between each \(\texttt {rq}\) and the closest subsequent \(\texttt {gr}\). The quantitative property AvgRespTime maps every infinite trace to the lower limit value \(\liminf \) of the infinite sequence \((v_i)_{i \ge 1}\), where \(v_i\) is, for the first i occurrences of \(\texttt {tk}\), the average number of occurrences of \(\texttt {tk}\) between \(\texttt {rq}\) and the closest subsequent \(\texttt {gr}\). Note that the values of AvgRespTime can be \(\infty \) for some computations, including those for which the value of Resp is True. This highlights that boolean properties are not embedded in the limit behavior of quantitative properties.
The boolean property Resp is live because every finite observation sequence can be extended with an occurrence of \(\texttt {gr}\). In fact, Resp is a second-level liveness property (namely, a response property), because it can be written as a countable intersection of co-safety properties. The boolean property NoDoubleReq is safe because if it is violated, it will be rejected by the ghost monitor after a finite number of observations, namely, as soon as the ghost monitor sees a \(\texttt {rq}\) followed by another occurrence of \(\texttt {rq}\) without an intervening \(\texttt {gr}\). According to our quantitative generalization of safety, MinRespTime is a safety property. The ghost monitor always maintains the minimal number k of occurrences of \(\texttt {tk}\) between any past \(\texttt {rq}\) and the closest subsequent \(\texttt {gr}\) seen so far; the set of possible prediction values for MinRespTime is always \(\{0,1,\ldots ,k\}\). Every hypothesis of the form “the MinRespTime-value is at least v” is rejected by the ghost monitor as soon as \(k<v\); if such a hypothesis is violated, this will happen after some finite number of observations. Symmetrically, the quantitative property MaxRespTime is co-safe, because every wrong hypothesis of the form “the MaxRespTime-value is at most v” will be rejected by the ghost monitor as soon as the smallest possible prediction value for MaxRespTime, which is the maximal number of occurrences of \(\texttt {tk}\) between any past \(\texttt {rq}\) and the closest subsequent \(\texttt {gr}\) seen so far, goes above v. By contrast, the quantitative property AvgRespTime is both live and co-live because no hypothesis of the form “the AvgRespTime-value is at least v,” nor of the form “the AvgRespTime-value is at most v,” can ever be rejected by the ghost monitor after a finite number of observations. All non-negative real numbers and \(\infty \) always remain possible prediction values for AvgRespTime.
Note that a ghost monitor that attempts to reject hypotheses of the form \(\varPhi (f) \ge v\) does not need to maintain the entire set of possible prediction values, but only the \(\sup \) of the set of possible prediction values, and whether or not the \(\sup \) is contained in the set. Dually, updating \(\inf \) (and whether it is contained) suffices to reject hypotheses of the form \(\varPhi (f) \le v\).
By defining quantitative safety and liveness via ghost monitors, we not only obtain a conservative and quantitative generalization of the boolean story, but also open up attractive frontiers for quantitative semantics, monitoring, and verification. For example, while the approximation of boolean properties reduces to adding and removing traces to and from a set, the approximation of quantitative properties offers a rich landscape of possibilities. In fact, we can approximate the notion of safety itself. Given an error bound \(\alpha \), the quantitative property \(\varPhi \) is \(\alpha \)-safe if and only if for every value v and every infinite trace f whose value \(\varPhi (f)\) is less than v, all possible prediction values for \(\varPhi \) are less than \(v+\alpha \) after some finite prefix of f. This means that, for an \(\alpha \)-safe property \(\varPhi \), the ghost monitor may not reject wrong hypotheses of the form \(\varPhi (f)\ge v\) after a finite number of observations, once the violation is below the error bound. We show that every quantitative property that is both \(\alpha \)-safe and \(\beta \)-co-safe, for any finite \(\alpha \) and \(\beta \), can be monitored arbitrarily precisely by a monitor that uses only a finite number of states.
We are not the first to define quantitative (or multi-valued) definitions of safety and liveness [27, 41]. While the previously proposed quantitative generalizations of safety share strong similarities with our definition (without coinciding completely), our quantitative generalization of liveness is entirely new. The definitions of [27] do not support any safety-liveness decomposition, because their notion of safety is too permissive, and their liveness too restrictive. While the definitions of [41] admit a safety-liveness decomposition, our definition of liveness captures strictly fewer properties. Consequently, our definitions offer a stronger safety-liveness decomposition theorem. Our definitions also fit naturally with the definitions of emptiness, equivalence, and inclusion for quantitative languages [18].
Overview. In Section 2, we introduce quantitative properties. In Section 3, we define quantitative safety as well as safety closure, namely, the property that increases the value of each trace as little as possible to achieve safety. Then, we prove that our definitions preserve classical boolean facts. In particular, we show that a quantitative property \(\varPhi \) is safe if and only if \(\varPhi \) equals its safety closure if and only if \(\varPhi \) is upper semicontinuous. In Section 4, we generalize the safety-progress hierarchy to quantitative properties. We first define limit properties. For \(\ell \in \{\inf , \sup , \liminf , \limsup \}\), the class of \(\ell \)-properties captures those for which the value of each infinite trace can be derived by applying the limit function \(\ell \) to the infinite sequence of values of finite prefixes. We prove that \(\inf \)-properties coincide with safety, \(\sup \)-properties with co-safety, \(\liminf \)-properties are suprema of countably many safety properties, and \(\limsup \)-properties infima of countably many co-safety properties. The \(\liminf \)-properties generalize the boolean persistence properties of [17]; the \(\limsup \)-properties generalize their response properties. For example, AvgRespTime is a \(\liminf \)-property. In Section 5, we introduce quantitative liveness and co-liveness. We prove that our definitions preserve the classical boolean facts, and show that there is a unique property which is both safe and live. As our main result, we provide a safety-liveness decomposition that holds for every quantitative property. In Section 6, we define approximate safety and co-safety. We generalize the well-known unfolding approximation of discounted properties for approximate safety and co-safety properties over the extended reals. This allows us to provide a finite-state approximate monitor for these properties. In Section 7, we conclude with future research directions.
For complete proofs of all results, we refer the reader to the full version of the paper.
Related Work. The notions of safety and liveness for boolean properties appeared first in [39] and were later formalized in [4], where safety properties were characterized as closed sets of the Cantor topology on infinite traces, and liveness properties as dense sets. As a consequence, the seminal decomposition theorem followed: every boolean property is an intersection of a safety property and a liveness property. A benefit of such a decomposition lies in the difference between the mathematical arguments used in their verification. While safety properties enable simpler methods such as invariants, liveness properties require more complex approaches such as well-foundedness [5, 42]. These classes were characterized in terms of Büchi automata in [5] and in terms of linear temporal logic in [46].
The safety-progress classification of boolean properties [17] proposes an orthogonal view: rather than partitioning the set of properties, it provides a hierarchy of properties starting from safety. This yields a more fine-grained view of non-safety properties which distinguishes whether a “good thing” happens at least once (co-safety or “guarantee”), infinitely many times (response), or eventually always (persistence). This classification follows the Borel hierarchy that is induced by the Cantor topology on infinite traces, and has corresponding projections within properties that are definable by finite automata and by formulas of linear temporal logic.
Runtime verification, or monitoring, is a lightweight, dynamic verification technique [6], where a monitor watches a system during its execution and tries to decide, after each finite sequence of observations, whether the observed finite computation trace or its unknown infinite extension satisfies a desired property. The safety-liveness dichotomy has profound implications for runtime verification as well: safety is easy to monitor [28], while liveness is not. An early definition of boolean monitorability was equivalent to safety with recursively enumerable sets of bad prefixes [35]. The monitoring of infinite-state boolean safety properties was later studied in [26]. A more popular definition of boolean monitorability [8, 44] accounts for both truth and falsehood, establishing the set of monitorable properties as a strict superset of finite boolean combinations of safety and co-safety [23]. Boolean monitors that use the set of possible prediction values can be found in [7]. The notion of boolean monitorability was investigated through the safety-liveness lens in [43] and through the safety-progress lens in [23].
Quantitative properties (a.k.a. “quantitative languages”) [18] extend their boolean counterparts by moving from the two-valued truth domain to richer domains such as real numbers. Such properties have been extensively studied from a static verification perspective in the past decade, e.g., in the context of model-checking probabilistic properties [37, 38], games with quantitative objectives [10, 15], specifying quantitative properties [1, 11], measuring distances between systems [2, 16, 22, 29], best-effort synthesis and repair [9, 20], and quantitative analysis of transition systems [14, 19, 21, 47]. More recently, quantitative properties have also been studied from a runtime verification perspective, e.g., for limit monitoring of statistical indicators of infinite traces [25] and for analyzing resource-precision tradeoffs in the design of quantitative monitors [30, 33].
To the best of our knowledge, previous definitions of (approximate) safety and liveness in non-boolean domains make implicit assumptions about the specification language [24, 34, 45, 48]. We identify two notable exceptions. In [27], the authors generalize the framework of [43] to non-boolean value domains. They provide neither a safety-liveness decomposition of quantitative properties, nor a fine-grained classification of non-safety properties. In [41], the authors present a safety-liveness decomposition and some levels of the safety-progress hierarchy on multi-valued truth domains, which are bounded distributive lattices. Their motivation is to provide algorithms for model-checking properties on multi-valued truth domains. We present the relationships between their definitions and ours in the relevant sections below.
2 Quantitative Properties
Let \(\varSigma = \{a,b,\ldots \}\) be a finite alphabet of observations. A trace is an infinite sequence of observations, denoted by \(f,g,h \in \varSigma ^\omega \), and a finite trace is a finite sequence of observations, denoted by \(s,r,t \in \varSigma ^*\). Given \(s \in \varSigma ^*\) and \(w \in \varSigma ^* \cup \varSigma ^\omega \), we denote by \(s \prec w\) (resp. \(s \preceq w\)) that s is a strict (resp. non-strict) prefix of w. Furthermore, we denote by \(|w|\) the length of w and, given \(a \in \varSigma \), by \(|w|_a\) the number of occurrences of a in w.
A value domain \(\mathbb {D}\) is a poset. Unless otherwise stated, we assume that \(\mathbb {D}\) is a non-trivial (i.e., \(\bot \ne \top \)) complete lattice and, whenever appropriate, we write \(0, 1, -\infty , \infty \) instead of \(\bot \) and \(\top \) for the least and the greatest elements. We respectively use the terms minimum and maximum for the greatest lower bound and the least upper bound of finitely many elements.
Definition 1 (Property)
A quantitative property (or simply property) is a function \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\) from the set of all traces to a value domain.
A boolean property \(P \subseteq \varSigma ^\omega \) is defined as a set of traces. We use the boolean domain \(\mathbb {B}= \{0,1\}\) with \(0 < 1\) and, in place of P, its characteristic property \(\varPhi _P : \varSigma ^\omega \rightarrow \mathbb {B}\), which is defined by \(\varPhi _P(f) = 1\) if \(f \in P\), and \(\varPhi _P(f) = 0\) if \(f \notin P\).
For all properties \(\varPhi _1,\varPhi _2\) on a domain \(\mathbb {D}\) and all traces \(f \in \varSigma ^\omega \), we let \(\min (\varPhi _1,\varPhi _2)(f) = \min (\varPhi _1(f),\varPhi _2(f))\) and \(\max (\varPhi _1,\varPhi _2)(f) = \max (\varPhi _1(f),\varPhi _2(f))\). For a domain \(\mathbb {D}\), the inverse of \(\mathbb {D}\) is the domain \(\overline{\mathbb {D}}\) that contains the same elements as \(\mathbb {D}\) but with the ordering reversed. For a property \(\varPhi \), we define its complement \(\overline{\varPhi } : \varSigma ^\omega \rightarrow \overline{\mathbb {D}}\) by \(\overline{\varPhi }(f) = \varPhi (f)\) for all \(f \in \varSigma ^\omega \).
Some properties can be defined as limits of value sequences. A finitary property \(\pi :\varSigma ^* \rightarrow \mathbb {D}\) associates a value with each finite trace. A value function \(\ell :\mathbb {D}^\omega \rightarrow \mathbb {D}\) condenses an infinite sequence of values to a single value. Given a finitary property \(\pi \), a value function \(\ell \), and a trace \(f \in \varSigma ^\omega \), we write \(\ell _{s \prec f} \pi (s)\) instead of \(\ell (\pi (s_0)\pi (s_1)\ldots )\), where each \(s_i\) fulfills \(s_i \prec f\) and \(|s_i| = i\).
3 Quantitative Safety
Given a property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\), a trace \(f \in \varSigma ^\omega \), and a value \(v \in \mathbb {D}\), the quantitative membership problem [18] asks whether \(\varPhi (f) \ge v\). We define quantitative safety as follows: the property \(\varPhi \) is safe iff every wrong hypothesis of the form \(\varPhi (f) \ge v\) has a finite witness \(s \prec f\).
Definition 2 (Safety)
A property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\) is safe iff for every \(f \in \varSigma ^\omega \) and value \(v \in \mathbb {D}\) with \(\varPhi (f) \not \ge v\), there is a prefix \(s \prec f\) such that \(\sup _{g \in \varSigma ^\omega } \varPhi (sg) \not \ge v\).
Let us illustrate this definition with the minimal response-time property.
Example 3
Let \(\varSigma = \{\texttt {rq}, \texttt {gr}, \texttt {tk}, \texttt {oo}\}\) and \(\mathbb {D}= \mathbb {N}\cup \{\infty \}\). We define the minimal response-time property \(\varPhi _{\min }\) through an auxiliary finitary property \(\pi _{\min }\) that computes the minimum response time so far. In a finite or infinite trace, an occurrence of \(\texttt {rq}\) is granted if it is followed, later, by a \(\texttt {gr}\), and otherwise it is pending. Let \(\pi _{\text {last}}(s) = \infty \) if the finite trace s contains a pending \(\texttt {rq}\), or no \(\texttt {rq}\), and \(\pi _{\text {last}}(s) = |r|_\texttt {tk} - |t|_\texttt {tk}\) otherwise, where \(r \prec s\) is the longest prefix of s with a pending \(\texttt {rq}\), and \(t \prec r\) is the longest prefix of r without pending \(\texttt {rq}\). Intuitively, \(\pi _{\text {last}}\) provides the response time for the last request when all requests are granted, and \(\infty \) when there is a pending request or no request. Given \(s \in \varSigma ^*\), taking the minimum of the values of \(\pi _{\text {last}}\) over the prefixes \(r \preceq s\) gives us the minimum response time so far. Let \(\pi _{\min }(s) = \min _{r \preceq s} \pi _{\text {last}}(r)\) for all \(s \in \varSigma ^*\), and \(\varPhi _{\min }(f) = \lim _{s \prec f} \pi _{\min }(s)\) for all \(f\in \varSigma ^\omega \). The limit always exists because the minimum is monotonically decreasing.
The minimal response-time property is safe. Let \(f \in \varSigma ^\omega \) and \(v \in \mathbb {D}\) such that \(\varPhi _{\min }(f) < v\). Then, some prefix \(s \prec f\) contains a \(\texttt {rq}\) that is granted after \(u < v\) ticks, in which case, no matter what happens in the future, the minimal response time is guaranteed to be at most u; that is, \(\sup _{g \in \varSigma ^\omega } \varPhi _{\min }(sg) \le u < v\). If you recall from the introduction the ghost monitor that maintains the \(\sup \) of possible prediction values for the minimal response-time property, that value is always \(\pi _{\min }\); that is, \(\sup _{g \in \varSigma ^\omega } \varPhi _{\min }(sg) = \pi _{\min }(s)\) for all \(s\in \varSigma ^*\). Note that in the case of minimal response time, the \(\sup \) of possible prediction values is always realizable; that is, for all \(s\in \varSigma ^*\), there exists an \(f\in \varSigma ^{\omega }\) such that \(\sup _{g \in \varSigma ^\omega } \varPhi _{\min }(sg) = \varPhi _{\min }(sf)\). \(\square \)
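The following Python program is an added illustration of Example 3 and of the ghost-monitor argument above; it is not code from the paper. It implements \(\pi _{\text {last}}\) and \(\pi _{\min }\) on finite traces, a ghost monitor that maintains \(\sup _{g} \varPhi _{\min }(sg) = \pi _{\min }(s)\) incrementally, and the finite witness prefix of Definition 2. It assumes observations are the strings "rq", "gr", "tk", "oo", that \(\infty \) is float("inf"), and that an infinite trace is given as an ultimately periodic word prefix·cycle\(^\omega \) (an assumption made here so that \(\varPhi _{\min }\) can be evaluated exactly).

```python
"""Ghost monitor for the minimal response-time property Phi_min of Example 3.

Added illustration, not code from the paper.  Assumptions: observations are
the strings "rq", "gr", "tk", "oo"; the domain N ∪ {∞} is modelled with
Python ints and float("inf"); an infinite trace is represented as the
ultimately periodic word prefix·cycle^ω.
"""
from typing import List, Optional

INF = float("inf")
Trace = List[str]


def pi_last(s: Trace) -> float:
    """pi_last(s): ticks between the last request and its grant, i.e. |r|_tk - |t|_tk
    in the paper's notation; ∞ if s contains a pending request or no request at all."""
    pending = False   # is an ungranted rq open?
    ticks = 0         # ticks since the first rq of the open stretch
    seen_rq = False
    last = INF
    for obs in s:
        if obs == "rq":
            seen_rq = True
            if not pending:          # a repeated rq keeps the same stretch open
                pending, ticks = True, 0
        elif obs == "tk" and pending:
            ticks += 1
        elif obs == "gr" and pending:
            last, pending = ticks, False
    return INF if (pending or not seen_rq) else last


def pi_min(s: Trace) -> float:
    """pi_min(s) = min over all prefixes r ⪯ s of pi_last(r): minimum response time so far."""
    return min(pi_last(s[:i]) for i in range(len(s) + 1))


class GhostMonitor:
    """Keeps sup_g Phi_min(s g), which for this property equals pi_min(s), without
    recomputing over all prefixes: only a completed response time can lower it."""

    def __init__(self) -> None:
        self.pending = False
        self.ticks = 0
        self.sup = INF

    def observe(self, obs: str) -> float:
        if obs == "rq" and not self.pending:
            self.pending, self.ticks = True, 0
        elif obs == "tk" and self.pending:
            self.ticks += 1
        elif obs == "gr" and self.pending:
            self.sup = min(self.sup, self.ticks)
            self.pending = False
        return self.sup

    def rejects(self, v: float) -> bool:
        """Hypothesis 'Phi_min(f) ≥ v' is dismissed exactly when sup < v (Definition 2)."""
        return self.sup < v


def phi_min(prefix: Trace, cycle: Trace) -> float:
    """Phi_min(f) for f = prefix·cycle^ω.  After one full cycle the pending/tick state at
    the cycle boundary repeats, so every later cycle completes the same response times
    and pi_min has reached its limit after prefix + two cycles."""
    return pi_min(prefix + 2 * cycle)


def safety_witness(prefix: Trace, cycle: Trace, v: float) -> Optional[Trace]:
    """If Phi_min(f) < v, return the shortest prefix s ≺ f with sup_g Phi_min(s g) < v,
    i.e. the finite observation sequence after which the ghost monitor rejects v."""
    if not phi_min(prefix, cycle) < v:
        return None
    monitor, s = GhostMonitor(), []
    for obs in prefix + 2 * cycle:   # the limit value is attained within this window
        s.append(obs)
        if monitor.observe(obs) < v:
            return s
    return None                      # unreachable: the loop above always finds s
```

Running `safety_witness(["rq", "tk", "tk", "gr"], ["rq", "tk", "gr", "oo"], 2)` returns the prefix ending at the second grant, the point at which the monitor's supremum drops to 1; with threshold 1 the hypothesis is true and no witness exists. The realizability remark at the end of the example can be checked with the same functions: for any finite s, the continuation \(\texttt {tk}^\omega \) never completes a further request, so `phi_min(s, ["tk"])` equals `pi_min(s)`.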
Remark 4
Quantitative safety generalizes boolean safety. For every boolean property \(P \subseteq \varSigma ^\omega \), the following statements are equivalent: (i) P is safe according to the classical definition [4], (ii) its characteristic property \(\varPhi _P\) is safe, and (iii) for every \(f \in \varSigma ^\omega \) and \(v \in \mathbb {B}\) with \(\varPhi _P(f) < v\), there exists a prefix \(s \prec f\) such that for all \(g \in \varSigma ^\omega \), we have \(\varPhi _P(sg) < v\).
We now generalize the notion of safety closure and present an operation that makes a property safe by increasing the value of each trace as little as possible.
Definition 5 (Safety closure)
The safety closure of a property \(\varPhi \) is the property \(\varPhi ^*\) defined by \(\varPhi ^*(f) = \inf _{s \prec f} \sup _{g \in \varSigma ^\omega } \varPhi (sg)\) for all \(f\in \varSigma ^\omega \).
We can say the following about the safety closure operation.
Proposition 6
For every property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\), the following statements hold.
1. \(\varPhi ^*\) is safe.
2. \(\varPhi ^*(f) \ge \varPhi (f)\) for all \(f\in \varSigma ^\omega \).
3. \(\varPhi ^*(f) = {\varPhi ^*}^*(f)\) for all \(f\in \varSigma ^\omega \).
4. For every safety property \(\varPsi : \varSigma ^\omega \rightarrow \mathbb {D}\), if \(\varPhi (f) \le \varPsi (f)\) for all \(f\in \varSigma ^\omega \), then \(\varPsi (g) \not < \varPhi ^*(g)\) for all \(g\in \varSigma ^\omega \).
3.1 Alternative Characterizations of Quantitative Safety
Consider a trace and its prefixes of increasing length. For a given property, the ghost monitor from the introduction maintains, for each prefix, the \(\sup \) of possible prediction values, i.e., the least upper bound of the property values for all possible infinite continuations. The resulting sequence of monotonically decreasing suprema provides an upper bound on the eventual property value. Moreover, for some properties, this sequence always converges to the property value. If this is the case, then the ghost monitor can always dismiss wrong lower-bound hypotheses after finite prefixes, and vice versa. This gives us an alternative definition for the safety of quantitative properties which, inspired by the notion of Scott continuity, was called continuity [33]. We now believe that upper semicontinuity is a more appropriate term, as becomes clear when we consider the Cantor topology on \(\varSigma ^\omega \) and the value domain \(\mathbb {R}\cup \{-\infty , +\infty \}\).
Definition 7
(Upper semicontinuity [33]). A property \(\varPhi \) is upper semicontinuous iff \(\varPhi (f) = \lim _{s \prec f} \sup _{g \in \varSigma ^\omega } \varPhi (sg)\) for all \(f \in \varSigma ^\omega \).
We note that the minimal response-time property is upper semicontinuous.
Example 8
Recall the minimal response-time property \(\varPhi _{\min }\) from Example 3. For every trace \(f\in \varSigma ^\omega \), the \(\varPhi _{\min }\) value is the limit of the \(\pi _{\min }\) values for the prefixes of f. Therefore, \(\varPhi _{\min }\) is upper semicontinuous. \(\square \)
In general, a property is safe iff it maps every trace to the limit of the suprema of possible prediction values. Moreover, we can also characterize safety properties as the properties that are equal to their safety closure.
Theorem 9
For every property \(\varPhi \), the following statements are equivalent:
1. \(\varPhi \) is safe.
2. \(\varPhi \) is upper semicontinuous.
3. \(\varPhi (f) = \varPhi ^*(f)\) for all \(f \in \varSigma ^\omega \).
3.2 Related Definitions of Quantitative Safety
In [41], the authors consider the model-checking problem for properties on multi-valued truth domains. They introduce the notion of multi-safety through a closure operation that coincides with our safety closure. Formally, a property \(\varPhi \) is multi-safe iff \(\varPhi (f) = \varPhi ^*(f)\) for every \(f \in \varSigma ^\omega \). It is easy to see the following.
Proposition 10
For every property \(\varPhi \), we have \(\varPhi \) is multi-safe iff \(\varPhi \) is safe.
Although the two definitions of safety are equivalent, our definition is consistent with the membership problem for quantitative automata and motivated by the monitoring of quantitative properties.
In [27], the authors extend a refinement of the safety-liveness classification for monitoring [43] to richer domains. They introduce the notion of verdict-safety through dismissibility of values not less than or equal to the property value. Formally, a property \(\varPhi \) is verdict-safe iff for every \(f \in \varSigma ^\omega \) and \(v \not \le \varPhi (f)\), there exists a prefix \(s \prec f\) such that for all \(g \in \varSigma ^\omega \), we have \(\varPhi (sg) \ne v\).
We demonstrate that verdict-safety is weaker than safety. Moreover, we provide a condition under which the two definitions coincide. To achieve this, we reason about sets of possible prediction values: for a property \(\varPhi \) and \(s \in \varSigma ^*\), let \(P_{\varPhi ,s} = \{\varPhi (sf) \mid f \in \varSigma ^\omega \}\).
Lemma 11
A property \(\varPhi \) is verdict-safe iff \(\varPhi (f) = \sup (\lim _{s \prec f} P_{\varPhi ,s})\) for all \(f \in \varSigma ^\omega \).
Notice that \(\varPhi \) is safe iff \(\varPhi (f) = \lim _{s \prec f} (\sup P_{\varPhi ,s})\) for all \(f \in \varSigma ^\omega \). Below we describe a property that is verdict-safe but not safe.
Example 12
Let \(\varSigma = \{a,b\}\). Define \(\varPhi \) by \(\varPhi (f) = 0\) if \(f = a^\omega \), and \(\varPhi (f) = |s|\) otherwise, where \(s \prec f\) is the shortest prefix in which b occurs. The property \(\varPhi \) is verdict-safe. First, observe that \(\mathbb {D}= \mathbb {N}\cup \{\infty \}\). Let \(f \in \varSigma ^\omega \) and \(v \in \mathbb {D}\) with \(v > \varPhi (f)\). If \(\varPhi (f) > 0\), then f contains b, and \(\varPhi (f) = |s|\) for some \(s \prec f\) in which b occurs for the first time. After the prefix s, all \(g \in \varSigma ^\omega \) yield \(\varPhi (sg) = |s|\), thus all values above \(|s|\) are rejected. If \(\varPhi (f) = 0\), then \(f = a^\omega \). Let \(v \in \mathbb {D}\) with \(v > 0\), and consider the prefix \(a^v \prec f\). Observe that the set of possible prediction values after reading \(a^v\) is \(\{0, v+1, v+2, \ldots \}\), therefore \(a^v\) allows the ghost monitor to reject the value v. However, \(\varPhi \) is not safe because, although \(\varPhi (a^\omega ) = 0\), for every \(s \prec a^\omega \), we have \(\sup _{g \in \varSigma ^\omega } \varPhi (sg) = \infty \). \(\square \)
The separation is due to the fact that, for some finite traces, the \(\sup \) of possible prediction values cannot be realized by any future. Below, we present a condition that prevents such cases.
Definition 13 (Supremum closedness)
A property \(\varPhi \) is \(\sup \)-closed iff for every \(s \in \varSigma ^*\) we have \(\sup P_{\varPhi , s} \in P_{\varPhi , s}\).
We remark that the minimal responsetime property is \(\sup \)closed.
Example 14
The safety property minimal responsetime \(\varPhi _{\min }\) from Example 3 is \(\sup \)closed. This is because, for every \(s \in \varSigma ^*\), the continuation \(\texttt {gr}^\omega \) realizes the value \(\sup _{g \in \varSigma ^\omega } \varPhi (sg)\). \(\square \)
Recall from the introduction the ghost monitor that maintains the \(\sup \) of possible prediction values. For monitoring \(\sup \)closed properties this suffices; otherwise the ghost monitor also needs to maintain whether or not the supremum of the possible prediction values is realizable by some future continuation. In general, we have the following for every \(\sup \)closed property.
Lemma 15
For every \(\sup \)-closed property \(\varPhi \) and for all \(f \in \varSigma ^\omega \), we have \(\lim _{s \prec f} (\sup P_{\varPhi , s}) = \sup (\lim _{s \prec f} P_{\varPhi ,s})\).
As a consequence of the lemmas above, we get the following.
Theorem 16
A \(\sup \)-closed property \(\varPhi \) is safe iff \(\varPhi \) is verdict-safe.
4 The Quantitative Safety-Progress Hierarchy
Our quantitative extension of safety closure allows us to build a Borel hierarchy, which is a quantitative extension of the boolean safety-progress hierarchy [17]. First, we show that safety properties are closed under pairwise \(\min \) and \(\max \).
Proposition 17
For every value domain \(\mathbb {D}\), the set of safety properties over \(\mathbb {D}\) is closed under \(\min \) and \(\max \).
The boolean safety-progress classification of properties is a Borel hierarchy built from the Cantor topology of traces. Safety and co-safety properties lie on the first level, respectively corresponding to the closed sets and open sets of the topology. The second level is obtained through countable unions and intersections of properties from the first level: persistence properties are countable unions of closed sets, while response properties are countable intersections of open sets. We generalize this construction to the quantitative setting.
In the boolean case, each property class is defined through an operation that takes a set \(S \subseteq \varSigma ^*\) of finite traces and produces a set \(P \subseteq \varSigma ^\omega \) of infinite traces. For example, to obtain a co-safety property from \(S \subseteq \varSigma ^*\), the corresponding operation yields \(S\varSigma ^\omega \). Similarly, we formalize each property class by a value function. For this, we define the notion of limit property.
Definition 18 (Limit property)
A property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\) is a limit property iff there exists a finitary property \(\pi : \varSigma ^* \rightarrow \mathbb {D}\) and a value function \(\ell : \mathbb {D}^\omega \rightarrow \mathbb {D}\) such that \(\varPhi (f) = \ell _{s \prec f} \pi (s)\) for all \(f \in \varSigma ^\omega \). We denote this by \(\varPhi = (\pi ,\ell )\), and write \(\varPhi (s)\) instead of \(\pi (s)\). In particular, if \(\varPhi = (\pi ,\ell )\), where \(\ell \in \{ \inf , \sup , \liminf , \limsup \}\), then \(\varPhi \) is an \(\ell \)-property.
To account for the value functions that construct the first two levels of the safety-progress hierarchy, we start our investigation with \(\inf \)- and \(\sup \)-properties and later focus on \(\liminf \)- and \(\limsup \)-properties [18].
4.1 Infimum and Supremum Properties
Let us start with an example by demonstrating that the minimal response-time property is an \(\inf \)-property.
Example 19
Recall the safety property \(\varPhi _{\min }\) of minimal response time from Example 3. We can equivalently define \(\varPhi _{\min }\) as a limit property by taking the finitary property \(\pi _{\text {last}}\) and the value function \(\inf \). As discussed in Example 3, the function \(\pi _{\text {last}}\) outputs the response time for the last request when all requests are granted, and \(\infty \) when there is a pending request or no request. Then \(\inf _{s \prec f} \pi _{\text {last}}(s) = \varPhi _{\min }(f)\) for all \(f \in \varSigma ^\omega \), and therefore \(\varPhi _{\min } = (\pi _{\text {last}}, \inf )\). \(\square \)
In fact, the safety properties coincide with the \(\inf \)-properties.
Theorem 20
A property \(\varPhi \) is safe iff \(\varPhi \) is an \(\inf \)-property.
Defining the minimal response-time property as a limit property, we observe the following relation between its behavior on finite traces and infinite traces.
Example 21
Consider the property \(\varPhi _{\min } = (\pi _{\text {last}}, \inf )\) from Example 19. Let \(f \in \varSigma ^\omega \) and \(v \in \mathbb {D}\). Observe that if the minimal response time of f is at least v, then the last response time for each prefix \(s \prec f\) is also at least v. Conversely, if the minimal response time of f is below v, then there is a prefix \(s \prec f\) for which the last response time is also below v. \(\square \)
In light of this observation, we provide another characterization of safety properties, explicitly relating the specified behavior of the limit property on finite and infinite traces.
Theorem 22
A property \(\varPhi :\varSigma ^\omega \rightarrow \mathbb {D}\) is safe iff \(\varPhi \) is a limit property such that for every \(f \in \varSigma ^\omega \) and value \(v \in \mathbb {D}\), we have \(\varPhi (f) \ge v\) iff \(\varPhi (s) \ge v\) for all \(s \prec f\).
Recall that a safety property allows rejecting wrong lower-bound hypotheses with a finite witness, by assigning a tight upper bound to each trace. We define co-safety properties symmetrically: a property \(\varPhi \) is co-safe iff every wrong hypothesis of the form \(\varPhi (f) \le v\) has a finite witness \(s \prec f\).
Definition 23 (Co-safety)
A property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\) is co-safe iff for every \(f\in \varSigma ^\omega \) and value \(v\in \mathbb {D}\) with \(\varPhi (f) \not \le v\), there exists a prefix \(s \prec f\) such that \(\inf _{g \in \varSigma ^\omega } \varPhi (sg) \not \le v\).
We note that our definition generalizes boolean co-safety, and thus a dual of Remark 4 holds also for co-safety. Moreover, we analogously define the notions of co-safety closure and lower semicontinuity.
Definition 24 (Co-safety closure)
The co-safety closure of a property \(\varPhi \) is the property \(\varPhi _*\) defined by \(\varPhi _*(f) = \sup _{s \prec f} \inf _{g \in \varSigma ^\omega } \varPhi (sg)\) for all \(f\in \varSigma ^\omega \).
Definition 25
(Lower semicontinuity [33]). A property \(\varPhi \) is lower semicontinuous iff \(\varPhi (f) = \lim _{s \prec f} \inf _{g \in \varSigma ^\omega } \varPhi (sg)\) for all \(f \in \varSigma ^\omega \).
Now, we define and investigate the maximal response-time property. In particular, we show that it is a \(\sup \)-property that is co-safe and lower semicontinuous.
Example 26
Let \(\varSigma = \{\texttt {rq}, \texttt {gr}, \texttt {tk}, \texttt {oo}\}\) and \(\mathbb {D}= \mathbb {N}\cup \{\infty \}\). We define the maximal response-time property \(\varPhi _{\max }\) through a finitary property that computes the current response time for each finite trace and the value function \(\sup \). In particular, for all \(s \in \varSigma ^*\), let \(\pi _{\text {curr}}(s) = |s|_{\texttt {tk}} - |r|_{\texttt {tk}}\), the number of \(\texttt {tk}\) observations in s minus the number in r, where \(r \preceq s\) is the longest prefix of s without pending \(\texttt {rq}\); then \(\varPhi _{\max } = (\pi _{\text {curr}},\sup )\). Note the contrast between \(\pi _{\text {curr}}\) and \(\pi _{\text {last}}\) from Example 3. While \(\pi _{\text {curr}}\) takes an optimistic view of the future and assumes the \(\texttt {gr}\) will follow immediately, \(\pi _{\text {last}}\) takes a pessimistic view and assumes the \(\texttt {gr}\) will never follow. Let \(f \in \varSigma ^\omega \) and \(v \in \mathbb {D}\). If the maximal response time of f is greater than v, then for some prefix \(s \prec f\) the current response time is greater than v also, which means that, no matter what happens in the future, the maximal response time is greater than v after observing s. Therefore, \(\varPhi _{\max }\) is co-safe. By a similar reasoning, the sequence of greatest lower bounds of possible prediction values over the prefixes converges to the property value. In other words, we have \(\lim _{s \prec f} \inf _{g \in \varSigma ^\omega } \varPhi _{\max }(sg) = \varPhi _{\max }(f)\) for all \(f \in \varSigma ^\omega \). Thus \(\varPhi _{\max }\) is also lower semicontinuous, and it equals its co-safety closure. Now, consider the complementary property \(\overline{\varPhi _{\max }}\), which maps every trace to the same value as \(\varPhi _{\max }\) on a domain where the order is reversed. It is easy to see that \(\overline{\varPhi _{\max }}\) is safe.
Finally, recall the ghost monitor from the introduction, which maintains the infimum of possible prediction values for the maximal response-time property. Since the maximal response-time property is \(\inf \)-closed (the dual of Definition 13), the output of the ghost monitor after every prefix is realizable by some future continuation, and that output is \(\pi _{\max }(s) = \max _{r \preceq s} \pi _{\text {curr}}(r)\) for all \(s \in \varSigma ^*\). \(\square \)
Generalizing the observations in the example above, we obtain the following characterizations due to the duality between safety and co-safety.
Theorem 27
For every property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\), the following are equivalent.

1.
\(\varPhi \) is co-safe.

2.
\(\varPhi \) is lower semicontinuous.

3.
\(\varPhi (f) = \varPhi _*(f)\) for every \(f \in \varSigma ^\omega \).

4.
\(\varPhi \) is a \(\sup \)-property.

5.
\(\varPhi \) is a limit property such that for every \(f \in \varSigma ^\omega \) and value \(v \in \mathbb {D}\), we have \(\varPhi (f) \le v\) iff \(\varPhi (s) \le v\) for all \(s \prec f\).

6.
\(\overline{\varPhi }\) is safe.
4.2 Limit Inferior and Limit Superior Properties
Let us start with an observation on the minimal response-time property.
Example 28
Recall once again the minimal response-time property \(\varPhi _{\min }\) from Example 3. In the previous subsection, we presented an alternative definition of \(\varPhi _{\min }\) to establish that it is an \(\inf \)-property. Observe that there is yet another equivalent definition of \(\varPhi _{\min }\) which takes the monotonically decreasing finitary property \(\pi _{\min }\) from Example 3 and pairs it with either the value function \(\liminf \), or with \(\limsup \). Hence \(\varPhi _{\min }\) is both a \(\liminf \)- and a \(\limsup \)-property. \(\square \)
Before moving on to investigating \(\liminf \)- and \(\limsup \)-properties more closely, we show that the above observation can be generalized.
Theorem 29
Every \(\ell \)-property \(\varPhi \), for \(\ell \in \{\inf , \sup \}\), is both a \(\liminf \)- and a \(\limsup \)-property.
An interesting response-time property beyond safety and co-safety arises when we remove extreme values: instead of minimal response time, consider the property that maps every trace to a value that bounds from below, not all response times, but all of them from a point onward (i.e., all but finitely many). We call this property tail-minimal response time.
Example 30
Let \(\varSigma = \{\texttt {rq},\texttt {gr},\texttt {tk},\texttt {oo}\}\) and \(\pi _{\text {last}}\) be the finitary property from Example 3 that computes the last response time. We define the tail-minimal response-time property as \(\varPhi _{\text {tmin}} = (\pi _{\text {last}},\liminf )\). Intuitively, it maps each trace to the least response time over all but finitely many requests. This property is interesting as a performance measure, because it focuses on the long-term performance by ignoring finitely many outliers. Consider \(f \in \varSigma ^\omega \) and \(v \in \mathbb {D}\). Observe that, if the tail-minimal response time of f is at least v, then there is a prefix \(s \prec f\) such that for all longer prefixes \(s \preceq r \prec f\), the last response time in r is at least v, and vice versa. \(\square \)
Similarly as for \(\inf \)-properties, we characterize \(\liminf \)-properties through a relation between property behaviors on finite and infinite traces.
Theorem 31
A property \(\varPhi :\varSigma ^\omega \rightarrow \mathbb {D}\) is a \(\liminf \)-property iff \(\varPhi \) is a limit property such that for every \(f \in \varSigma ^\omega \) and value \(v \in \mathbb {D}\), we have \(\varPhi (f) \ge v\) iff there exists \(s \prec f\) such that for all \(s \preceq r \prec f\), we have \(\varPhi (r) \ge v\).
Now, we show that the tail-minimal response-time property can be expressed as a countable supremum of \(\inf \)-properties.
Example 32
Let \(i \in \mathbb {N}\) and define \(\pi _{i,\text {last}}\) as a finitary property that imitates \(\pi _{\text {last}}\) from Example 3, but ignores the first i observations of every finite trace. Formally, for \(s \in \varSigma ^*\), we define \(\pi _{i,\text {last}}(s) = \pi _{\text {last}}(r)\) for \(s = s_i r\) where \(s_i \preceq s\) with \(|s_i| = i\), and \(r \in \varSigma ^*\). Observe that an equivalent way to define \(\varPhi _{\text {tmin}}\) from Example 30 is \(\varPhi _{\text {tmin}}(f) = \sup _{i \in \mathbb {N}} (\inf _{s \prec f} \pi _{i,\text {last}}(s))\) for all \(f \in \varSigma ^\omega \). Intuitively, for each \(i \in \mathbb {N}\), we obtain an \(\inf \)-property that computes the minimal response time of the suffix of a given trace that starts after position i. Taking the supremum over these, we obtain the greatest lower bound on all but finitely many response times. \(\square \)
We generalize this observation and show that every \(\liminf \)-property is a countable supremum of \(\inf \)-properties.
Theorem 33
Every \(\liminf \)-property is a countable supremum of \(\inf \)-properties.
We would also like to have the converse of Theorem 33, i.e., that every countable supremum of \(\inf \)-properties is a \(\liminf \)-property. Currently, we are able to show only the following.
Theorem 34
For every infinite sequence \((\varPhi _i)_{i \in \mathbb {N}}\) of \(\inf \)-properties, there is a \(\liminf \)-property \(\varPhi \) such that \(\sup _{i \in \mathbb {N}} \varPhi _i(f) \le \varPhi (f)\) for all \(f \in \varSigma ^\omega \).
We conjecture that some \(\liminf \)-property that satisfies Theorem 34 is also a lower bound on the countable supremum that occurs in the theorem. This, together with Theorem 34, would imply the converse of Theorem 33. Proving the converse of Theorem 33 would give us, thanks to the following duality, that the \(\liminf \)- and \(\limsup \)-properties characterize the second level of the Borel hierarchy of the topology induced by the safety closure operator.
Proposition 35
A property \(\varPhi \) is a \(\liminf \)-property iff its complement \(\overline{\varPhi }\) is a \(\limsup \)-property.
5 Quantitative Liveness
Similarly as for safety, we take the perspective of the quantitative membership problem to define liveness: a property \(\varPhi \) is live iff, whenever a property value is less than \(\top \), there exists a value v for which the wrong hypothesis \(\varPhi (f) \ge v\) can never be dismissed by any finite witness \(s \prec f\).
Definition 36 (Liveness)
A property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\) is live iff for all \(f \in \varSigma ^\omega \), if \(\varPhi (f) < \top \), then there exists a value \(v \in \mathbb {D}\) such that \(\varPhi (f) \not \ge v\) and for all prefixes \(s \prec f\), we have \(\sup _{g \in \varSigma ^\omega } \varPhi (sg) \ge v\).
An equivalent definition can be given through the safety closure.
Theorem 37
A property \(\varPhi \) is live iff \(\varPhi ^*(f) > \varPhi (f)\) for every \(f \in \varSigma ^\omega \) with \(\varPhi (f) < \top \).
Our definition generalizes boolean liveness. A boolean property \(P \subseteq \varSigma ^\omega \) is live according to the classical definition [4] iff its characteristic property \(\varPhi _P\) is live according to our definition. Moreover, the intersection of safety and liveness contains only the single degenerate property that always outputs \(\top \).
Proposition 38
A property \(\varPhi \) is safe and live iff \(\varPhi (f) = \top \) for all \(f \in \varSigma ^\omega \).
We define co-liveness symmetrically, and note that the duals of the observations above also hold for co-liveness.
Definition 39 (Co-liveness)
A property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\) is co-live iff for all \(f \in \varSigma ^\omega \), if \(\varPhi (f) > \bot \), then there exists a value \(v \in \mathbb {D}\) such that \(\varPhi (f) \not \le v\) and for all prefixes \(s \prec f\), we have \(\inf _{g \in \varSigma ^\omega } \varPhi (sg) \le v\).
Next, we present some examples of liveness and co-liveness properties. We start by showing that \(\liminf \)- and \(\limsup \)-properties can be live and co-live.
Example 40
Let \(\varSigma = \{a,b\}\) be an alphabet, and let \(P = \square \lozenge a\) and \(Q = \lozenge \square b\) be boolean properties defined in linear temporal logic. Consider their characteristic properties \(\varPhi _P\) and \(\varPhi _Q\). As we pointed out earlier, our definitions generalize their boolean counterparts, therefore \(\varPhi _P\) and \(\varPhi _Q\) are both live and co-live. Moreover, \(\varPhi _P\) is a \(\limsup \)-property: define \(\pi _P(s) = 1\) if \(s \in \varSigma ^* a\), and \(\pi _P(s) = 0\) otherwise, and observe that \(\varPhi _P(f) = \limsup _{s \prec f} \pi _P(s)\) for all \(f \in \varSigma ^\omega \). Similarly, \(\varPhi _Q\) is a \(\liminf \)-property. \(\square \)
Now, we show that the maximal response-time property is live, and the minimal response-time property is co-live.
Example 41
Recall the co-safety property \(\varPhi _{\max }\) of maximal response time from Example 26. Let \(f \in \varSigma ^\omega \) such that \(\varPhi _{\max }(f) < \infty \). We can extend every prefix \(s \prec f\) with \(g = \texttt {rq}\, \texttt {tk}^\omega \), which gives us \(\varPhi _{\max }(sg) = \infty > \varPhi _{\max }(f)\). Equivalently, for every such f, we have \(\varPhi _{\max }^*(f) = \infty > \varPhi _{\max }(f)\). Hence \(\varPhi _{\max }\) is live and, analogously, the safety property \(\varPhi _{\min }\) from Example 3 is co-live. \(\square \)
Finally, we show that the average response-time property is live and co-live.
Example 42
Let \(\varSigma = \{\texttt {rq}, \texttt {gr}, \texttt {tk}, \texttt {oo}\}\). For all \(s \in \varSigma ^*\), let \(p(s) = 1\) if there is no pending \(\texttt {rq}\) in s, and \(p(s) = 0\) otherwise. Define \(\pi _{\text {valid}}(s) = |\{r \preceq s \mid \exists t \in \varSigma ^* : r = t \, \texttt {rq}\wedge p(t) = 1\}|\) as the number of valid requests in s, and define \(\pi _{\text {time}}(s)\) as the number of \(\texttt {tk}\) observations that occur after a valid \(\texttt {rq}\) and before the matching \(\texttt {gr}\). Then, \(\varPhi _{\text {avg}} = (\pi _{\text {avg}}, \liminf )\), where \(\pi _{\text {avg}}(s) = \frac{\pi _{\text {time}}(s)}{\pi _{\text {valid}}(s)}\) for all \(s \in \varSigma ^*\) with \(\pi _{\text {valid}}(s) > 0\), and \(\pi _{\text {avg}}(s) = \infty \) otherwise. For example, \(\pi _{\text {avg}}(s) = \frac{3}{2}\) for \(s = \texttt {rq}\, \texttt {tk}\, \texttt {gr}\, \texttt {tk}\, \texttt {rq}\, \texttt {tk}\, \texttt {rq}\, \texttt {tk}\): the first and the second \(\texttt {rq}\) are valid, the third arrives while the second is still pending and is not, and the two valid requests have accumulated \(1 + 2 = 3\) ticks. Note that \(\varPhi _{\text {avg}}\) is a \(\liminf \)-property.
The property \(\varPhi _{\text {avg}}\) is defined on the value domain \([0,\infty ]\) and is both live and co-live. To see this, let \(f \in \varSigma ^\omega \) such that \(0< \varPhi _{\text {avg}}(f) < \infty \) and, for every prefix \(s \prec f\), consider \(g = \texttt {rq}\, \texttt {tk}^\omega \) and \(h = \texttt {gr}\, (\texttt {rq}\,\texttt {gr})^\omega \). Since sg has a pending request followed by infinitely many clock ticks, we have \(\varPhi _{\text {avg}}(s g) = \infty \). Similarly, since sh eventually has all new requests immediately granted, we get \(\varPhi _{\text {avg}}(s h) = 0\). \(\square \)
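The finitary properties of Examples 19, 26 and 42, evaluated prefix by prefix over a finite trace, as an added Python example that is not code from the paper. Besides \(\pi _{\text {last}}\), \(\pi _{\text {curr}}\) and \(\pi _{\text {avg}}\) it computes the two ghost-monitor summaries the text describes: \(\pi _{\min }(s) = \min _{r \preceq s} \pi _{\text {last}}(r)\), the supremum of the prediction values of \(\varPhi _{\min } = (\pi _{\text {last}}, \inf )\) after s, and \(\pi _{\max }(s) = \max _{r \preceq s} \pi _{\text {curr}}(r)\), the infimum of the prediction values of \(\varPhi _{\max } = (\pi _{\text {curr}}, \sup )\). The two `reject_*` functions are the ghost monitor's verdicts: for the safe \(\varPhi _{\min }\) the hypothesis \(\varPhi _{\min }(f) \ge v\) is rejected once \(\pi _{\min }(s) < v\), for the co-safe \(\varPhi _{\max }\) the hypothesis \(\varPhi _{\max }(f) \le v\) is rejected once \(\pi _{\max }(s) > v\). Function names are assumptions; the sample trace is the constructed one from Example 42.

```python
"""Response-time monitors over the alphabet {rq, gr, tk, oo}.

Added example, not code from the paper.  A rq while another rq is pending
is not a valid request and is ignored, a gr with nothing pending is ignored,
and oo never changes anything, following the conventions of Examples 3 and 42.
"""
from math import inf
from typing import Dict, List, Optional

Trace = List[str]   # observations are "rq", "gr", "tk" or "oo"


def scan(trace: Trace) -> List[Dict[str, float]]:
    """Return one row per non-empty prefix of `trace` holding the value of
    every finitary property after that prefix."""
    pending: Optional[int] = None   # ticks since the pending valid request
    last = inf                      # response time of the last granted request
    completed: List[int] = []       # response times of all granted requests
    n_valid = 0                     # valid requests (a rq with none pending)
    total_time = 0                  # ticks accumulated by valid requests
    pi_max = 0                      # running maximum of pi_curr
    rows: List[Dict[str, float]] = []
    for obs in trace:
        if obs == "rq" and pending is None:
            pending, n_valid = 0, n_valid + 1
        elif obs == "tk" and pending is not None:
            pending, total_time = pending + 1, total_time + 1
        elif obs == "gr" and pending is not None:
            last = pending
            completed.append(pending)
            pending = None
        pi_curr = pending if pending is not None else 0   # optimistic: gr now
        pi_max = max(pi_max, pi_curr)
        rows.append({
            # pessimistic: infinity while a request is pending or none was seen
            "pi_last": inf if pending is not None else last,
            "pi_curr": pi_curr,
            "pi_avg": total_time / n_valid if n_valid else inf,
            # sup of Phi_min over all continuations: never granting the pending
            # request leaves pi_last at infinity, so only granted ones count
            "pi_min": min(completed) if completed else inf,
            # inf of Phi_max over all continuations, realised by gr^omega
            "pi_max": pi_max,
        })
    return rows


def reject_lower_bound(trace: Trace, v: float) -> Optional[int]:
    """Safety of Phi_min: length of the shortest prefix after which the
    hypothesis Phi_min(f) >= v is rejected, or None if no prefix rejects it."""
    for i, row in enumerate(scan(trace), start=1):
        if row["pi_min"] < v:
            return i
    return None


def reject_upper_bound(trace: Trace, v: float) -> Optional[int]:
    """Co-safety of Phi_max: length of the shortest prefix after which the
    hypothesis Phi_max(f) <= v is rejected, or None if no prefix rejects it."""
    for i, row in enumerate(scan(trace), start=1):
        if row["pi_max"] > v:
            return i
    return None


# Constructed sample trace from Example 42; its pi_avg is 3/2.
SAMPLE: Trace = "rq tk gr tk rq tk rq tk".split()

if __name__ == "__main__":
    for i, row in enumerate(scan(SAMPLE), start=1):
        print(" ".join(SAMPLE[:i]).ljust(24), row)
    print("Phi_min >= 2 rejected after prefix", reject_lower_bound(SAMPLE, 2))
    print("Phi_max <= 1 rejected after prefix", reject_upper_bound(SAMPLE, 1))
```

On the sample trace the second request is still pending after the last tick, so \(\pi _{\text {last}}\) is \(\infty \) while \(\pi _{\text {curr}}\) is 2; the ghost monitor for \(\varPhi _{\min }\) rejects the bound 2 after the first \(\texttt {gr}\), and the one for \(\varPhi _{\max }\) rejects the bound 1 only when the pending request has waited two ticks.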
5.1 The Quantitative Safety-Liveness Decomposition
A celebrated theorem states that every boolean property can be expressed as an intersection of a safety property and a liveness property [4]. In this section, we prove the analogous result for the quantitative setting.
Example 43
Let \(\varSigma = \{\texttt {rq}, \texttt {gr}, \texttt {tk}, \texttt {oo}\}\). Recall the maximal response-time property \(\varPhi _{\max }\) from Example 26, and the average response-time property \(\varPhi _{\text {avg}}\) from Example 42. Let \(n > 0\) be an integer and define a new property \(\varPhi \) on the value domain \([0,n]\) (so that \(\top = n\)) by \(\varPhi (f) = \varPhi _{\text {avg}}(f)\) if \(\varPhi _{\max }(f) \le n\), and \(\varPhi (f) = 0\) otherwise. For the safety closure of \(\varPhi \), we have \(\varPhi ^*(f) = n\) if \(\varPhi _{\max }(f) \le n\), and \(\varPhi ^*(f) = 0\) otherwise. Now, we further define \(\varPsi (f) = \varPhi _{\text {avg}}(f)\) if \(\varPhi _{\max }(f) \le n\), and \(\varPsi (f) = n\) otherwise. Observe that \(\varPsi \) is live, because every prefix of a trace whose value is less than n can be extended to a greater value. Finally, note that for all \(f \in \varSigma ^\omega \), we can express \(\varPhi (f)\) as the pointwise minimum of \(\varPhi ^*(f)\) and \(\varPsi (f)\). Intuitively, the safety part \(\varPhi ^*\) of this decomposition checks whether the maximal response time stays below the permitted bound, and the liveness part \(\varPsi \) keeps track of the average response time as long as the bound is satisfied. \(\square \)
Following a similar construction, we show that a safety-liveness decomposition exists for every property.
Theorem 44
For every property \(\varPhi \), there exists a liveness property \(\varPsi \) such that \(\varPhi (f) = \min (\varPhi ^*(f), \varPsi (f))\) for all \(f \in \varSigma ^\omega \).
In particular, if the given property is safe or live, the decomposition is trivial.
Remark 45
Let \(\varPhi \) be a property. If \(\varPhi \) is safe (resp. live), then the safety (resp. liveness) part of the decomposition is \(\varPhi \) itself, and the liveness (resp. safety) part is the constant property that maps every trace to \(\top \).
For co-safety and co-liveness, the duals of Theorem 44 and Remark 45 hold. In particular, every property is the pointwise maximum of its co-safety closure and a co-liveness property.
5.2 Related Definitions of Quantitative Liveness
In [41], the authors define a property \(\varPhi \) as multi-live iff \(\varPhi ^*(f) > \bot \) for all \(f\in \varSigma ^\omega \). We show that our definition is more restrictive, resulting in fewer liveness properties while still allowing a safety-liveness decomposition.
Proposition 46
Every live property is multi-live, and the inclusion is strict.
We provide a separating example on a totally ordered domain below.
Example 47
Let \(\varSigma = \{a,b, c\}\), and consider the following property: \(\varPhi (f) = 0\) if \(f \models \square a\), and \(\varPhi (f) = 1\) if \(f \models \lozenge c\), and \(\varPhi (f) = 2\) otherwise (i.e., if \(f \,\models \, \lozenge b \wedge \square \lnot c\)). For all \(f\in \varSigma ^\omega \) and prefixes \(s\prec f\), we have \(\varPhi (s c^\omega ) = 1\). Thus \(\varPhi ^*(f) \ge 1 > \bot \), which implies that \(\varPhi \) is multi-live. However, \(\varPhi \) is not live. Indeed, for every \(f\in \varSigma ^\omega \) such that \(f \,\models \, \lozenge c\), we have \(\varPhi (f) = 1 < \top = 2\). Moreover, f admits some prefix s that contains an occurrence of c, thus satisfying \(\sup _{g \in \varSigma ^\omega } \varPhi (sg) = 1\), so the only candidate value \(v = 2\) is rejected after s. \(\square \)
In [27], the authors define a property \(\varPhi \) as verdict-live iff for every \(f \in \varSigma ^\omega \) and value \(v \not \le \varPhi (f)\), every prefix \(s \prec f\) satisfies \(\varPhi (sg) = v\) for some \(g \in \varSigma ^\omega \). We show that our definition is more liberal.
Proposition 48
Every verdict-live property is live, and the inclusion is strict.
We provide a separating example below, concluding that our definition is strictly more general even for totally ordered domains.
Example 49
Let \(\varSigma = \{a,b\}\), and consider the following property: \(\varPhi (f) = 0\) if \(f \not \models \lozenge b\), and \(\varPhi (f) = 1\) if \(f \models \lozenge (b \wedge \bigcirc \lozenge b)\), and \(\varPhi (f) = 2^{-|s|}\) otherwise, where \(s \prec f\) is the shortest prefix in which b occurs. Consider an arbitrary \(f \in \varSigma ^\omega \). If \(\varPhi (f) = 1\), then the liveness condition is vacuously satisfied. If \(\varPhi (f) = 0\), then \(f = a^\omega \), and every prefix \(s \prec f\) can be extended with \(g = ba^\omega \) or \(h = b^\omega \) to obtain \(\varPhi (s g) = 2^{-(|s|+1)}\) and \(\varPhi (s h) = 1\). If \(0< \varPhi (f) < 1\), then f satisfies \(\lozenge b\) but not \(\lozenge (b \wedge \bigcirc \lozenge b)\), and every prefix \(s \prec f\) can be extended with \(b^\omega \) to obtain \(\varPhi (s b^\omega ) = 1\). Hence \(\varPhi \) is live. However, \(\varPhi \) is not verdict-live. To see this, consider the trace \(f = a^k b a^\omega \) for some integer \(k \ge 1\) and note that \(\varPhi (f) = 2^{-(k+1)}\). Although all prefixes of f can be extended to reach the value 1, the value domain contains elements between \(\varPhi (f)\) and 1, namely the values \(2^{-m}\) for \(1 \le m \le k\). Each of these values can be rejected after reading a finite prefix of f, because for \(n \ge m\) it is not possible to extend \(a^n\) to reach the value \(2^{-m}\). \(\square \)
6 Approximate Monitoring through Approximate Safety
In this section, we consider properties on extended reals \(\mathbb {R}^{\pm \infty } = \mathbb {R}\cup \{-\infty , +\infty \}\). We denote by \(\mathbb {R}_{\ge 0}\) the set of non-negative real numbers.
Definition 50 (Approximate safety and co-safety)
Let \(\alpha \in \mathbb {R}_{\ge 0}\). A property \(\varPhi \) is \(\alpha \)-safe iff for every \(f \in \varSigma ^\omega \) and value \(v \in \mathbb {R}^{\pm \infty }\) with \(\varPhi (f) < v\), there exists a prefix \(s \prec f\) such that \(\sup _{g \in \varSigma ^\omega } \varPhi (sg) < v + \alpha \). Similarly, \(\varPhi \) is \(\alpha \)-co-safe iff for every \(f \in \varSigma ^\omega \) and \(v \in \mathbb {R}^{\pm \infty }\) with \(\varPhi (f) > v\), there exists \(s \prec f\) such that \(\inf _{g \in \varSigma ^\omega } \varPhi (sg) > v - \alpha \). When \(\varPhi \) is \(\alpha \)-safe (resp. \(\alpha \)-co-safe) for some \(\alpha \in \mathbb {R}_{\ge 0}\), we say that \(\varPhi \) is approximately safe (resp. approximately co-safe).
Approximate safety can be characterized through the following relation with the safety closure.
Proposition 51
For every error bound \(\alpha \in \mathbb {R}_{\ge 0}\), a property \(\varPhi \) is \(\alpha \)-safe iff \(\varPhi ^*(f) - \varPhi (f) \le \alpha \) for all \(f \in \varSigma ^\omega \).
An analogue of Proposition 51 holds for approximate co-safety and the co-safety closure. Moreover, approximate safety and approximate co-safety are dual notions that are connected by the complement operation, similarly to their precise counterparts (Theorem 27).
6.1 The Intersection of Approximate Safety and Co-safety
Recall the ghost monitor from the introduction. If, after a finite number of observations, all the possible prediction values are close enough, then we can simply freeze the current value and achieve a sufficiently small error. This happens for properties that are both approximately safe and approximately co-safe, generalizing the unfolding approximation of discounted properties [13].
Proposition 52
For every limit property \(\varPhi \) and all error bounds \(\alpha , \beta \in \mathbb {R}_{\ge 0}\), if \(\varPhi \) is \(\alpha \)-safe and \(\beta \)-co-safe, then the set \(\textstyle S_\delta = \{s \in \varSigma ^* \mid \sup _{r_1\in \varSigma ^*} \varPhi (sr_1) - \inf _{r_2\in \varSigma ^*} \varPhi (sr_2) \ge \delta \}\) is finite for all reals \(\delta > \alpha + \beta \).
Based on this proposition, we show that, for limit properties that are both approximately safe and approximately co-safe, the influence of the suffix on the property value is eventually negligible.
Theorem 53
For every limit property \(\varPhi \) such that \(\varPhi (f) \in \mathbb {R}\) for all \(f \in \varSigma ^\omega \), and for all error bounds \(\alpha , \beta \in \mathbb {R}_{\ge 0}\), if \(\varPhi \) is \(\alpha \)-safe and \(\beta \)-co-safe, then for every real \(\delta > \alpha + \beta \) and trace \(f \in \varSigma ^\omega \), there is a prefix \(s \prec f\) such that for all continuations \(w \in \varSigma ^* \cup \varSigma ^\omega \), we have \(|\varPhi (sw) - \varPhi (s)| < \delta \).
We illustrate this theorem with a discounted safety property.
Example 54
Let \(P \subseteq \varSigma ^\omega \) be a boolean safety property. We define the finitary property \(\pi _P : \varSigma ^* \rightarrow [0,1]\) as follows: \(\pi _P(s) = 1\) if \(sf \in P\) for some \(f \in \varSigma ^\omega \), and \(\pi _P(s) = 1 - 2^{-|r|}\) otherwise, where \(r \preceq s\) is the shortest prefix with \(rf \notin P\) for all \(f \in \varSigma ^\omega \). The limit property \(\varPhi = (\pi _P, \inf )\) is called discounted safety [3]. Because \(\varPhi \) is an \(\inf \)-property, it is safe by Theorem 20. Now consider the finitary property \(\pi _P'\) defined by \(\pi _P'(s) = 1 - 2^{-|s|}\) if \(sf \in P\) for some \(f \in \varSigma ^\omega \), and \(\pi _P'(s) = 1 - 2^{-|r|}\) otherwise, where \(r \preceq s\) is the shortest prefix with \(rf \notin P\) for all \(f \in \varSigma ^\omega \). Let \(\varPhi ' = (\pi _P', \sup )\), and note that \(\varPhi (f) = \varPhi '(f)\) for all \(f \in \varSigma ^\omega \). Hence \(\varPhi \) is also co-safe, because it is a \(\sup \)-property.
Let \(f \in \varSigma ^\omega \) and \(\delta > 0\). For every prefix \(s \prec f\), the set of possible prediction values is contained either in the range \([1 - 2^{-|s|}, 1]\) or in the singleton \(\{1 - 2^{-|r|}\}\), where \(r \preceq s\) is chosen as above. In the latter case, we have \(|\varPhi (sw) - \varPhi (s)| = 0 < \delta \) for all \(w \in \varSigma ^* \cup \varSigma ^\omega \). In the former case, since the range becomes smaller as the prefix grows, there is a prefix \(s' \prec f\) with \(2^{-|s'|} < \delta \), which yields \(|\varPhi (s'w) - \varPhi (s')| < \delta \) for all \(w \in \varSigma ^* \cup \varSigma ^\omega \). \(\square \)
6.2 Finite-State Approximate Monitoring
Monitors with finite state spaces are particularly desirable, because finite automata enjoy a plethora of closure and decidability properties. Here, we prove that properties that are both approximately safe and approximately co-safe can be monitored approximately by a finite-state monitor. First, we recall the notion of abstract quantitative monitor from [30].
A binary relation \({\sim }\) over \(\varSigma ^*\) is an equivalence relation iff it is reflexive, symmetric, and transitive. Such a relation is right-monotonic iff \(s_1 \sim s_2\) implies \(s_1 r \sim s_2 r\) for all \(s_1,s_2,r \in \varSigma ^*\). For an equivalence relation \({\sim }\) over \(\varSigma ^*\) and a finite trace \(s \in \varSigma ^*\), we write \([s]_{{\sim }}\) for the equivalence class of \({\sim }\) to which s belongs. When \({\sim }\) is clear from the context, we write [s] instead. We denote by \(\varSigma ^* / {\sim }\) the quotient of the relation \({\sim }\).
Definition 55
(Abstract monitor [30]). An abstract monitor \(\mathcal {M}= (\sim , \gamma )\) is a pair consisting of a right-monotonic equivalence relation \({\sim }\) on \(\varSigma ^*\) and a function \(\gamma :({\varSigma ^* / \sim }) \rightarrow \mathbb {R}^{\pm \infty }\). The monitor \(\mathcal {M}\) is finite-state iff the relation \(\sim \) has finitely many equivalence classes. Let \(\delta _{\text {fin}},\delta _{\lim } \in \mathbb {R}^{\pm \infty }\) be error bounds. We say that \(\mathcal {M}\) is a \((\delta _{\text {fin}},\delta _{\lim })\)-monitor for a given limit property \(\varPhi = (\pi , \ell )\) iff for all \(s \in \varSigma ^*\) and \(f \in \varSigma ^\omega \), we have \(|\pi (s) - \gamma ([s])| \le \delta _{\text {fin}}\) and \(|\ell _{s \prec f}(\pi (s)) - \ell _{s\prec f}(\gamma ([s]))| \le \delta _{\lim }\).
Building on Theorem 53, we identify a sufficient condition to guarantee the existence of an abstract monitor with finitely many equivalence classes.
Theorem 56
For every limit property \(\varPhi \) such that \(\varPhi (f) \in \mathbb {R}\) for all \(f \in \varSigma ^\omega \), and for all error bounds \(\alpha , \beta \in \mathbb {R}_{\ge 0}\), if \(\varPhi \) is \(\alpha \)-safe and \(\beta \)-co-safe, then for every real \(\delta > \alpha + \beta \), there exists a finite-state \((\delta ,\delta )\)-monitor for \(\varPhi \).
Due to Theorem 56, the discounted safety property of Example 54 has a finite-state monitor for every positive error bound. We remark that Theorem 56 is proved by a construction that generalizes the unfolding approach for the approximate determinization of discounted automata [12], which unfolds an automaton until the distance constraint is satisfied.
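The page states Theorem 56 and the proof of Example 54 but shows no monitor construction, so the following is an added worked example, not code from the paper: a finite-state \((\delta ,\delta )\)-monitor in the sense of Definition 55 for a discounted safety property. The concrete instance is my own assumption, since Example 54 itself is not reproduced above: alphabet \(\{a, b\}\), the boolean safety property "never observe b", and prefix value \(\pi (s) = 1\) if s is b-free and \(\pi (s) = 1 - 2^{-|r|}\) otherwise, where r is the longest b-free prefix of s. Because \(\pi \) is non-increasing along prefixes, the limit function \(\ell \) is the ordinary limit, and after a b-free prefix s the possible prediction values lie in \([1 - 2^{-|s|}, 1]\), matching the shape of the sets used in the proof above. For \(\delta = 2^{-n}\) the monitor keeps 2n+2 equivalence classes: "no b yet, longest b-free prefix of length k" and "b seen, longest b-free prefix of length k", with k capped at n. Capping is what makes the state space finite; it costs at most \(2^{-n} - 2^{-|r|} < \delta \) in both the finite-prefix and the limit verdict. The names `FiniteStateMonitor`, `worst_case_error`, `limit_values` and `check_right_monotonic` are mine.

```python
"""Finite-state approximate monitor for a discounted safety property.

Added example, not code from the paper.  Assumptions (my own, since
Example 54 itself is not reproduced above):
  * alphabet {"a", "b"}; the boolean safety property is "never observe b";
  * prefix value pi(s) = 1 if s contains no b, else 1 - 2**(-|r|) where r
    is the longest b-free prefix of s; pi is non-increasing along
    prefixes, so the limit value of an infinite trace is lim pi(s);
  * for the error bound delta = 2**(-n) the abstract monitor (~, gamma)
    of Definition 55 uses the classes G_k, G_{>=n}, B_k, B_{>=n}, k < n.
"""
from fractions import Fraction
from itertools import product
from typing import Tuple


def pi(s: str) -> Fraction:
    """Exact prefix value of the (assumed) discounted safety property."""
    if "b" not in s:
        return Fraction(1)
    r_len = s.index("b")  # length of the longest b-free prefix of s
    return 1 - Fraction(1, 2 ** r_len)


class FiniteStateMonitor:
    """Abstract monitor with 2n+2 equivalence classes.

    A class is a pair (status, k): "G" = no b seen yet, "B" = a b has
    been seen; k is the length of the longest b-free prefix, capped at n.
    The successor class depends only on (class, letter), so the induced
    relation on finite traces is right-monotonic by construction, and
    B classes are absorbing.
    """

    def __init__(self, n: int) -> None:
        self.n = n
        self.delta = Fraction(1, 2 ** n)
        self.state = ("G", 0)

    def step(self, letter: str) -> None:
        status, k = self.state
        if status == "B":
            return                      # violated traces never recover
        if letter == "b":
            self.state = ("B", k)       # remember the capped length of r
        else:
            self.state = ("G", min(k + 1, self.n))

    def gamma(self) -> Fraction:
        """Value gamma([s]) of the current equivalence class."""
        status, k = self.state
        return Fraction(1) if status == "G" else 1 - Fraction(1, 2 ** k)

    def run(self, s: str) -> Fraction:
        self.state = ("G", 0)
        for letter in s:
            self.step(letter)
        return self.gamma()


def count_classes(n: int) -> int:
    """Reachable equivalence classes: (n+1) G-classes plus (n+1) B-classes."""
    return 2 * n + 2


def _all_traces(max_len: int):
    return ["".join(p) for l in range(max_len + 1) for p in product("ab", repeat=l)]


def worst_case_error(n: int, max_len: int) -> Fraction:
    """Largest |pi(s) - gamma([s])| over all traces of length <= max_len.

    The verdict is exact whenever |r| <= n; otherwise the error is
    2**(-n) - 2**(-|r|), which stays strictly below delta = 2**(-n)."""
    m = FiniteStateMonitor(n)
    return max(abs(pi(s) - m.run(s)) for s in _all_traces(max_len))


def limit_values(n: int, k: int) -> Tuple[Fraction, Fraction]:
    """Limit value of Phi and of the monitor on the infinite trace a^k b a^omega.

    Both value sequences are eventually constant (B classes are absorbing),
    so both limits are already reached after the prefix a^k b."""
    s = "a" * k + "b"
    return pi(s), FiniteStateMonitor(n).run(s)


def check_right_monotonic(n: int, max_len: int) -> bool:
    """Brute-force the definition: s1 ~ s2 must imply s1 r ~ s2 r."""
    m = FiniteStateMonitor(n)

    def cls(s: str):
        m.run(s)
        return m.state

    traces = _all_traces(max_len)
    by_class = {}
    for s in traces:
        by_class.setdefault(cls(s), []).append(s)
    for rep, *others in by_class.values():
        for s in others:
            if any(cls(rep + r) != cls(s + r) for r in traces):
                return False
    return True


if __name__ == "__main__":
    n = 3
    print("classes:", count_classes(n), "delta:", FiniteStateMonitor(n).delta)
    print("worst finite-prefix error up to length 6:", worst_case_error(n, 6))
    print("limit values on a^5 b a^omega:", limit_values(n, 5))
    print("right-monotonic:", check_right_monotonic(n, 4))
```

With n = 3 the monitor has 8 classes and error bound 1/8; the trace a⁵ b a^ω has true value 31/32 while the monitor settles on 7/8, an error of 3/32 < 1/8, and no trace does worse. Shrinking \(\delta \) by one bit costs exactly two more classes, which is the parametric cost of monitorability the conclusion refers to.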
7 Conclusion
We presented a generalization of safety and liveness that lifts the safety-progress hierarchy to the quantitative setting of [18] while preserving major desirable features of the boolean setting, such as the safety-liveness decomposition.
Monitorability identifies a boundary separating properties that can be verified or falsified from a finite number of observations from those that cannot. Safety-liveness and co-safety-co-liveness decompositions allow us to separate, for an individual property, monitorable parts from non-monitorable parts. The larger the monitorable parts of the given property, the stronger the decomposition. We provided the strongest known safety-liveness decomposition, which consists of a pointwise minimum between a safe part defined by a quantitative safety closure, and a live part which corrects for the difference. We then defined approximate safety as the relaxation of safety by a parametric error bound. This further increases the monitorability of properties and offers monitorability at a parametric cost. In fact, we showed that every property that is both approximately safe and approximately co-safe can be monitored arbitrarily precisely by a finite-state monitor. A future direction is to extend our decomposition to approximate safety together with support for quantitative assumptions [32].
The literature contains efficient model-checking procedures that leverage the boolean safety hypothesis [36, 40]. We thus expect that quantitative safety and co-safety, and their approximations, likewise enable efficient verification algorithms for quantitative properties.
References
de Alfaro, L., Faella, M., Henzinger, T.A., Majumdar, R., Stoelinga, M.: Model checking discounted temporal properties. Theor. Comput. Sci. 345(1), 139–170 (2005). https://doi.org/10.1016/j.tcs.2005.07.033
de Alfaro, L., Faella, M., Stoelinga, M.: Linear and branching metrics for quantitative transition systems. In: Díaz, J., Karhumäki, J., Lepistö, A., Sannella, D. (eds.) Automata, Languages and Programming: 31st International Colloquium, ICALP 2004, Turku, Finland, July 12-16, 2004. Proceedings. Lecture Notes in Computer Science, vol. 3142, pp. 97–109. Springer (2004). https://doi.org/10.1007/978-3-540-27836-8_11
de Alfaro, L., Henzinger, T.A., Majumdar, R.: Discounting the future in systems theory. In: Baeten, J.C.M., Lenstra, J.K., Parrow, J., Woeginger, G.J. (eds.) Automata, Languages and Programming, 30th International Colloquium, ICALP 2003, Eindhoven, The Netherlands, June 30 - July 4, 2003. Proceedings. Lecture Notes in Computer Science, vol. 2719, pp. 1022–1037. Springer (2003). https://doi.org/10.1007/3-540-45061-0_79
Alpern, B., Schneider, F.B.: Defining liveness. Inf. Process. Lett. 21(4), 181–185 (1985). https://doi.org/10.1016/0020-0190(85)90056-0
Alpern, B., Schneider, F.B.: Recognizing safety and liveness. Distributed Comput. 2(3), 117–126 (1987). https://doi.org/10.1007/BF01782772
Bartocci, E., Falcone, Y., Francalanza, A., Reger, G.: Introduction to runtime verification. In: Bartocci, E., Falcone, Y. (eds.) Lectures on Runtime Verification - Introductory and Advanced Topics, Lecture Notes in Computer Science, vol. 10457, pp. 1–33. Springer (2018). https://doi.org/10.1007/978-3-319-75632-5_1
Bauer, A., Leucker, M., Schallhart, C.: Comparing LTL semantics for runtime verification. J. Log. Comput. 20(3), 651–674 (2010). https://doi.org/10.1093/logcom/exn075
Bauer, A., Leucker, M., Schallhart, C.: Runtime verification for LTL and TLTL. ACM Trans. Softw. Eng. Methodol. 20(4), 14:1–14:64 (2011). https://doi.org/10.1145/2000799.2000800
Bloem, R., Chatterjee, K., Henzinger, T.A., Jobstmann, B.: Better quality in synthesis through quantitative objectives. In: Bouajjani, A., Maler, O. (eds.) Computer Aided Verification, 21st International Conference, CAV 2009, Grenoble, France, June 26 - July 2, 2009. Proceedings. Lecture Notes in Computer Science, vol. 5643, pp. 140–156. Springer (2009). https://doi.org/10.1007/978-3-642-02658-4_14
Bloem, R., Chatterjee, K., Jobstmann, B.: Graph games and reactive synthesis. In: Clarke, E.M., Henzinger, T.A., Veith, H., Bloem, R. (eds.) Handbook of Model Checking, pp. 921–962. Springer (2018). https://doi.org/10.1007/978-3-319-10575-8_27
Boker, U., Chatterjee, K., Henzinger, T.A., Kupferman, O.: Temporal specifications with accumulative values. ACM Trans. Comput. Log. 15(4), 27:1–27:25 (2014). https://doi.org/10.1145/2629686
Boker, U., Henzinger, T.A.: Approximate determinization of quantitative automata. In: D’Souza, D., Kavitha, T., Radhakrishnan, J. (eds.) IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, FSTTCS 2012, December 15-17, 2012, Hyderabad, India. LIPIcs, vol. 18, pp. 362–373. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2012). https://doi.org/10.4230/LIPIcs.FSTTCS.2012.362
Boker, U., Henzinger, T.A.: Exact and approximate determinization of discounted-sum automata. Log. Methods Comput. Sci. 10(1) (2014). https://doi.org/10.2168/LMCS-10(1:10)2014
Bouyer, P., Fahrenberg, U., Larsen, K.G., Markey, N.: Quantitative analysis of real-time systems using priced timed automata. Commun. ACM 54(9), 78–87 (2011). https://doi.org/10.1145/1995376.1995396
Bouyer, P., Markey, N., Randour, M., Larsen, K.G., Laursen, S.: Average-energy games. Acta Informatica 55(2), 91–127 (2018). https://doi.org/10.1007/s00236-016-0274-1
Cerný, P., Henzinger, T.A., Radhakrishna, A.: Simulation distances. Theor. Comput. Sci. 413(1), 21–35 (2012). https://doi.org/10.1016/j.tcs.2011.08.002
Chang, E., Manna, Z., Pnueli, A.: The safety-progress classification. In: Bauer, F.L., Brauer, W., Schwichtenberg, H. (eds.) Logic and Algebra of Specification, pp. 143–202. Springer Berlin Heidelberg, Berlin, Heidelberg (1993). https://doi.org/10.1007/978-3-642-58041-3_5
Chatterjee, K., Doyen, L., Henzinger, T.A.: Quantitative languages. ACM Trans. Comput. Log. 11(4), 23:1–23:38 (2010). https://doi.org/10.1145/1805950.1805953
Chatterjee, K., Henzinger, T.A., Otop, J.: Nested weighted automata. ACM Trans. Comput. Log. 18(4), 31:1–31:44 (2017). https://doi.org/10.1145/3152769
D’Antoni, L., Samanta, R., Singh, R.: Qlose: Program repair with quantitative objectives. In: Chaudhuri, S., Farzan, A. (eds.) Computer Aided Verification - 28th International Conference, CAV 2016, Toronto, ON, Canada, July 17-23, 2016, Proceedings, Part II. Lecture Notes in Computer Science, vol. 9780, pp. 383–401. Springer (2016). https://doi.org/10.1007/978-3-319-41540-6_21
Fahrenberg, U., Legay, A.: Generalized quantitative analysis of metric transition systems. In: Shan, C. (ed.) Programming Languages and Systems - 11th Asian Symposium, APLAS 2013, Melbourne, VIC, Australia, December 9-11, 2013. Proceedings. Lecture Notes in Computer Science, vol. 8301, pp. 192–208. Springer (2013). https://doi.org/10.1007/978-3-319-03542-0_14
Fahrenberg, U., Legay, A.: The quantitative linear-time-branching-time spectrum. Theor. Comput. Sci. 538, 54–69 (2014). https://doi.org/10.1016/j.tcs.2013.07.030
Falcone, Y., Fernandez, J., Mounier, L.: What can you verify and enforce at runtime? Int. J. Softw. Tools Technol. Transf. 14(3), 349–382 (2012). https://doi.org/10.1007/s10009-011-0196-8
Faran, R., Kupferman, O.: Spanning the spectrum from safety to liveness. Acta Informatica 55(8), 703–732 (2018). https://doi.org/10.1007/s00236-017-0307-4
Ferrère, T., Henzinger, T.A., Kragl, B.: Monitoring event frequencies. In: Fernández, M., Muscholl, A. (eds.) 28th EACSL Annual Conference on Computer Science Logic, CSL 2020, January 13-16, 2020, Barcelona, Spain. LIPIcs, vol. 152, pp. 20:1–20:16. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2020). https://doi.org/10.4230/LIPIcs.CSL.2020.20
Ferrère, T., Henzinger, T.A., Saraç, N.E.: A theory of register monitors. In: Dawar, A., Grädel, E. (eds.) Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2018, Oxford, UK, July 09-12, 2018. pp. 394–403. ACM (2018). https://doi.org/10.1145/3209108.3209194
Gorostiaga, F., Sánchez, C.: Monitorability of expressive verdicts. In: Deshmukh, J.V., Havelund, K., Perez, I. (eds.) NASA Formal Methods - 14th International Symposium, NFM 2022, Pasadena, CA, USA, May 24-27, 2022, Proceedings. Lecture Notes in Computer Science, vol. 13260, pp. 693–712. Springer (2022). https://doi.org/10.1007/978-3-031-06773-0_37
Havelund, K., Rosu, G.: Synthesizing monitors for safety properties. In: Katoen, J., Stevens, P. (eds.) Tools and Algorithms for the Construction and Analysis of Systems, 8th International Conference, TACAS 2002, Held as Part of the Joint European Conference on Theory and Practice of Software, ETAPS 2002, Grenoble, France, April 8-12, 2002, Proceedings. Lecture Notes in Computer Science, vol. 2280, pp. 342–356. Springer (2002). https://doi.org/10.1007/3-540-46002-0_24
Henzinger, T.A.: Quantitative reactive modeling and verification. Comput. Sci. Res. Dev. 28(4), 331–344 (2013). https://doi.org/10.1007/s00450-013-0251-7
Henzinger, T.A., Mazzocchi, N., Saraç, N.E.: Abstract monitors for quantitative specifications. In: Dang, T., Stolz, V. (eds.) Runtime Verification - 22nd International Conference, RV 2022, Tbilisi, Georgia, September 28-30, 2022, Proceedings. Lecture Notes in Computer Science, vol. 13498, pp. 200–220. Springer (2022). https://doi.org/10.1007/978-3-031-17196-3_11
Henzinger, T.A., Otop, J.: From model checking to model measuring. In: D’Argenio, P.R., Melgratti, H.C. (eds.) CONCUR 2013 - Concurrency Theory - 24th International Conference, CONCUR 2013, Buenos Aires, Argentina, August 27-30, 2013. Proceedings. Lecture Notes in Computer Science, vol. 8052, pp. 273–287. Springer (2013). https://doi.org/10.1007/978-3-642-40184-8_20
Henzinger, T.A., Saraç, N.E.: Monitorability under assumptions. In: Deshmukh, J., Nickovic, D. (eds.) Runtime Verification - 20th International Conference, RV 2020, Los Angeles, CA, USA, October 6-9, 2020, Proceedings. Lecture Notes in Computer Science, vol. 12399, pp. 3–18. Springer (2020). https://doi.org/10.1007/978-3-030-60508-7_1
Henzinger, T.A., Saraç, N.E.: Quantitative and approximate monitoring. In: 36th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2021, Rome, Italy, June 29 - July 2, 2021. pp. 1–14. IEEE (2021). https://doi.org/10.1109/LICS52264.2021.9470547
Katoen, J., Song, L., Zhang, L.: Probably safe or live. In: Henzinger, T.A., Miller, D. (eds.) Joint Meeting of the Twenty-Third EACSL Annual Conference on Computer Science Logic (CSL) and the Twenty-Ninth Annual ACM/IEEE Symposium on Logic in Computer Science (LICS), CSL-LICS ’14, Vienna, Austria, July 14-18, 2014. pp. 55:1–55:10. ACM (2014). https://doi.org/10.1145/2603088.2603147
Kim, M., Kannan, S., Lee, I., Sokolsky, O., Viswanathan, M.: Computational analysis of run-time monitoring - fundamentals of Java-MaC. In: Havelund, K., Rosu, G. (eds.) Runtime Verification 2002, RV 2002, FLoC Satellite Event, Copenhagen, Denmark, July 26, 2002. Electronic Notes in Theoretical Computer Science, vol. 70, pp. 80–94. Elsevier (2002). https://doi.org/10.1016/S1571-0661(04)80578-4
Kupferman, O., Vardi, M.Y.: Model checking of safety properties. Formal Methods Syst. Des. 19(3), 291–314 (2001). https://doi.org/10.1023/A:1011254632723
Kwiatkowska, M., Norman, G., Parker, D.: Probabilistic Model Checking: Advances and Applications, pp. 73–121. Springer International Publishing, Cham (2018). https://doi.org/10.1007/978-3-319-57685-5_3
Kwiatkowska, M.Z.: Quantitative verification: models, techniques and tools. In: Crnkovic, I., Bertolino, A. (eds.) Proceedings of the 6th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT International Symposium on Foundations of Software Engineering, 2007, Dubrovnik, Croatia, September 3-7, 2007. pp. 449–458. ACM (2007). https://doi.org/10.1145/1287624.1287688
Lamport, L.: Proving the correctness of multiprocess programs. IEEE Trans. Software Eng. 3(2), 125–143 (1977). https://doi.org/10.1109/TSE.1977.229904
Latvala, T.: Efficient model checking of safety properties. In: Ball, T., Rajamani, S.K. (eds.) Model Checking Software, 10th International SPIN Workshop. Portland, OR, USA, May 9-10, 2003, Proceedings. Lecture Notes in Computer Science, vol. 2648, pp. 74–88. Springer (2003). https://doi.org/10.1007/3-540-44829-2_5
Li, Y., Droste, M., Lei, L.: Model checking of linear-time properties in multi-valued systems. Inf. Sci. 377, 51–74 (2017). https://doi.org/10.1016/j.ins.2016.10.030
Manna, Z., Pnueli, A.: Adequate proof principles for invariance and liveness properties of concurrent programs. Sci. Comput. Program. 4(3), 257–289 (1984). https://doi.org/10.1016/0167-6423(84)90003-0
Peled, D., Havelund, K.: Refining the safety-liveness classification of temporal properties according to monitorability. In: Margaria, T., Graf, S., Larsen, K.G. (eds.) Models, Mindsets, Meta: The What, the How, and the Why Not? - Essays Dedicated to Bernhard Steffen on the Occasion of His 60th Birthday. Lecture Notes in Computer Science, vol. 11200, pp. 218–234. Springer (2018). https://doi.org/10.1007/978-3-030-22348-9_14
Pnueli, A., Zaks, A.: PSL model checking and runtime verification via testers. In: Misra, J., Nipkow, T., Sekerinski, E. (eds.) FM 2006: Formal Methods, 14th International Symposium on Formal Methods, Hamilton, Canada, August 21-27, 2006, Proceedings. Lecture Notes in Computer Science, vol. 4085, pp. 573–586. Springer (2006). https://doi.org/10.1007/11813040_38
Qian, J., Shi, F., Cai, Y., Pan, H.: Approximate safety properties in metric transition systems. IEEE Trans. Reliab. 71(1), 221–234 (2022). https://doi.org/10.1109/TR.2021.3139616
Sistla, A.P.: Safety, liveness and fairness in temporal logic. Formal Aspects Comput. 6(5), 495–512 (1994). https://doi.org/10.1007/BF01211865
Thrane, C.R., Fahrenberg, U., Larsen, K.G.: Quantitative analysis of weighted transition systems. J. Log. Algebraic Methods Program. 79(7), 689–703 (2010). https://doi.org/10.1016/j.jlap.2010.07.010
Weiner, S., Hasson, M., Kupferman, O., Pery, E., Shevach, Z.: Weighted safety. In: Hung, D.V., Ogawa, M. (eds.) Automated Technology for Verification and Analysis - 11th International Symposium, ATVA 2013, Hanoi, Vietnam, October 15-18, 2013. Proceedings. Lecture Notes in Computer Science, vol. 8172, pp. 133–147. Springer (2013). https://doi.org/10.1007/978-3-319-02444-8_11
Acknowledgments
We thank the anonymous reviewers for their helpful comments. This work was supported in part by the ERC-2020-AdG 101020093.
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2023 The Author(s)
Cite this paper
Henzinger, T.A., Mazzocchi, N., Saraç, N.E. (2023). Quantitative Safety and Liveness. In: Kupferman, O., Sobocinski, P. (eds) Foundations of Software Science and Computation Structures. FoSSaCS 2023. Lecture Notes in Computer Science, vol 13992. Springer, Cham. https://doi.org/10.1007/978-3-031-30829-1_17
DOI: https://doi.org/10.1007/978-3-031-30829-1_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30828-4
Online ISBN: 978-3-031-30829-1