Abstract
Safety and liveness are elementary concepts of computation, and the foundation of many verification paradigms. The safety-liveness classification of boolean properties characterizes whether a given property can be falsified by observing a finite prefix of an infinite computation trace (always for safety, never for liveness). In quantitative specification and verification, properties assign not truth values, but quantitative values to infinite traces (e.g., a cost, or the distance to a boolean property). We introduce quantitative safety and liveness, and we prove that our definitions induce conservative quantitative generalizations of both (1) the safety-progress hierarchy of boolean properties and (2) the safety-liveness decomposition of boolean properties. In particular, we show that every quantitative property can be written as the pointwise minimum of a quantitative safety property and a quantitative liveness property. Consequently, like boolean properties, also quantitative properties can be \(\min \)-decomposed into safety and liveness parts, or alternatively, \(\max \)-decomposed into co-safety and co-liveness parts. Moreover, quantitative properties can be approximated naturally. We prove that every quantitative property that has both safe and co-safe approximations can be monitored arbitrarily precisely by a monitor that uses only a finite number of states.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
1 Introduction
Safety and liveness are elementary concepts in the semantics of computation [39]. They can be explained through the thought experiment of a ghost monitor—an imaginary device that watches an infinite computation trace at runtime, one observation at a time, and always maintains the set of possible prediction values to reflect the satisfaction of a given property. Let \(\varPhi \) be a boolean property, meaning that \(\varPhi \) divides all infinite traces into those that satisfy \(\varPhi \), and those that violate \(\varPhi \). After any finite number of observations, True is a possible prediction value for \(\varPhi \) if the observations seen so far are consistent with an infinite trace that satisfies \(\varPhi \), and False is a possible prediction value for \(\varPhi \) if the observations seen so far are consistent with an infinite trace that violates \(\varPhi \). When True is no possible prediction value, the ghost monitor can reject the hypothesis that \(\varPhi \) is satisfied. The property \(\varPhi \) is safe if and only if the ghost monitor can always reject the hypothesis \(\varPhi \) after a finite number of observations: if the infinite trace that is being monitored violates \(\varPhi \), then after some finite number of observations, True is no possible prediction value for \(\varPhi \). Orthogonally, the property \(\varPhi \) is live if and only if the ghost monitor can never reject the hypothesis \(\varPhi \) after a finite number of observations: for all infinite traces, after every finite number of observations, True remains a possible prediction value for \(\varPhi \).
The safety-liveness classification of properties is fundamental in verification. In the natural topology on infinite traces—the “Cantor topology”—the safety properties are the closed sets, and the liveness properties are the dense sets [4]. For every property \(\varPhi \), the location of \(\varPhi \) within the Borel hierarchy that is induced by the Cantor topology—the so-called “safety-progress hierarchy” [17]—indicates the level of difficulty encountered when verifying \(\varPhi \). On the first level, we find the safety and co-safety properties, the latter being the complements of safety properties, i.e., the properties whose falsehood (rather than truth) can always be rejected after a finite number of observations by the ghost monitor. More sophisticated verification techniques are needed for second-level properties, which are the countable boolean combinations of first-level properties—the so-called “response” and “persistence” properties [17]. Moreover, the orthogonality of safety and liveness leads to the following celebrated fact: every property can be written as the intersection of a safety property and a liveness property [4]. This means that every property \(\varPhi \) can be decomposed into two parts: a safety part—which is amenable to simple verification techniques, such as invariants—and a liveness part—which requires heavier verification paradigms, such as ranking functions. Dually, there is always a disjunctive decomposition of \(\varPhi \) into co-safety and co-liveness.
So far, we have retold the well-known story of safety and liveness for boolean properties. A boolean property \(\varPhi \) is formalized mathematically as the set of infinite computation traces that satisfy \(\varPhi \), or equivalently, the characteristic function that maps each infinite trace to a truth value. Quantitative generalizations of the boolean setting allow us to capture not only correctness properties, but also performance properties [31]. In this paper we reveal the story of safety and liveness for such quantitative properties, which are functions from infinite traces to an arbitrary set \(\mathbb {D}\) of values. In order to compare values, we equip the value domain \(\mathbb {D}\) with a partial order <, and we require \((\mathbb {D},<)\) to be a complete lattice. The membership problem [18] for an infinite trace f and a quantitative property \(\varPhi \) asks whether \(\varPhi (f)\ge v\) for a given threshold value \(v\in \mathbb {D}\). Correspondingly, in our thought experiment, the ghost monitor attempts to reject hypotheses of the form \(\varPhi (f)\ge v\), which cannot be rejected as long as all observations seen so far are consistent with an infinite trace f with \(\varPhi (f)\ge v\). We will define \(\varPhi \) to be a quantitative safety property if and only if every hypothesis of the form \(\varPhi (f)\ge v\) can always be rejected by the ghost monitor after a finite number of observations, and we will define \(\varPhi \) to be a quantitative liveness property if and only if some hypothesis of the form \(\varPhi (f)\ge v\) can never be rejected by the ghost monitor after any finite number of observations. We note that in the quantitative case, after every finite number of observations, the set of possible prediction values for \(\varPhi \) maintained by the ghost monitor may be finite or infinite, and in the latter case, it may not contain a minimal or maximal element.
Let us give a few examples. Suppose we have four observations: observation \(\texttt {rq}\) for “request a resource,” observation \(\texttt {gr}\) for “grant the resource,” observation \(\texttt {tk}\) for “clock tick,” and observation \(\texttt {oo}\) for “other.” The boolean property Resp requires that every occurrence of \(\texttt {rq}\) in an infinite trace is followed eventually by an occurrence of \(\texttt {gr}\). The boolean property NoDoubleReq requires that no occurrence of \(\texttt {rq}\) is followed by another \(\texttt {rq}\) without some \(\texttt {gr}\) in between. The quantitative property MinRespTime maps every infinite trace to the largest number k such that there are at least k occurrences of \(\texttt {tk}\) between each \(\texttt {rq}\) and the closest subsequent \(\texttt {gr}\). The quantitative property MaxRespTime maps every infinite trace to the smallest number k such that there are at most k occurrences of \(\texttt {tk}\) between each \(\texttt {rq}\) and the closest subsequent \(\texttt {gr}\). The quantitative property AvgRespTime maps every infinite trace to the lower limit value \(\liminf \) of the infinite sequence \((v_i)_{i \ge 1}\), where \(v_i\) is, for the first i occurrences of \(\texttt {tk}\), the average number of occurrences of \(\texttt {tk}\) between \(\texttt {rq}\) and the closest subsequent \(\texttt {gr}\). Note that the values of AvgRespTime can be \(\infty \) for some computations, including those for which the value of Resp is True. This highlights that boolean properties are not embedded in the limit behavior of quantitative properties.
The boolean property Resp is live because every finite observation sequence can be extended with an occurrence of \(\texttt {gr}\). In fact, Resp is a second-level liveness property (namely, a response property), because it can be written as a countable intersection of co-safety properties. The boolean property NoDoubleReq is safe because if it is violated, it will be rejected by the ghost monitor after a finite number of observations, namely, as soon as the ghost monitor sees a \(\texttt {rq}\) followed by another occurrence of \(\texttt {rq}\) without an intervening \(\texttt {gr}\). According to our quantitative generalization of safety, MinRespTime is a safety property. The ghost monitor always maintains the minimal number k of occurrences of \(\texttt {tk}\) between any past \(\texttt {rq}\) and the closest subsequent \(\texttt {gr}\) seen so far; the set of possible prediction values for MinRespTime is always \(\{0,1,\ldots ,k\}\). Every hypothesis of the form “the MinRespTime-value is at least v” is rejected by the ghost monitor as soon as \(k<v\); if such a hypothesis is violated, this will happen after some finite number of observations. Symmetrically, the quantitative property MaxRespTime is co-safe, because every wrong hypothesis of the form “the MaxRespTime-value is at most v” will be rejected by the ghost monitor as soon as the smallest possible prediction value for MaxRespTime, which is the maximal number of occurrences of \(\texttt {tk}\) between any past \(\texttt {rq}\) and the closest subsequent \(\texttt {gr}\) seen so far, goes above v. By contrast, the quantitative property AvgRespTime is both live and co-live because no hypothesis of the form “the AvgRespTime-value is at least v,” nor of the form “the AvgRespTime-value is at most v,” can ever be rejected by the ghost monitor after a finite number of observations. All nonnegative real numbers and \(\infty \) always remain possible prediction values for AvgRespTime. Note that a ghost monitor that attempts to reject hypotheses of the form \(\varPhi (f) \ge v\) does not need to maintain the entire set of possible prediction values, but only the \(\sup \) of the set of possible prediction values, and whether or not the \(\sup \) is contained in the set. Dually, updating \(\inf \) (and whether it is contained) suffices to reject hypotheses of the form \(\varPhi (f) \le v\).
By defining quantitative safety and liveness via ghost monitors, we not only obtain a conservative and quantitative generalization of the boolean story, but also open up attractive frontiers for quantitative semantics, monitoring, and verification. For example, while the approximation of boolean properties reduces to adding and removing traces to and from a set, the approximation of quantitative properties offers a rich landscape of possibilities. In fact, we can approximate the notion of safety itself. Given an error bound \(\alpha \), the quantitative property \(\varPhi \) is \(\alpha \)-safe if and only if for every value v and every infinite trace f whose value \(\varPhi (f)\) is less than v, all possible prediction values for \(\varPhi \) are less than \(v+\alpha \) after some finite prefix of f. This means that, for an \(\alpha \)-safe property \(\varPhi \), the ghost monitor may not reject wrong hypotheses of the form \(\varPhi (f)\ge v\) after a finite number of observations, once the violation is below the error bound. We show that every quantitative property that is both \(\alpha \)-safe and \(\beta \)-co-safe, for any finite \(\alpha \) and \(\beta \), can be monitored arbitrarily precisely by a monitor that uses only a finite number of states.
We are not the first to define quantitative (or multi-valued) definitions of safety and liveness [27, 41]. While the previously proposed quantitative generalizations of safety share strong similarities with our definition (without coinciding completely), our quantitative generalization of liveness is entirely new. The definitions of [27] do not support any safety-liveness decomposition, because their notion of safety is too permissive, and their liveness too restrictive. While the definitions of [41] admit a safety-liveness decomposition, our definition of liveness captures strictly fewer properties. Consequently, our definitions offer a stronger safety-liveness decomposition theorem. Our definitions also fit naturally with the definitions of emptiness, equivalence, and inclusion for quantitative languages [18].
Overview. In Section 2, we introduce quantitative properties. In Section 3, we define quantitative safety as well as safety closure, namely, the property that increases the value of each trace as little as possible to achieve safety. Then, we prove that our definitions preserve classical boolean facts. In particular, we show that a quantitative property \(\varPhi \) is safe if and only if \(\varPhi \) equals its safety closure if and only if \(\varPhi \) is upper semicontinuous. In Section 4, we generalize the safety-progress hierarchy to quantitative properties. We first define limit properties. For \(\ell \in \{\inf , \sup , \liminf , \limsup \}\), the class of \(\ell \)-properties captures those for which the value of each infinite trace can be derived by applying the limit function \(\ell \) to the infinite sequence of values of finite prefixes. We prove that \(\inf \)-properties coincide with safety, \(\sup \)-properties with co-safety, \(\liminf \)-properties are suprema of countably many safety properties, and \(\limsup \)-properties infima of countably many co-safety properties. The \(\liminf \)-properties generalize the boolean persistence properties of [17]; the \(\limsup \)-properties generalize their response properties. For example, AvgRespTime is a \(\liminf \)-property. In Section 5, we introduce quantitative liveness and co-liveness. We prove that our definitions preserve the classical boolean facts, and show that there is a unique property which is both safe and live. As main result, we provide a safety-liveness decomposition that holds for every quantitative property. In Section 6, we define approximate safety and co-safety. We generalize the well-known unfolding approximation of discounted properties for approximate safety and co-safety properties over the extended reals. This allows us to provide a finite-state approximate monitor for these properties. In Section 7, we conclude with future research directions. For complete proofs of all results, we refer the reader to the full version of the paper.
Related Work. The notions of safety and liveness for boolean properties appeared first in [39] and were later formalized in [4], where safety properties were characterized as closed sets of the Cantor topology on infinite traces, and liveness properties as dense sets. As a consequence, the seminal decomposition theorem followed: every boolean property is an intersection of a safety property and a liveness property. A benefit of such a decomposition lies in the difference between the mathematical arguments used in their verification. While safety properties enable simpler methods such as invariants, liveness properties require more complex approaches such as well-foundedness [5, 42]. These classes were characterized in terms of Büchi automata in [5] and in terms of linear temporal logic in [46].
The safety-progress classification of boolean properties [17] proposes an orthogonal view: rather than partitioning the set of properties, it provides a hierarchy of properties starting from safety. This yields a more fine-grained view of nonsafety properties which distinguishes whether a “good thing” happens at least once (co-safety or “guarantee”), infinitely many times (response), or eventually always (persistence). This classification follows the Borel hierarchy that is induced by the Cantor topology on infinite traces, and has corresponding projections within properties that are definable by finite automata and by formulas of linear temporal logic.
Runtime verification, or monitoring, is a lightweight, dynamic verification technique [6], where a monitor watches a system during its execution and tries to decide, after each finite sequence of observations, whether the observed finite computation trace or its unknown infinite extension satisfies a desired property. The safety-liveness dichotomy has profound implications for runtime verification as well: safety is easy to monitor [28], while liveness is not. An early definition of boolean monitorability was equivalent to safety with recursively enumerable sets of bad prefixes [35]. The monitoring of infinite-state boolean safety properties was later studied in [26]. A more popular definition of boolean monitorability [8, 44] accounts for both truth and falsehood, establishing the set of monitorable properties as a strict superset of finite boolean combinations of safety and co-safety [23]. Boolean monitors that use the set possible prediction values can be found in [7]. The notion of boolean monitorability was investigated through the safety-liveness lens in [43] and through the safety-progress lens in [23].
Quantitative properties (a.k.a. “quantitative languages”) [18] extend their boolean counterparts by moving from the two-valued truth domain to richer domains such as real numbers. Such properties have been extensively studied from a static verification perspective in the past decade, e.g., in the context of model-checking probabilistic properties [37, 38], games with quantitative objectives [10, 15], specifying quantitative properties [1, 11], measuring distances between systems [2, 16, 22, 29], best-effort synthesis and repair [9, 20], and quantitative analysis of transition systems [14, 19, 21, 47]. More recently, quantitative properties have been also studied from a runtime verification perspective, e.g., for limit monitoring of statistical indicators of infinite traces [25] and for analyzing resource-precision trade-offs in the design of quantitative monitors [30, 33].
To the best of our knowledge, previous definitions of (approximate) safety and liveness in nonboolean domains make implicit assumptions about the specification language [24, 34, 45, 48]. We identify two notable exceptions. In [27], the authors generalize the framework of [43] to nonboolean value domains. They provide neither a safety-liveness decomposition of quantitative properties, nor a fine-grained classification of nonsafety properties. In [41], the authors present a safety-liveness decomposition and some levels of the safety-progress hierarchy on multi-valued truth domains, which are bounded distributive lattices. Their motivation is to provide algorithms for model-checking properties on multi-valued truth domains. We present the relationships between their definitions and ours in the relevant sections below.
2 Quantitative Properties
Let \(\varSigma = \{a,b,\ldots \}\) be a finite alphabet of observations. A trace is an infinite sequence of observations, denoted by \(f,g,h \in \varSigma ^\omega \), and a finite trace is a finite sequence of observations, denoted by \(s,r,t \in \varSigma ^*\). Given \(s \in \varSigma ^*\) and \(w \in \varSigma ^* \cup \varSigma ^\omega \), we denote by \(s \prec w\) (resp. \(s \preceq w\)) that s is a strict (resp. nonstrict) prefix of w. Furthermore, we denote by |w| the length of w and, given \(a \in \varSigma \), by \(|w|_a\) the number of occurrences of a in w.
A value domain \(\mathbb {D}\) is a poset. Unless otherwise stated, we assume that \(\mathbb {D}\) is a nontrivial (i.e., \(\bot \ne \top \)) complete lattice and, whenever appropriate, we write \(0, 1, -\infty , \infty \) instead of \(\bot \) and \(\top \) for the least and the greatest elements. We respectively use the terms minimum and maximum for the greatest lower bound and the least upper bound of finitely many elements.
Definition 1 (Property)
A quantitative property (or simply property) is a function \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\) from the set of all traces to a value domain.
A boolean property \(P \subseteq \varSigma ^\omega \) is defined as a set of traces. We use the boolean domain \(\mathbb {B}= \{0,1\}\) with \(0 < 1\) and, in place of P, its characteristic property \(\varPhi _P : \varSigma ^\omega \rightarrow \mathbb {B}\), which is defined by \(\varPhi _P(f) = 1\) if \(f \in P\), and \(\varPhi _P(f) = 0\) if \(f \notin P\).
For all properties \(\varPhi _1,\varPhi _2\) on a domain \(\mathbb {D}\) and all traces \(f \in \varSigma ^\omega \), we let \(\min (\varPhi _1,\varPhi _2)(f) = \min (\varPhi _1(f),\varPhi _2(f))\) and \(\max (\varPhi _1,\varPhi _2)(f) = \max (\varPhi _1(f),\varPhi _2(f))\). For a domain \(\mathbb {D}\), the inverse of \(\mathbb {D}\) is the domain \(\overline{\mathbb {D}}\) that contains the same elements as \(\mathbb {D}\) but with the ordering reversed. For a property \(\varPhi \), we define its complement \(\overline{\varPhi } : \varSigma ^\omega \rightarrow \overline{\mathbb {D}}\) by \(\overline{\varPhi }(f) = \varPhi (f)\) for all \(f \in \varSigma ^\omega \).
Some properties can be defined as limits of value sequences. A finitary property \(\pi :\varSigma ^* \rightarrow \mathbb {D}\) associates a value with each finite trace. A value function \(\ell :\mathbb {D}^\omega \rightarrow \mathbb {D}\) condenses an infinite sequence of values to a single value. Given a finitary property \(\pi \), a value function \(\ell \), and a trace \(f \in \varSigma ^\omega \), we write \(\ell _{s \prec f} \pi (s)\) instead of \(\ell (\pi (s_0)\pi (s_1)\ldots )\), where each \(s_i\) fulfills \(s_i \prec f\) and \(|s_i|=i\).
3 Quantitative Safety
Given a property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\), a trace \(f \in \varSigma ^\omega \), and a value \(v \in \mathbb {D}\), the quantitative membership problem [18] asks whether \(\varPhi (f) \ge v\). We define quantitative safety as follows: the property \(\varPhi \) is safe iff every wrong hypothesis of the form \(\varPhi (f) \ge v\) has a finite witness \(s \prec f\).
Definition 2 (Safety)
A property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\) is safe iff for every \(f \in \varSigma ^\omega \) and value \(v \in \mathbb {D}\) with \(\varPhi (f) \not \ge v\), there is a prefix \(s \prec f\) such that \(\sup _{g \in \varSigma ^\omega } \varPhi (sg) \not \ge v\).
Let us illustrate this definition with the minimal response-time property.
Example 3
Let \(\varSigma = \{\texttt {rq}, \texttt {gr}, \texttt {tk}, \texttt {oo}\}\) and \(\mathbb {D}= \mathbb {N}\cup \{\infty \}\). We define the minimal response-time property \(\varPhi _{\min }\) through an auxiliary finitary property \(\pi _{\min }\) that computes the minimum response time so far. In a finite or infinite trace, an occurrence of \(\texttt {rq}\) is granted if it is followed, later, by a \(\texttt {gr}\), and otherwise it is pending. Let \(\pi _{\text {last}}(s) = \infty \) if the finite trace s contains a pending \(\texttt {rq}\), or no \(\texttt {rq}\), and \(\pi _{\text {last}}(s) = |r|_\texttt {tk}- |t|_\texttt {tk}\) otherwise, where \(r \prec s\) is the longest prefix of s with a pending \(\texttt {rq}\), and \(t \prec r\) is the longest prefix of r without pending \(\texttt {rq}\). Intuitively, \(\pi _{\text {last}}\) provides the response time for the last request when all requests are granted, and \(\infty \) when there is a pending request or no request. Given \(s \in \varSigma ^*\), taking the minimum of the values of \(\pi _{\text {last}}\) over the prefixes \(r \preceq s\) gives us the minimum response time so far. Let \(\pi _{\min }(s) = \min _{r \preceq s} \pi _{\text {last}}(r)\) for all \(s \in \varSigma ^*\), and \(\varPhi _{\min }(f) = \lim _{s \prec f} \pi _{\min }(s)\) for all \(f\in \varSigma ^\omega \). The limit always exists because the minimum is monotonically decreasing.
The minimal response-time property is safe. Let \(f \in \varSigma ^\omega \) and \(v \in \mathbb {D}\) such that \(\varPhi _{\min }(f) < v\). Then, some prefix \(s \prec f\) contains a \(\texttt {rq}\) that is granted after \(u < v\) ticks, in which case, no matter what happens in the future, the minimal response time is guaranteed to be at most u; that is, \(\sup _{g \in \varSigma ^\omega } \varPhi _{\min }(sg) \le u < v\). If you recall from the introduction the ghost monitor that maintains the \(\sup \) of possible prediction values for the minimal response-time property, that value is always \(\pi _{\min }\); that is, \(\sup _{g \in \varSigma ^\omega } \varPhi _{\min }(sg) = \pi _{\min }(s)\) for all \(s\in \varSigma ^*\). Note that in the case of minimal response time, the \(\sup \) of possible prediction values is always realizable; that is, for all \(s\in \varSigma ^*\), there exists an \(f\in \varSigma ^{\omega }\) such that \(\sup _{g \in \varSigma ^\omega } \varPhi _{\min }(sg) = \varPhi _{\min }(sf)\). \(\square \)
Remark 4
Quantitative safety generalizes boolean safety. For every boolean property \(P \subseteq \varSigma ^\omega \), the following statements are equivalent: (i) P is safe according to the classical definition [4], (ii) its characteristic property \(\varPhi _P\) is safe, and (iii) for every \(f \in \varSigma ^\omega \) and \(v \in \mathbb {B}\) with \(\varPhi _P(f) < v\), there exists a prefix \(s \prec f\) such that for all \(g \in \varSigma ^\omega \), we have \(\varPhi _P(sg) < v\).
We now generalize the notion of safety closure and present an operation that makes a property safe by increasing the value of each trace as little as possible.
Definition 5 (Safety closure)
The safety closure of a property \(\varPhi \) is the property \(\varPhi ^*\) defined by \(\varPhi ^*(f) = \inf _{s \prec f} \sup _{g \in \varSigma ^\omega } \varPhi (sg)\) for all \(f\in \varSigma ^\omega \).
We can say the following about the safety closure operation.
Proposition 6
For every property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\), the following statements hold.
-
1.
\(\varPhi ^*\) is safe.
-
2.
\(\varPhi ^*(f) \ge \varPhi (f)\) for all \(f\in \varSigma ^\omega \).
-
3.
\(\varPhi ^*(f) = {\varPhi ^*}^*(f)\) for all \(f\in \varSigma ^\omega \).
-
4.
For every safety property \(\varPsi : \varSigma ^\omega \rightarrow \mathbb {D}\), if \(\varPhi (f) \le \varPsi (f)\) for all \(f\in \varSigma ^\omega \), then \(\varPsi (g) \not < \varPhi ^*(g)\) for all \(g\in \varSigma ^\omega \).
3.1 Alternative Characterizations of Quantitative Safety
Consider a trace and its prefixes of increasing length. For a given property, the ghost monitor from the introduction maintains, for each prefix, the \(\sup \) of possible prediction values, i.e., the least upper bound of the property values for all possible infinite continuations. The resulting sequence of monotonically decreasing suprema provides an upper bound on the eventual property value. Moreover, for some properties, this sequence always converges to the property value. If this is the case, then the ghost monitor can always dismiss wrong lower-bound hypotheses after finite prefixes, and vice versa. This gives us an alternative definition for the safety of quantitative properties which, inspired by the notion of Scott continuity, was called continuity [33]. We now believe that upper semicontinuity is a more appropriate term, as becomes clear when we consider the Cantor topology on \(\varSigma ^\omega \) and the value domain \(\mathbb {R}\cup \{-\infty , +\infty \}\).
Definition 7
(Upper semicontinuity [33]). A property \(\varPhi \) is upper semicontinuous iff \(\varPhi (f) = \lim _{s \prec f} \sup _{g \in \varSigma ^\omega } \varPhi (sg)\) for all \(f \in \varSigma ^\omega \).
We note that the minimal response-time property is upper semicontinuous.
Example 8
Recall the minimal response-time property \(\varPhi _{\min }\) from Example 3. For every trace \(f\in \varSigma ^\omega \), the \(\varPhi _{\min }\) value is the limit of the \(\pi _{\min }\) values for the prefixes of f. Therefore, \(\varPhi _{\min }\) is upper semicontinuous. \(\square \)
In general, a property is safe iff it maps every trace to the limit of the suprema of possible prediction values. Moreover, we can also characterize safety properties as the properties that are equal to their safety closure.
Theorem 9
For every property \(\varPhi \), the following statements are equivalent:
1. \(\varPhi \) is safe. 2. \(\varPhi \) is upper semicontinuous. 3. \(\varPhi (f) = \varPhi ^*(f)\) for all \(f \in \varSigma ^\omega \).
3.2 Related Definitions of Quantitative Safety
In [41], the authors consider the model-checking problem for properties on multi-valued truth domains. They introduce the notion of multi-safety through a closure operation that coincides with our safety closure. Formally, a property \(\varPhi \) is multi-safe iff \(\varPhi (f) = \varPhi ^*(f)\) for every \(f \in \varSigma ^\omega \). It is easy to see the following.
Proposition 10
For every property \(\varPhi \), we have \(\varPhi \) is multi-safe iff \(\varPhi \) is safe.
Although the two definitions of safety are equivalent, our definition is consistent with the membership problem for quantitative automata and motivated by the monitoring of quantitative properties.
In [27], the authors extend a refinement of the safety-liveness classification for monitoring [43] to richer domains. They introduce the notion of verdict-safety through dismissibility of values not less than or equal to the property value. Formally, a property \(\varPhi \) is verdict-safe iff for every \(f \in \varSigma ^\omega \) and \(v \not \le \varPhi (f)\), there exists a prefix \(s \prec f\) such that for all \(g \in \varSigma ^\omega \), we have \(\varPhi (sg) \ne v\).
We demonstrate that verdict-safety is weaker than safety. Moreover, we provide a condition under which the two definitions coincide. To achieve this, we reason about sets of possible prediction values: for a property \(\varPhi \) and \(s \in \varSigma ^*\), let \(P_{\varPhi ,s} = \{\varPhi (sf) \;|\;f \in \varSigma ^\omega \}\).
Lemma 11
A property \(\varPhi \) is verdict-safe iff \(\varPhi (f) = \sup (\lim _{s \prec f} P_{\varPhi ,s})\) for all \(f \in \varSigma ^\omega \).
Notice that \(\varPhi \) is safe iff \(\varPhi (f) = \lim _{s \prec f} (\sup P_{\varPhi ,s})\) for all \(f \in \varSigma ^\omega \). Below we describe a property that is verdict-safe but not safe.
Example 12
Let \(\varSigma = \{a,b\}\). Define \(\varPhi \) by \(\varPhi (f) = 0\) if \(f = a^\omega \), and \(\varPhi (f) = |s|\) otherwise, where \(s \prec f\) is the shortest prefix in which b occurs. The property \(\varPhi \) is verdict-safe. First, observe that \(\mathbb {D}= \mathbb {N}\cup \{\infty \}\). Let \(f \in \varSigma ^\omega \) and \(v \in \mathbb {D}\) with \(v > \varPhi (f)\). If \(\varPhi (f) > 0\), then f contains b, and \(\varPhi (f) = |s|\) for some \(s \prec f\) in which b occurs for the first time. After the prefix s, all \(g \in \varSigma ^\omega \) yield \(\varPhi (sg) = |s|\), thus all values above |s| are rejected. If \(\varPhi (f) = 0\), then \(f = a^\omega \). Let \(v \in \mathbb {D}\) with \(v > 0\), and consider the prefix \(a^v \prec f\). Observe that the set of possible prediction values after reading \(a^v\) is \(\{0, v+1, v+2, \ldots \}\), therefore \(a^v\) allows the ghost monitor to reject the value v. However, \(\varPhi \) is not safe because, although \(\varPhi (a^\omega ) = 0\), for every \(s \prec a^\omega \), we have \(\sup _{g \in \varSigma ^\omega } \varPhi (sg) = \infty \). \(\square \)
The separation is due to the fact that, for some finite traces, the \(\sup \) of possible prediction values cannot be realized by any future. Below, we present a condition that prevents such cases.
Definition 13 (Supremum closedness)
A property \(\varPhi \) is \(\sup \)-closed iff for every \(s \in \varSigma ^*\) we have \(\sup P_{\varPhi , s} \in P_{\varPhi , s}\).
We remark that the minimal response-time property is \(\sup \)-closed.
Example 14
The safety property minimal response-time \(\varPhi _{\min }\) from Example 3 is \(\sup \)-closed. This is because, for every \(s \in \varSigma ^*\), the continuation \(\texttt {gr}^\omega \) realizes the value \(\sup _{g \in \varSigma ^\omega } \varPhi (sg)\). \(\square \)
Recall from the introduction the ghost monitor that maintains the \(\sup \) of possible prediction values. For monitoring \(\sup \)-closed properties this suffices; otherwise the ghost monitor also needs to maintain whether or not the supremum of the possible prediction values is realizable by some future continuation. In general, we have the following for every \(\sup \)-closed property.
Lemma 15
For every \(\sup \)-closed property \(\varPhi \) and for all \(f \in \varSigma ^\omega \), we have \(\lim _{s \prec f} (\sup P_{\varPhi , s}) = \sup (\lim _{s \prec f} P_{\varPhi ,s})\).
As a consequence of the lemmas above, we get the following.
Theorem 16
A \(\sup \)-closed property \(\varPhi \) is safe iff \(\varPhi \) is verdict-safe.
4 The Quantitative Safety-Progress Hierarchy
Our quantitative extension of safety closure allows us to build a Borel hierarchy, which is a quantitative extension of the boolean safety-progress hierarchy [17]. First, we show that safety properties are closed under pairwise \(\min \) and \(\max \).
Proposition 17
For every value domain \(\mathbb {D}\), the set of safety properties over \(\mathbb {D}\) is closed under \(\min \) and \(\max \).
The boolean safety-progress classification of properties is a Borel hierarchy built from the Cantor topology of traces. Safety and co-safety properties lie on the first level, respectively corresponding to the closed sets and open sets of the topology. The second level is obtained through countable unions and intersections of properties from the first level: persistence properties are countable unions of closed sets, while response properties are countable intersections of open sets. We generalize this construction to the quantitative setting.
In the boolean case, each property class is defined through an operation that takes a set \(S \subseteq \varSigma ^*\) of finite traces and produces a set \(P \subseteq \varSigma ^\omega \) of infinite traces. For example, to obtain a co-safety property from \(S \subseteq \varSigma ^*\), the corresponding operation yields \(S\varSigma ^\omega \). Similarly, we formalize each property class by a value function. For this, we define the notion of limit property.
Definition 18 (Limit property)
A property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\) is a limit property iff there exists a finitary property \(\pi : \varSigma ^* \rightarrow \mathbb {D}\) and a value function \(\ell : \mathbb {D}^\omega \rightarrow \mathbb {D}\) such that \(\varPhi (f) = \ell _{s \prec f} \pi (s)\) for all \(f \in \varSigma ^\omega \). We denote this by \(\varPhi = (\pi ,\ell )\), and write \(\varPhi (s)\) instead of \(\pi (s)\). In particular, if \(\varPhi = (\pi ,\ell )\), where \(\ell \in \{ \inf , \sup , \liminf , \limsup \}\), then \(\varPhi \) is an \(\ell \)-property.
To account for the value functions that construct the first two levels of the safety-progress hierarchy, we start our investigation with \(\inf \)- and \(\sup \)-properties and later focus on \(\liminf \)- and \(\limsup \)- properties [18].
4.1 Infimum and Supremum Properties
Let us start with an example by demonstrating that the minimal response-time property is an \(\inf \)-property.
Example 19
Recall the safety property \(\varPhi _{\min }\) of minimal response time from Example 3. We can equivalently define \(\varPhi _{\min }\) as a limit property by taking the finitary property \(\pi _{\text {last}}\) and the value function \(\inf \). As discussed in Example 3, the function \(\pi _{\text {last}}\) outputs the response time for the last request when all requests are granted, and \(\infty \) when there is a pending request or no request. Then \(\inf _{s \prec f} \pi _{\text {last}}(s) = \varPhi _{\min }(f)\) for all \(f \in \varSigma ^\omega \), and therefore \(\varPhi _{\min } = (\pi _{\text {last}}, \inf )\). \(\square \)
In fact, the safety properties coincide with \(\inf \)-properties.
Theorem 20
A property \(\varPhi \) is safe iff \(\varPhi \) is an \(\inf \)-property.
Defining the minimal response-time property as a limit property, we observe the following relation between its behavior on finite traces and infinite traces.
Example 21
Consider the property \(\varPhi _{\min } = (\pi _{\text {last}}, \inf )\) from Example 19. Let \(f \in \varSigma ^\omega \) and \(v \in \mathbb {D}\). Observe that if the minimal response time of f is at least v, then the last response time for each prefix \(s \prec f\) is also at least v. Conversely, if the minimal response time of f is below v, then there is a prefix \(s \prec f\) for which the last response time is also below v. \(\square \)
In light of this observation, we provide another characterization of safety properties, explicitly relating the specified behavior of the limit property on finite and infinite traces.
Theorem 22
A property \(\varPhi :\varSigma ^\omega \rightarrow \mathbb {D}\) is safe iff \(\varPhi \) is a limit property such that for every \(f \in \varSigma ^\omega \) and value \(v \in \mathbb {D}\), we have \(\varPhi (f) \ge v\) iff \(\varPhi (s) \ge v\) for all \(s \prec f\).
Recall that a safety property allows rejecting wrong lower-bound hypotheses with a finite witness, by assigning a tight upper bound to each trace. We define co-safety properties symmetrically: a property \(\varPhi \) is co-safe iff every wrong hypothesis of the form \(\varPhi (f) \le v\) has a finite witness \(s \prec f\).
Definition 23 (Co-safety)
A property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\) is co-safe iff for every \(f\in \varSigma ^\omega \) and value \(v\in \mathbb {D}\) with \(\varPhi (f) \not \le v\), there exists a prefix \(s \prec f\) such that \(\inf _{g \in \varSigma ^\omega } \varPhi (sg) \not \le v\).
We note that our definition generalizes boolean co-safety, and thus a dual of Remark 4 holds also for co-safety. Moreover, we analogously define the notions of co-safety closure and lower semicontinuity.
Definition 24 (Co-safety closure)
The co-safety closure of a property \(\varPhi \) is the property \(\varPhi _*(f)\) defined by \(\varPhi _*(f) = \sup _{s \prec f} \inf _{g \in \varSigma ^\omega } \varPhi (sg)\) for all \(f\in \varSigma ^\omega \).
Definition 25
(Lower semicontinuity [33]). A property \(\varPhi \) is lower semicontinuous iff \(\varPhi (f) = \lim _{s \prec f} \inf _{g \in \varSigma ^\omega } \varPhi (sg)\) for all \(f \in \varSigma ^\omega \).
Now, we define and investigate the maximal response-time property. In particular, we show that it is a \(\sup \)-property that is co-safe and lower semicontinuous.
Example 26
Let \(\varSigma = \{\texttt {rq}, \texttt {gr}, \texttt {tk}, \texttt {oo}\}\) and \(\mathbb {D}= \mathbb {N}\cup \{\infty \}\). We define the maximal response-time property \(\varPhi _{\max }\) through a finitary property that computes the current response time for each finite trace and the value function \(\sup \). In particular, for all \(s \in \varSigma ^*\), let \(\pi _{\text {curr}}(s) = |s|_\texttt {tk}- |r|_\texttt {tk}\), where \(r \preceq s\) is the longest prefix of s without pending \(\texttt {rq}\); then \(\varPhi _{\max } = (\pi _{\text {curr}},\sup )\). Note the contrast between \(\pi _{\text {curr}}\) and \(\pi _{\text {last}}\) from Example 3. While \(\pi _{\text {curr}}\) takes an optimistic view of the future and assumes the \(\texttt {gr}\) will follow immediately, \(\pi _{\text {last}}\) takes a pessimistic view and assumes the \(\texttt {gr}\) will never follow. Let \(f \in \varSigma ^\omega \) and \(v \in \mathbb {D}\). If the maximal response time of f is greater than v, then for some prefix \(s \prec f\) the current response time is greater than v also, which means that, no matter what happens in the future, the maximal response time is greater than v after observing s. Therefore, \(\varPhi _{\max }\) is co-safe. By a similar reasoning, the sequence of greatest lower bounds of possible prediction values over the prefixes converges to the property value. In other words, we have \(\lim _{s \prec f} \inf _{g \in \varSigma ^\omega } \varPhi _{\max }(sg) = \varPhi _{\max }(f)\) for all \(f \in \varSigma ^\omega \). Thus \(\varPhi _{\max }\) is also lower semicontinuous, and it equals its co-safety closure. Now, consider the complementary property \(\overline{\varPhi _{\max }}\), which maps every trace to the same value as \(\varPhi _{\max }\) on a domain where the order is reversed. It is easy to see that \(\overline{\varPhi _{\max }}\) is safe. Finally, recall the ghost monitor from the introduction, which maintains the infimum of possible prediction values for the maximal response-time property. Since the maximal response-time property is \(\inf \)-closed, the output of the ghost monitor after every prefix is realizable by some future continuation, and that output is \(\pi _{\max }(s) = \max _{r \preceq s} \pi _{\text {curr}}(r)\) for all \(s \in \varSigma ^*\). \(\square \)
Generalizing the observations in the example above, we obtain the following characterizations due to the duality between safety and co-safety.
Theorem 27
For every property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\), the following are equivalent.
-
1.
\(\varPhi \) is co-safe.
-
2.
\(\varPhi \) is lower semicontinuous.
-
3.
\(\varPhi (f) = \varPhi _*(f)\) for every \(f \in \varSigma ^\omega \).
-
4.
\(\varPhi \) is a \(\sup \)-property.
-
5.
\(\varPhi \) is a limit property such that for every \(f \in \varSigma ^\omega \) and value \(v \in \mathbb {D}\), we have \(\varPhi (f) \le v\) iff \(\varPhi (s) \le v\) for all \(s \prec f\).
-
6.
\(\overline{\varPhi }\) is safe.
4.2 Limit Inferior and Limit Superior Properties
Let us start with an observation on the minimal response-time property.
Example 28
Recall once again the minimal response-time property \(\varPhi _{\min }\) from Example 3. In the previous subsection, we presented an alternative definition of \(\varPhi _{\min }\) to establish that it is an \(\inf \)-property. Observe that there is yet another equivalent definition of \(\varPhi _{\min }\) which takes the monotonically decreasing finitary property \(\pi _{\min }\) from Example 3 and pairs it with either the value function \(\liminf \), or with \(\limsup \). Hence \(\varPhi _{\min }\) is both a \(\liminf \)- and a \(\limsup \)-property. \(\square \)
Before moving on to investigating \(\liminf \)- and \(\limsup \)-properties more closely, we show that the above observation can be generalized.
Theorem 29
Every \(\ell \)-property \(\varPhi \), for \(\ell \in \{\inf , \sup \}\), is both a \(\liminf \)- and a \(\limsup \)-property.
An interesting response-time property beyond safety and co-safety arises when we remove extreme values: instead of minimal response time, consider the property that maps every trace to a value that bounds from below, not all response times, but all of them from a point onward (i.e., all but finitely many). We call this property tail-minimal response time.
Example 30
Let \(\varSigma = \{\texttt {rq},\texttt {gr},\texttt {tk},\texttt {oo}\}\) and \(\pi _{\text {last}}\) be the finitary property from Example 3 that computes the last response time. We define the tail-minimal response-time property as \(\varPhi _{\text {tmin}} = (\pi _{\text {last}},\liminf )\). Intuitively, it maps each trace to the least response time over all but finitely many requests. This property is interesting as a performance measure, because it focuses on the long-term performance by ignoring finitely many outliers. Consider \(f \in \varSigma ^\omega \) and \(v \in \mathbb {D}\). Observe that, if the tail-minimal response time of f is at least v, then there is a prefix \(s \prec f\) such that for all longer prefixes \(s \preceq r \prec f\), the last response time in r is at least v, and vice versa. \(\square \)
Similarly as for \(\inf \)-properties, we characterize \(\liminf \)-properties through a relation between property behaviors on finite and infinite traces.
Theorem 31
A property \(\varPhi :\varSigma ^\omega \rightarrow \mathbb {D}\) is a \(\liminf \)-property iff \(\varPhi \) is a limit property such that for every \(f \in \varSigma ^\omega \) and value \(v \in \mathbb {D}\), we have \(\varPhi (f) \ge v\) iff there exists \(s \prec f\) such that for all \(s \preceq r \prec f\), we have \(\varPhi (r) \ge v\).
Now, we show that the tail-minimal response-time property can be expressed as a countable supremum of \(\inf \)-properties.
Example 32
Let \(i \in \mathbb {N}\) and define \(\pi _{i,\text {last}}\) as a finitary property that imitates \(\pi _{\text {last}}\) from Example 3, but ignores the first i observations of every finite trace. Formally, for \(s \in \varSigma ^*\), we define \(\pi _{i,\text {last}}(s) = \pi _{\text {last}}(r)\) for \(s = s_i r\) where \(s_i \preceq s\) with \(|s_i| = i\), and \(r \in \varSigma ^*\). Observe that an equivalent way to define \(\varPhi _{\text {tmin}}\) from Example 30 is \(\sup _{i \in \mathbb {N}} (\inf _{s \prec f} (\pi _{i,\text {last}}(s)))\) for all \(f \in \varSigma ^\omega \). Intuitively, for each \(i \in \mathbb {N}\), we obtain an \(\inf \)-property that computes the minimal response time of the suffixes of a given trace. Taking the supremum over these, we obtain the greatest lower bound on all but finitely many response times. \(\square \)
We generalize this observation and show that every \(\liminf \)-property is a countable supremum of \(\inf \)-properties.
Theorem 33
Every \(\liminf \)-property is a countable supremum of \(\inf \)-properties.
We would also like to have the converse of Theorem 33, i.e., that every countable supremum of \(\inf \)-properties is a \(\liminf \)-property. Currently, we are able to show only the following.
Theorem 34
For every infinite sequence \((\varPhi _i)_{i \in \mathbb {N}}\) of \(\inf \)-properties, there is a \(\liminf \)-property \(\varPhi \) such that \(\sup _{i \in \mathbb {N}} \varPhi _i(f) \le \varPhi (f)\).
We conjecture that some \(\liminf \)-property that satisfies Theorem 34 is also a lower bound on the countable supremum that occurs in the theorem. This, together with Theorem 34, would imply the converse of Theorem 33. Proving the converse of Theorem 33 would give us, thanks to the following duality, that the \(\liminf \)- and \(\limsup \)-properties characterize the second level of the Borel hierarchy of the topology induced by the safety closure operator.
Proposition 35
A property \(\varPhi \) is a \(\liminf \)-property iff its complement \(\overline{\varPhi }\) is a \(\limsup \)-property.
5 Quantitative Liveness
Similarly as for safety, we take the perspective of the quantitative membership problem to define liveness: a property \(\varPhi \) is live iff, whenever a property value is less than \(\top \), there exists a value v for which the wrong hypothesis \(\varPhi (f) \ge v\) can never be dismissed by any finite witness \(s \prec f\).
Definition 36 (Liveness)
A property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\) is live iff for all \(f \in \varSigma ^\omega \), if \(\varPhi (f) < \top \), then there exists a value \(v \in \mathbb {D}\) such that \(\varPhi (f) \not \ge v\) and for all prefixes \(s \prec f\), we have \(\sup _{g \in \varSigma ^\omega } \varPhi (sg) \ge v\).
An equivalent definition can be given through the safety closure.
Theorem 37
A property \(\varPhi \) is live iff \(\varPhi ^*(f) > \varPhi (f)\) for every \(f \in \varSigma ^\omega \) with \(\varPhi (f) < \top \).
Our definition generalizes boolean liveness. A boolean property \(P \subseteq \varSigma ^\omega \) is live according to the classical definition [4] iff its characteristic property \(\varPhi _P\) is live according to our definition. Moreover, the intersection of safety and liveness contains only the single degenerate property that always outputs \(\top \).
Proposition 38
A property \(\varPhi \) is safe and live iff \(\varPhi (f) = \top \) for all \(f \in \varSigma ^\omega \).
We define co-liveness symmetrically, and note that the duals of the observations above also hold for co-liveness.
Definition 39 (Co-liveness)
A property \(\varPhi : \varSigma ^\omega \rightarrow \mathbb {D}\) is co-live iff for all \(f \in \varSigma ^\omega \), if \(\varPhi (f) > \bot \), then there exists a value \(v \in \mathbb {D}\) such that \(\varPhi (f) \not \le v\) and for all prefixes \(s \prec f\), we have \(\inf _{g \in \varSigma ^\omega } \varPhi (sg) \le v\).
Next, we present some examples of liveness and co-liveness properties. We start by showing that \(\liminf \)- and \(\limsup \)-properties can be live and co-live.
Example 40
Let \(\varSigma = \{a,b\}\) be an alphabet, and let \(P = \square \lozenge a\) and \(Q = \lozenge \square b\) be boolean properties defined in linear temporal logic. Consider their characteristic properties \(\varPhi _P\) and \(\varPhi _Q\). As we pointed out earlier, our definitions generalize their boolean counterparts, therefore \(\varPhi _P\) and \(\varPhi _Q\) are both live and co-live. Moreover, \(\varPhi _P\) is a \(\limsup \)-property: define \(\pi _P(s) = 1\) if \(s \in \varSigma ^* a\), and \(\pi _P(s) = 0\) otherwise, and observe that \(\varPhi _P(f) = \limsup _{s \prec f} \pi _P(s)\) for all \(f \in \varSigma ^\omega \). Similarly, \(\varPhi _Q\) is a \(\liminf \)-property. \(\square \)
Now, we show that the maximal response-time property is live, and the minimal response time is co-live.
Example 41
Recall the co-safety property \(\varPhi _{\max }\) of maximal response time from Example 26. Let \(f \in \varSigma ^\omega \) such that \(\varPhi _{\max }(f) < \infty \). We can extend every prefix \(s \prec f\) with \(g = \texttt {rq}\, \texttt {tk}^\omega \), which gives us \(\varPhi _{\max }(sg) = \infty > \varPhi (f)\). Equivalently, for every \(f \in \varSigma ^\omega \), we have \(\varPhi _{\max }^*(f) = \infty > \varPhi _{\max }(f)\). Hence \(\varPhi _{\max }\) is live and, analogously, the safety property \(\varPhi _{\min }\) from Example 3 is co-live. \(\square \)
Finally, we show that the average response-time property is live and co-live.
Example 42
Let \(\varSigma = \{\texttt {rq}, \texttt {gr}, \texttt {tk}, \texttt {oo}\}\). For all \(s \in \varSigma ^*\), let \(p(s) = 1\) if there is no pending \(\texttt {rq}\) in s, and \(p(s) = 0\) otherwise. Define \(\pi _{\text {valid}}(s) = |\{r \preceq s \;|\;\exists t \in \varSigma ^* : r = t \, \texttt {rq}\wedge p(t) = 1\}|\) as the number of valid requests in s, and define \(\pi _{\text {time}}(s)\) as the number of \(\texttt {tk}\) observations that occur after a valid \(\texttt {rq}\) and before the matching \(\texttt {gr}\). Then, \(\varPhi _{\text { avg}} = (\pi _{\text { avg}}, \liminf )\), where \(\pi _{\text { avg}}(s) = \frac{\pi _{\text {time}}(s)}{\pi _{\text {valid}}(s)}\) for all \(s \in \varSigma ^*\) with \(\pi _{\text {valid}}(s) > 0\), and \(\pi _{\text { avg}}(s) = \infty \) otherwise. For example, \(\pi _{\text { avg}}(s) = \frac{3}{2}\) for \(s = \texttt {rq}\, \texttt {tk}\, \texttt {gr}\, \texttt {tk}\, \texttt {rq}\, \texttt {tk}\, \texttt {rq}\, \texttt {tk}\). Note that \(\varPhi _{\text { avg}}\) is a \(\liminf \)-property.
The property \(\varPhi _{\text { avg}}\) is defined on the value domain \([0,\infty ]\) and is both live and co-live. To see this, let \(f \in \varSigma ^\omega \) such that \(0< \varPhi _{\text { avg}}(f) < \infty \) and, for every prefix \(s \prec f\), consider \(g = \texttt {rq}\, \texttt {tk}^\omega \) and \(h = \texttt {gr}\, (\texttt {rq}\,\texttt {gr})^\omega \). Since sg has a pending request followed by infinitely many clock ticks, we have \(\varPhi _{\text { avg}}(s g) = \infty \). Similarly, since sh eventually has all new requests immediately granted, we get \(\varPhi _{\text { avg}}(s h) = 0\). \(\square \)
5.1 The Quantitative Safety-Liveness Decomposition
A celebrated theorem states that every boolean property can be expressed as an intersection of a safety property and a liveness property [4]. In this section, we prove the analogous result for the quantitative setting.
Example 43
Let \(\varSigma = \{\texttt {rq}, \texttt {gr}, \texttt {tk}, \texttt {oo}\}\). Recall the maximal response-time property \(\varPhi _{\max }\) from Example 26, and the average response-time property \(\varPhi _{\text { avg}}\) from Example 42. Let \(n > 0\) be an integer and define a new property \(\varPhi \) by \(\varPhi (f) = \varPhi _{\text { avg}}(f)\) if \(\varPhi _{\max }(f) \le n\), and \(\varPhi (f) = 0\) otherwise. For the safety closure of \(\varPhi \), we have \(\varPhi ^*(f) = n\) if \(\varPhi _{\max }(f) \le n\), and \(\varPhi ^*(f) = 0\) otherwise. Now, we further define \(\varPsi (f) = \varPhi _{\text { avg}}(f)\) if \(\varPhi _{\max }(f) \le n\), and \(\varPsi (f) = n\) otherwise. Observe that \(\varPsi \) is live, because every prefix of a trace whose value is less than n can be extended to a greater value. Finally, note that for all \(f \in \varSigma ^\omega \), we can express \(\varPhi (f)\) as the pointwise minimum of \(\varPhi ^*(f)\) and \(\varPsi (f)\). Intuitively, the safety part \(\varPhi ^*\) of this decomposition checks whether the maximal response time stays below the permitted bound, and the liveness part \(\varPsi \) keeps track of the average response time as long as the bound is satisfied. \(\square \)
Following a similar construction, we show that a safety-liveness decomposition exists for every property.
Theorem 44
For every property \(\varPhi \), there exists a liveness property \(\varPsi \) such that \(\varPhi (f) = \min (\varPhi ^*(f), \varPsi (f))\) for all \(f \in \varSigma ^\omega \).
In particular, if the given property is safe or live, the decomposition is trivial.
Remark 45
Let \(\varPhi \) be a property. If \(\varPhi \) is safe (resp. live), then the safety (resp. liveness) part of the decomposition is \(\varPhi \) itself, and the liveness (resp. safety) part is the constant property that maps every trace to \(\top \).
For co-safety and co-liveness, the duals of Theorem 44 and Remark 45 hold. In particular, every property is the pointwise maximum of its co-safety closure and a co-liveness property.
5.2 Related Definitions of Quantitative Liveness
In [41], the authors define a property \(\varPhi \) as multi-live iff \(\varPhi ^*(f) > \bot \) for all \(f\in \varSigma ^\omega \). We show that our definition is more restrictive, resulting in fewer liveness properties while still allowing a safety-liveness decomposition.
Proposition 46
Every live property is multi-live, and the inclusion is strict.
We provide a separating example on a totally ordered domain below.
Example 47
Let \(\varSigma = \{a,b, c\}\), and consider the following property: \(\varPhi (f) = 0\) if \(f \models \square a\), and \(\varPhi (f) = 1\) if \(f \models \lozenge c\), and \(\varPhi (f) = 2\) otherwise (i.e., if \(f \,\models \, \lozenge b \wedge \square \lnot c\)). For all \(f\in \varSigma ^\omega \) and prefixes \(s\prec f\), we have \(\varPhi (s c^\omega ) = 1\). Thus \(\varPhi ^*(f) \ne \bot \), which implies that \(\varPhi \) is multi-live. However, \(\varPhi \) is not live. Indeed, for every \(f\in \varSigma ^\omega \) such that \(f \,\models \, \lozenge c\), we have \(\varPhi (f) = 1 < \top \). Moreover, f admits some prefix s that contains an occurrence of c, thus satisfying \(\sup _{g \in \varSigma ^\omega } \varPhi (sg) = 1\). \(\square \)
In [27], the authors define a property \(\varPhi \) as verdict-live iff for every \(f \in \varSigma ^\omega \) and value \(v \not \le \varPhi (f)\), every prefix \(s \prec f\) satisfies \(\varPhi (sg) = v\) for some \(g \in \varSigma ^\omega \). We show that our definition is more liberal.
Proposition 48
Every verdict-live property is live, and the inclusion is strict.
We provide a separating example below, concluding that our definition is strictly more general even for totally ordered domains.
Example 49
Let \(\varSigma = \{a,b\}\), and consider the following property: \(\varPhi (f) = 0\) if \(f \not \models \lozenge b\), and \(\varPhi (f) = 1\) if \(f \models \lozenge (b \wedge \bigcirc \lozenge b)\), and \(\varPhi (f) = 2^{-|s|}\) otherwise, where \(s \prec f\) is the shortest prefix in which b occurs. Consider an arbitrary \(f \in \varSigma ^\omega \). If \(\varPhi (f) = 1\), then the liveness condition is vacuously satisfied. If \(\varPhi (f) = 0\), then \(f = a^\omega \), and every prefix \(s \prec f\) can be extended with \(g = ba^\omega \) or \(h = b^\omega \) to obtain \(\varPhi (s g) = 2^{-(|s|+1)}\) and \(\varPhi (s h) = 1\). If \(0< \varPhi (f) < 1\), then f satisfies \(\lozenge b\) but not \(\lozenge (b \wedge \bigcirc \lozenge b)\), and every prefix \(s \prec f\) can be extended with \(b^\omega \) to obtain \(\varPhi (s b^\omega ) = 1\). Hence \(\varPhi \) is live. However, \(\varPhi \) is not verdict-live. To see this, consider the trace \(f = a^k b a^\omega \) for some integer \(k \ge 1\) and note that \(\varPhi (f) = 2^{-(k+1)}\). Although all prefixes of f can be extended to reach the value 1, the value domain contains elements between \(\varPhi (f)\) and 1, namely the values \(2^{-m}\) for \(1 \le m \le k\). Each of these values can be rejected after reading a finite prefix of f, because for \(n \ge m\) it is not possible to extend \(a^n\) to reach the value \(2^{-m}\). \(\square \)
6 Approximate Monitoring through Approximate Safety
In this section, we consider properties on extended reals \(\mathbb {R}^{\pm \infty } = \mathbb {R}\cup \{-\infty , +\infty \}\). We denote by \(\mathbb {R}_{\ge 0}\) the set of nonnegative real numbers.
Definition 50 (Approximate safety and co-safety)
Let \(\alpha \in \mathbb {R}_{\ge 0}\). A property \(\varPhi \) is \(\alpha \)-safe iff for every \(f \in \varSigma ^\omega \) and value \(v \in \mathbb {R}^{\pm \infty }\) with \(\varPhi (f) < v\), there exists a prefix \(s \prec f\) such that \(\sup _{g \in \varSigma ^\omega } \varPhi (sg) < v + \alpha \). Similarly, \(\varPhi \) is \(\alpha \)-co-safe iff for every \(f \in \varSigma ^\omega \) and \(v \in \mathbb {R}^{\pm \infty }\) with \(\varPhi (f) > v\), there exists \(s \prec f\) such that \(\inf _{g \in \varSigma ^\omega } \varPhi (sg) > v - \alpha \). When \(\varPhi \) is \(\alpha \)-safe (resp. \(\alpha \)-co-safe) for some \(\alpha \in \mathbb {R}_{\ge 0}\), we say that \(\varPhi \) is approximately safe (resp. approximately co-safe).
Approximate safety can be characterized through the following relation with the safety closure.
Proposition 51
For every error bound \(\alpha \in \mathbb {R}_{\ge 0}\), a property \(\varPhi \) is \(\alpha \)-safe iff \(\varPhi ^*(f) - \varPhi (f) \le \alpha \) for all \(f \in \varSigma ^\omega \).
An analogue of Proposition 51 holds for approximate co-safety and the co-safety closure. Moreover, approximate safety and approximate co-safety are dual notions that are connected by the complement operation, similarly to their precise counterparts (Theorem 27).
6.1 The Intersection of Approximate Safety and Co-safety
Recall the ghost monitor from the introduction. If, after a finite number of observations, all the possible prediction values are close enough, then we can simply freeze the current value and achieve a sufficiently small error. This happens for properties that are both approximately safe and approximately co-safe, generalizing the unfolding approximation of discounted properties [13].
Proposition 52
For every limit property \(\varPhi \) and all error bounds \(\alpha , \beta \in \mathbb {R}_{\ge 0}\), if \(\varPhi \) is \(\alpha \)-safe and \(\beta \)-co-safe, then the set \(\textstyle S_\delta = \{s \in \varSigma ^* \;|\;\sup _{r_1\in \varSigma ^*} \varPhi (sr_1) - \inf _{r_2\in \varSigma ^*} \varPhi (sr_2) \ge \delta \}\) is finite for all reals \(\delta > \alpha + \beta \).
Based on this proposition, we show that, for limit properties that are both approximately safe and approximately co-safe, the influence of the suffix on the property value is eventually negligible.
Theorem 53
For every limit property \(\varPhi \) such that \(\varPhi (f) \in \mathbb {R}\) for all \(f \in \varSigma ^\omega \), and for all error bounds \(\alpha , \beta \in \mathbb {R}_{\ge 0}\), if \(\varPhi \) is \(\alpha \)-safe and \(\beta \)-co-safe, then for every real \(\delta > \alpha + \beta \) and trace \(f \in \varSigma ^\omega \), there is a prefix \(s \prec f\) such that for all continuations \(w \in \varSigma ^* \cup \varSigma ^\omega \), we have \(|\varPhi (sw) - \varPhi (s)| < \delta \).
We illustrate this theorem with a discounted safety property.
Example 54
Let \(P \subseteq \varSigma ^\omega \) be a boolean safety property. We define the finitary property \(\pi _P : \varSigma ^* \rightarrow [0,1]\) as follows: \(\pi _P(s) = 1\) if \(sf \in P\) for some \(f \in \varSigma ^\omega \), and \(\pi _P(s) = 1 - 2^{-|r|}\) otherwise, where \(r \preceq s\) is the shortest prefix with \(rf \notin P\) for all \(f \in \varSigma ^\omega \). The limit property \(\varPhi = (\pi _P, \inf )\) is called discounted safety [3]. Because \(\varPhi \) is an \(\inf \)-property, it is safe by Theorem 20. Now consider the finitary property \(\pi _P'\) defined by \(\pi _P'(s) = 1 - 2^{-|s|}\) if \(sf \in P\) for some \(f \in \varSigma ^\omega \), and \(\pi _P'(s) = 1 - 2^{-|r|}\) otherwise, where \(r \preceq s\) is the shortest prefix with \(rf \notin P\) for all \(f \in \varSigma ^\omega \). Let \(\varPhi ' = (\pi _P', \sup )\), and note that \(\varPhi (f) = \varPhi '(f)\) for all \(f \in \varSigma ^\omega \). Hence \(\varPhi \) is also co-safe, because it is a \(\sup \)-property.
Let \(f \in \varSigma ^\omega \) and \(\delta > 0\). For every prefix \(s \prec f\), the set of possible prediction values is either the range \([1 - 2^{-|s|}, 1]\) or the singleton \(\{1 - 2^{-|r|}\}\), where \(r \preceq s\) is chosen as above. In the latter case, we have \(|\varPhi (sw) - \varPhi (s)| = 0 < \delta \) for all \(w \in \varSigma ^* \cup \varSigma ^\omega \). In the former case, since the range becomes smaller as the prefix grows, there is a prefix \(s' \prec f\) with \(2^{-|s'|} < \delta \), which yields \(|\varPhi (s'w) - \varPhi (s')| < \delta \) for all \(w \in \varSigma ^* \cup \varSigma ^\omega \). \(\square \)
6.2 Finite-state Approximate Monitoring
Monitors with finite state spaces are particularly desirable, because finite automata enjoy a plethora of desirable closure and decidability properties. Here, we prove that properties that are both approximately safe and approximately co-safe can be monitored approximately by a finite-state monitor. First, we recall the notion of abstract quantitative monitor from [30].
A binary relation \({\sim }\) over \(\varSigma ^*\) is an equivalence relation iff it is reflexive, symmetric, and transitive. Such a relation is right-monotonic iff \(s_1 \sim s_2\) implies \(s_1 r \sim s_2 r\) for all \(s_1,s_2,r \in \varSigma ^*\). For an equivalence relation \({\sim }\) over \(\varSigma ^*\) and a finite trace \(s \in \varSigma ^*\), we write \([s]_{{\sim }}\) for the equivalence class of \({\sim }\) to which s belongs. When \({\sim }\) is clear from the context, we write [s] instead. We denote by \(\varSigma ^* / {\sim }\) the quotient of the relation \({\sim }\).
Definition 55
(Abstract monitor [30]). An abstract monitor \(\mathcal {M}= (\sim , \gamma )\) is a pair consisting of a right-monotonic equivalence relation \({\sim }\) on \(\varSigma ^*\) and a function \(\gamma :({\varSigma ^* / \sim }) \rightarrow \mathbb {R}^{\pm \infty }\). The monitor \(\mathcal {M}\) is finite-state iff the relation \(\sim \) has finitely many equivalence classes. Let \(\delta _{\text { fin}},\delta _{\lim } \in \mathbb {R}^{\pm \infty }\) be error bounds. We say that \(\mathcal {M}\) is a \((\delta _{\text { fin}},\delta _{\lim })\)-monitor for a given limit property \(\varPhi = (\pi , \ell )\) iff for all \(s \in \varSigma ^*\) and \(f \in \varSigma ^\omega \), we have \(|\pi (s) - \gamma ([s])| \le \delta _{\text { fin}}\) and \(|\ell _{s \prec f}(\pi (s)) - \ell _{s\prec f}(\gamma ([s]))| \le \delta _{\lim }\).
Building on Theorem 53, we identify a sufficient condition to guarantee the existence of an abstract monitor with finitely many equivalence classes.
Theorem 56
For every limit property \(\varPhi \) such that \(\varPhi (f) \in \mathbb {R}\) for all \(f \in \varSigma ^\omega \), and for all error bounds \(\alpha , \beta \in \mathbb {R}_{\ge 0}\), if \(\varPhi \) is \(\alpha \)-safe and \(\beta \)-co-safe, then for every real \(\delta > \alpha + \beta \), there exists a finite-state \((\delta ,\delta )\)-monitor for \(\varPhi \).
Due to Theorem 56, the discounted safety property of Example 54 has a finite-state monitor for every positive error bound. We remark that Theorem 56 is proved by a construction that generalizes the unfolding approach for the approximate determinization of discounted automata [12], which unfolds an automaton until the distance constraint is satisfied.
7 Conclusion
We presented a generalization of safety and liveness that lifts the safety-progress hierarchy to the quantitative setting of [18] while preserving major desirable features of the boolean setting, such as the safety-liveness decomposition.
Monitorability identifies a boundary separating properties that can be verified or falsified from a finite number of observations, from those that cannot. Safety-liveness and co-safety-co-liveness decompositions allow us separate, for an individual property, monitorable parts from nonmonitorable parts. The larger the monitorable parts of the given property, the stronger the decomposition. We provided the strongest known safety-liveness decomposition, which consists of a pointwise minimum between a safe part defined by a quantitative safety closure, and a live part which corrects for the difference. We then defined approximate safety as the relaxation of safety by a parametric error bound. This further increases the monitorability of properties and offers monitorability at a parametric cost. In fact, we showed that every property that is both approximately safe and approximately co-safe can be monitored arbitrarily precisely by a finite-state monitor. A future direction is to extend our decomposition to approximate safety together with a support for quantitative assumptions [32].
The literature contains efficient model-checking procedures that leverage the boolean safety hypothesis [36, 40]. We thus expect that also quantitative safety and co-safety, and their approximations, enable efficient verification algorithms for quantitative properties.
References
de Alfaro, L., Faella, M., Henzinger, T.A., Majumdar, R., Stoelinga, M.: Model checking discounted temporal properties. Theor. Comput. Sci. 345(1), 139–170 (2005). https://doi.org/10.1016/j.tcs.2005.07.033
de Alfaro, L., Faella, M., Stoelinga, M.: Linear and branching metrics for quantitative transition systems. In: Díaz, J., Karhumäki, J., Lepistö, A., Sannella, D. (eds.) Automata, Languages and Programming: 31st International Colloquium, ICALP 2004, Turku, Finland, July 12-16, 2004. Proceedings. Lecture Notes in Computer Science, vol. 3142, pp. 97–109. Springer (2004). https://doi.org/10.1007/978-3-540-27836-8_11
de Alfaro, L., Henzinger, T.A., Majumdar, R.: Discounting the future in systems theory. In: Baeten, J.C.M., Lenstra, J.K., Parrow, J., Woeginger, G.J. (eds.) Automata, Languages and Programming, 30th International Colloquium, ICALP 2003, Eindhoven, The Netherlands, June 30 - July 4, 2003. Proceedings. Lecture Notes in Computer Science, vol. 2719, pp. 1022–1037. Springer (2003). https://doi.org/10.1007/3-540-45061-0_79
Alpern, B., Schneider, F.B.: Defining liveness. Inf. Process. Lett. 21(4), 181–185 (1985). https://doi.org/10.1016/0020-0190(85)90056-0
Alpern, B., Schneider, F.B.: Recognizing safety and liveness. Distributed Comput. 2(3), 117–126 (1987). https://doi.org/10.1007/BF01782772
Bartocci, E., Falcone, Y., Francalanza, A., Reger, G.: Introduction to runtime verification. In: Bartocci, E., Falcone, Y. (eds.) Lectures on Runtime Verification - Introductory and Advanced Topics, Lecture Notes in Computer Science, vol. 10457, pp. 1–33. Springer (2018). https://doi.org/10.1007/978-3-319-75632-5_1
Bauer, A., Leucker, M., Schallhart, C.: Comparing LTL semantics for runtime verification. J. Log. Comput. 20(3), 651–674 (2010). https://doi.org/10.1093/logcom/exn075
Bauer, A., Leucker, M., Schallhart, C.: Runtime verification for LTL and TLTL. ACM Trans. Softw. Eng. Methodol. 20(4), 14:1–14:64 (2011). https://doi.org/10.1145/2000799.2000800
Bloem, R., Chatterjee, K., Henzinger, T.A., Jobstmann, B.: Better quality in synthesis through quantitative objectives. In: Bouajjani, A., Maler, O. (eds.) Computer Aided Verification, 21st International Conference, CAV 2009, Grenoble, France, June 26 - July 2, 2009. Proceedings. Lecture Notes in Computer Science, vol. 5643, pp. 140–156. Springer (2009). https://doi.org/10.1007/978-3-642-02658-4_14
Bloem, R., Chatterjee, K., Jobstmann, B.: Graph games and reactive synthesis. In: Clarke, E.M., Henzinger, T.A., Veith, H., Bloem, R. (eds.) Handbook of Model Checking, pp. 921–962. Springer (2018). https://doi.org/10.1007/978-3-319-10575-8_27
Boker, U., Chatterjee, K., Henzinger, T.A., Kupferman, O.: Temporal specifications with accumulative values. ACM Trans. Comput. Log. 15(4), 27:1–27:25 (2014). https://doi.org/10.1145/2629686
Boker, U., Henzinger, T.A.: Approximate determinization of quantitative automata. In: D’Souza, D., Kavitha, T., Radhakrishnan, J. (eds.) IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science, FSTTCS 2012, December 15-17, 2012, Hyderabad, India. LIPIcs, vol. 18, pp. 362–373. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2012). https://doi.org/10.4230/LIPIcs.FSTTCS.2012.362
Boker, U., Henzinger, T.A.: Exact and approximate determinization of discounted-sum automata. Log. Methods Comput. Sci. 10(1) (2014). https://doi.org/10.2168/LMCS-10(1:10)2014
Bouyer, P., Fahrenberg, U., Larsen, K.G., Markey, N.: Quantitative analysis of real-time systems using priced timed automata. Commun. ACM 54(9), 78–87 (2011). https://doi.org/10.1145/1995376.1995396
Bouyer, P., Markey, N., Randour, M., Larsen, K.G., Laursen, S.: Average-energy games. Acta Informatica 55(2), 91–127 (2018). https://doi.org/10.1007/s00236-016-0274-1
Cerný, P., Henzinger, T.A., Radhakrishna, A.: Simulation distances. Theor. Comput. Sci. 413(1), 21–35 (2012). https://doi.org/10.1016/j.tcs.2011.08.002
Chang, E., Manna, Z., Pnueli, A.: The safety-progress classification. In: Bauer, F.L., Brauer, W., Schwichtenberg, H. (eds.) Logic and Algebra of Specification. pp. 143–202. Springer Berlin Heidelberg, Berlin, Heidelberg (1993). https://doi.org/10.1007/978-3-642-58041-3_5
Chatterjee, K., Doyen, L., Henzinger, T.A.: Quantitative languages. ACM Trans. Comput. Log. 11(4), 23:1–23:38 (2010). https://doi.org/10.1145/1805950.1805953
Chatterjee, K., Henzinger, T.A., Otop, J.: Nested weighted automata. ACM Trans. Comput. Log. 18(4), 31:1–31:44 (2017). https://doi.org/10.1145/3152769
D’Antoni, L., Samanta, R., Singh, R.: Qlose: Program repair with quantitative objectives. In: Chaudhuri, S., Farzan, A. (eds.) Computer Aided Verification - 28th International Conference, CAV 2016, Toronto, ON, Canada, July 17-23, 2016, Proceedings, Part II. Lecture Notes in Computer Science, vol. 9780, pp. 383–401. Springer (2016). https://doi.org/10.1007/978-3-319-41540-6_21
Fahrenberg, U., Legay, A.: Generalized quantitative analysis of metric transition systems. In: Shan, C. (ed.) Programming Languages and Systems - 11th Asian Symposium, APLAS 2013, Melbourne, VIC, Australia, December 9-11, 2013. Proceedings. Lecture Notes in Computer Science, vol. 8301, pp. 192–208. Springer (2013). https://doi.org/10.1007/978-3-319-03542-0_14
Fahrenberg, U., Legay, A.: The quantitative linear-time-branching-time spectrum. Theor. Comput. Sci. 538, 54–69 (2014). https://doi.org/10.1016/j.tcs.2013.07.030
Falcone, Y., Fernandez, J., Mounier, L.: What can you verify and enforce at runtime? Int. J. Softw. Tools Technol. Transf. 14(3), 349–382 (2012). https://doi.org/10.1007/s10009-011-0196-8
Faran, R., Kupferman, O.: Spanning the spectrum from safety to liveness. Acta Informatica 55(8), 703–732 (2018). https://doi.org/10.1007/s00236-017-0307-4
Ferrère, T., Henzinger, T.A., Kragl, B.: Monitoring event frequencies. In: Fernández, M., Muscholl, A. (eds.) 28th EACSL Annual Conference on Computer Science Logic, CSL 2020, January 13-16, 2020, Barcelona, Spain. LIPIcs, vol. 152, pp. 20:1–20:16. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2020). https://doi.org/10.4230/LIPIcs.CSL.2020.20
Ferrère, T., Henzinger, T.A., Saraç, N.E.: A theory of register monitors. In: Dawar, A., Grädel, E. (eds.) Proceedings of the 33rd Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2018, Oxford, UK, July 09-12, 2018. pp. 394–403. ACM (2018). https://doi.org/10.1145/3209108.3209194
Gorostiaga, F., Sánchez, C.: Monitorability of expressive verdicts. In: Deshmukh, J.V., Havelund, K., Perez, I. (eds.) NASA Formal Methods - 14th International Symposium, NFM 2022, Pasadena, CA, USA, May 24-27, 2022, Proceedings. Lecture Notes in Computer Science, vol. 13260, pp. 693–712. Springer (2022). https://doi.org/10.1007/978-3-031-06773-0_37
Havelund, K., Rosu, G.: Synthesizing monitors for safety properties. In: Katoen, J., Stevens, P. (eds.) Tools and Algorithms for the Construction and Analysis of Systems, 8th International Conference, TACAS 2002, Held as Part of the Joint European Conference on Theory and Practice of Software, ETAPS 2002, Grenoble, France, April 8-12, 2002, Proceedings. Lecture Notes in Computer Science, vol. 2280, pp. 342–356. Springer (2002). https://doi.org/10.1007/3-540-46002-0_24
Henzinger, T.A.: Quantitative reactive modeling and verification. Comput. Sci. Res. Dev. 28(4), 331–344 (2013). https://doi.org/10.1007/s00450-013-0251-7
Henzinger, T.A., Mazzocchi, N., Saraç, N.E.: Abstract monitors for quantitative specifications. In: Dang, T., Stolz, V. (eds.) Runtime Verification - 22nd International Conference, RV 2022, Tbilisi, Georgia, September 28-30, 2022, Proceedings. Lecture Notes in Computer Science, vol. 13498, pp. 200–220. Springer (2022). https://doi.org/10.1007/978-3-031-17196-3_11
Henzinger, T.A., Otop, J.: From model checking to model measuring. In: D’Argenio, P.R., Melgratti, H.C. (eds.) CONCUR 2013 - Concurrency Theory - 24th International Conference, CONCUR 2013, Buenos Aires, Argentina, August 27-30, 2013. Proceedings. Lecture Notes in Computer Science, vol. 8052, pp. 273–287. Springer (2013). https://doi.org/10.1007/978-3-642-40184-8_20
Henzinger, T.A., Saraç, N.E.: Monitorability under assumptions. In: Deshmukh, J., Nickovic, D. (eds.) Runtime Verification - 20th International Conference, RV 2020, Los Angeles, CA, USA, October 6-9, 2020, Proceedings. Lecture Notes in Computer Science, vol. 12399, pp. 3–18. Springer (2020). https://doi.org/10.1007/978-3-030-60508-7_1
Henzinger, T.A., Saraç, N.E.: Quantitative and approximate monitoring. In: 36th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2021, Rome, Italy, June 29 - July 2, 2021. pp. 1–14. IEEE (2021). https://doi.org/10.1109/LICS52264.2021.9470547
Katoen, J., Song, L., Zhang, L.: Probably safe or live. In: Henzinger, T.A., Miller, D. (eds.) Joint Meeting of the Twenty-Third EACSL Annual Conference on Computer Science Logic (CSL) and the Twenty-Ninth Annual ACM/IEEE Symposium on Logic in Computer Science (LICS), CSL-LICS ’14, Vienna, Austria, July 14 - 18, 2014. pp. 55:1–55:10. ACM (2014). https://doi.org/10.1145/2603088.2603147
Kim, M., Kannan, S., Lee, I., Sokolsky, O., Viswanathan, M.: Computational analysis of run-time monitoring - fundamentals of java-mac. In: Havelund, K., Rosu, G. (eds.) Runtime Verification 2002, RV 2002, FLoC Satellite Event, Copenhagen, Denmark, July 26, 2002. Electronic Notes in Theoretical Computer Science, vol. 70, pp. 80–94. Elsevier (2002). https://doi.org/10.1016/S1571-0661(04)80578-4
Kupferman, O., Vardi, M.Y.: Model checking of safety properties. Formal Methods Syst. Des. 19(3), 291–314 (2001). https://doi.org/10.1023/A:1011254632723
Kwiatkowska, M., Norman, G., Parker, D.: Probabilistic Model Checking: Advances and Applications, pp. 73–121. Springer International Publishing, Cham (2018). https://doi.org/10.1007/978-3-319-57685-5_3
Kwiatkowska, M.Z.: Quantitative verification: models techniques and tools. In: Crnkovic, I., Bertolino, A. (eds.) Proceedings of the 6th joint meeting of the European Software Engineering Conference and the ACM SIGSOFT International Symposium on Foundations of Software Engineering, 2007, Dubrovnik, Croatia, September 3-7, 2007. pp. 449–458. ACM (2007). https://doi.org/10.1145/1287624.1287688
Lamport, L.: Proving the correctness of multiprocess programs. IEEE Trans. Software Eng. 3(2), 125–143 (1977). https://doi.org/10.1109/TSE.1977.229904
Latvala, T.: Efficient model checking of safety properties. In: Ball, T., Rajamani, S.K. (eds.) Model Checking Software, 10th International SPIN Workshop. Portland, OR, USA, May 9-10, 2003, Proceedings. Lecture Notes in Computer Science, vol. 2648, pp. 74–88. Springer (2003). https://doi.org/10.1007/3-540-44829-2_5
Li, Y., Droste, M., Lei, L.: Model checking of linear-time properties in multi-valued systems. Inf. Sci. 377, 51–74 (2017). https://doi.org/10.1016/j.ins.2016.10.030
Manna, Z., Pnueli, A.: Adequate proof principles for invariance and liveness properties of concurrent programs. Sci. Comput. Program. 4(3), 257–289 (1984). https://doi.org/10.1016/0167-6423(84)90003-0
Peled, D., Havelund, K.: Refining the safety-liveness classification of temporal properties according to monitorability. In: Margaria, T., Graf, S., Larsen, K.G. (eds.) Models, Mindsets, Meta: The What, the How, and the Why Not? - Essays Dedicated to Bernhard Steffen on the Occasion of His 60th Birthday. Lecture Notes in Computer Science, vol. 11200, pp. 218–234. Springer (2018). https://doi.org/10.1007/978-3-030-22348-9_14
Pnueli, A., Zaks, A.: PSL model checking and run-time verification via testers. In: Misra, J., Nipkow, T., Sekerinski, E. (eds.) FM 2006: Formal Methods, 14th International Symposium on Formal Methods, Hamilton, Canada, August 21-27, 2006, Proceedings. Lecture Notes in Computer Science, vol. 4085, pp. 573–586. Springer (2006). https://doi.org/10.1007/11813040_38
Qian, J., Shi, F., Cai, Y., Pan, H.: Approximate safety properties in metric transition systems. IEEE Trans. Reliab. 71(1), 221–234 (2022). https://doi.org/10.1109/TR.2021.3139616
Sistla, A.P.: Safety, liveness and fairness in temporal logic. Formal Aspects Comput. 6(5), 495–512 (1994). https://doi.org/10.1007/BF01211865
Thrane, C.R., Fahrenberg, U., Larsen, K.G.: Quantitative analysis of weighted transition systems. J. Log. Algebraic Methods Program. 79(7), 689–703 (2010). https://doi.org/10.1016/j.jlap.2010.07.010
Weiner, S., Hasson, M., Kupferman, O., Pery, E., Shevach, Z.: Weighted safety. In: Hung, D.V., Ogawa, M. (eds.) Automated Technology for Verification and Analysis - 11th International Symposium, ATVA 2013, Hanoi, Vietnam, October 15-18, 2013. Proceedings. Lecture Notes in Computer Science, vol. 8172, pp. 133–147. Springer (2013). https://doi.org/10.1007/978-3-319-02444-8_11
Acknowledgments
We thank the anonymous reviewers for their helpful comments. This work was supported in part by the ERC-2020-AdG 101020093.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2023 The Author(s)
About this paper
Cite this paper
Henzinger, T.A., Mazzocchi, N., Saraç, N.E. (2023). Quantitative Safety and Liveness. In: Kupferman, O., Sobocinski, P. (eds) Foundations of Software Science and Computation Structures. FoSSaCS 2023. Lecture Notes in Computer Science, vol 13992. Springer, Cham. https://doi.org/10.1007/978-3-031-30829-1_17
Download citation
DOI: https://doi.org/10.1007/978-3-031-30829-1_17
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30828-4
Online ISBN: 978-3-031-30829-1
eBook Packages: Computer ScienceComputer Science (R0)