CEG 7370: Distributed Computing Principles

Safety and Liveness

Prabhaker Mateti

matetiSafetyLiveness.pptx

A "safety" property is defined thus: Let BAD be a predicate characterizing any condition or state of program code segment S that you consider "bad". Assume that {P} S {Q} holds, and that I is a global invariant. If I ⇒ ¬BAD, we say that ¬BAD is a safety property for S.

Our Andrews textbook unfortunately uses the subjective words "good" and "bad" in defining Safety and Liveness. Instead, think of (i) safety as a property that is true from the beginning of the process to its end of life, and (ii) liveness as a property that will become true at a future moment in time, perhaps just once or many, many times. So, safety is an invariant property -- good or bad subjectively. Obviously, in any realistic context, we do not want a "bad" thing to ever happen, i.e., not-bad should be true at all times.

  1. Safety examples

    1. Variable x is always non-negative.
    2. Two processes are never simultaneously in their critical sections.
    3. A message is received only after it is sent.
    4. No sent message is lost.
    5. A philosopher remains hungry until it eats.
  2. Liveness examples

    1. Variable x will become divisible by 7.
    2. Even in the presence of contention, one of the processes will enter its critical section.
    3. A sent message is eventually received.
    4. A philosopher will eat.
  3. Exercises

    1. "Every philosopher will eventually get hungry." is a safety, not liveness, property. True/False? Explain.
    2. A safety property states that nothing "bad" will ever happen, whereas a liveness property states that something "good" will happen in the next minute.
    3. Often there is no difference between safety and liveness properties.
    4. The negation of a safety property is a liveness property.
    5. "Some day, if not at the end of CEG 7370, you will appreciate and marvel at the book Concurrent Programming by Andrews." Explain if this is a safety, or liveness property, or perhaps neither.
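The difference between the two kinds of property shows up concretely in how each is checked and in the shape of a counterexample: a safety violation is a finite execution prefix ending in a BAD state, whereas a liveness violation is an infinite execution that never reaches the GOOD state. The following Python script is an added example, not part of these notes or of the Andrews text. It explores all states of a small two-process critical-section protocol (constructed here for the example, in two variants: one that peeks at the other process's flag before raising its own, and one that raises its own flag first) and checks the safety property "the two processes are never simultaneously in their critical sections" and the liveness property "process 0 eventually enters its critical section". The liveness check assumes a fair scheduler in which every process takes infinitely many steps; that fairness assumption, the state encoding and the fixed process count are all choices made for this example.

```python
from collections import deque

# A finite transition system is (initial_state, successors), where
# successors(s) yields (label, t) pairs: label names the process that took
# the step and t is the resulting state.  Busy-waiting appears as a
# self-loop (label, s).

def reachable_from(start, successors, allowed=lambda s: True):
    """BFS over states satisfying `allowed`; returns {state: predecessor}
    so any state found can be traced back to a concrete execution prefix."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        for _label, t in successors(s):
            if allowed(t) and t not in parent:
                parent[t] = s
                queue.append(t)
    return parent

def trace(parent, s):
    """Execution prefix from the BFS root to state s."""
    path = []
    while s is not None:
        path.append(s)
        s = parent[s]
    return path[::-1]

def check_safety(initial, successors, bad):
    """Safety: not-BAD holds in every reachable state.  Returns None when it
    holds, else a finite execution prefix ending in a BAD state (a safety
    violation is always witnessed by a finite prefix)."""
    parent = reachable_from(initial, successors)
    for s in parent:
        if bad(s):
            return trace(parent, s)
    return None

def check_liveness(initial, successors, good, processes):
    """Liveness: GOOD eventually holds, under the (assumed) scheduling
    fairness that every process takes infinitely many steps.  A violation
    is an infinite execution that never reaches GOOD: a reachable strongly
    connected set of not-GOOD states inside which every process has a step.
    Returns None when the property holds, else that set of states."""
    not_good = lambda s: not good(s)
    if good(initial):
        return None
    for s in reachable_from(initial, successors, not_good):
        forward = reachable_from(s, successors, not_good)
        component = {t for t in forward
                     if s in reachable_from(t, successors, not_good)}
        labels = {lbl for u in component
                  for lbl, v in successors(u) if v in component}
        if labels >= set(processes):
            return component
    return None

# ---- system under test (constructed for this example): two processes
# competing for a critical section, each with a flag meaning "I want in".
# State = (pc0, pc1, flag0, flag1); pc 0 = non-critical section,
# pc 1 and 2 = entry protocol, pc 3 = critical section.

def step(state, i, set_before_check):
    pc, flag = list(state[:2]), list(state[2:])
    other = 1 - i
    if pc[i] == 0:                       # finish non-critical work, request entry
        pc[i] = 1
    elif pc[i] == 1:
        if set_before_check:             # announce interest first ...
            flag[i] = True
            pc[i] = 2
        elif not flag[other]:            # flawed variant: peek at the other flag first ...
            pc[i] = 2                    # (otherwise busy-wait: state unchanged)
    elif pc[i] == 2:
        if set_before_check:
            if not flag[other]:          # ... then enter only if the other is not interested
                pc[i] = 3
        else:                            # ... then announce and enter
            flag[i] = True
            pc[i] = 3
    else:                                # pc 3: leave the critical section
        flag[i] = False
        pc[i] = 0
    return (pc[0], pc[1], flag[0], flag[1])

def protocol(set_before_check):
    return lambda s: [(i, step(s, i, set_before_check)) for i in (0, 1)]

INITIAL = (0, 0, False, False)
both_in_cs = lambda s: s[0] == 3 and s[1] == 3   # BAD: mutual exclusion broken
p0_in_cs = lambda s: s[0] == 3                   # GOOD: process 0 gets in

def analyse(set_before_check):
    succ = protocol(set_before_check)
    return (check_safety(INITIAL, succ, both_in_cs),
            check_liveness(INITIAL, succ, p0_in_cs, (0, 1)))

if __name__ == "__main__":
    for name, variant in (("check-then-set", False), ("set-then-check", True)):
        unsafe, stuck = analyse(variant)
        print(name, "| mutual exclusion:",
              "violated by prefix %s" % unsafe if unsafe else "holds")
        print(name, "| P0 eventually enters CS:",
              "violated, fair execution stays in %s" % sorted(stuck) if stuck else "holds")
```

Running it shows the two failure shapes side by side. The check-then-set variant breaks the safety property, and the witness is a short finite prefix ending in a state with both processes at pc 3; it also breaks liveness, since process 1 can keep overtaking a waiting process 0 forever. The set-then-check variant satisfies mutual exclusion (no BAD state is reachable at all), yet fails liveness: the checker reports the single state in which both flags are raised and both processes busy-wait on each other, an infinite execution on which the GOOD state never arrives.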

Copyright © 2012 pmateti@wright.edu