The distinction between safety and liveness properties is often adopted in specification and design methods for distributed systems. We present a short survey of the "history" of these concepts and of the papers that contributed to their general acceptance.

The notions of safety and liveness properties were first introduced by Lamport [14]. Informally, a safety property expresses that "something (bad) will not happen" during a system execution; a liveness property expresses that eventually "something (good) must happen" during an execution. The distinction between safety and liveness properties was motivated by the different techniques needed to prove them. For example, Owicki and Lamport [16] propose the technique of proof lattices for liveness properties. Later, Lamport made his informal characterization of safety properties more precise [4]. An execution of a distributed system is formalized as an infinite sequence of states. Any set of such sequences is a property. A property is called a safety property (Section 2.2 in [4]) if and only if each execution violating the property has a finite prefix (footnote 1) violating that property and, vice versa (footnote 2), if a finite prefix of an execution violates the property then the execution itself violates the property. This corresponds to the intuition that the "bad thing" (i.e. the violation of the property) can be detected in a finite initial part of the execution, and that the occurrence of the "bad thing" in a prefix of an execution is irremediable: no continuation of that prefix can repair it. The notion of safety property is also convincing because every safety property can be generated by a transition system with finite internal nondeterminism [3]. This "property of safety properties" seems to be one of the main justifications for the adequacy of the

Supported by the Deutsche Forschungsgemeinschaft SFB 342, TP A3: SEMAFOR, and the ESPRIT Basic Research WG 6067 Caliban.

Footnote 1: Since Lamport considers only infinite sequences, he needs a "trick" to talk about finite executions: the last state is repeated infinitely often.

Footnote 2: In Section 2.2 of [4] Lamport requires only the first direction; Schneider et al. (Section 5.2 of [4] and [6, 5]) associate Lamport also with the definition of safety requiring both directions.
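The two directions of the definition above can be made concrete by asking what a checker that only ever sees a finite prefix of an execution can decide. The following added example (written for this page, not code from any of the surveyed papers) models executions of a constructed toy access-control system as sequences of states with two hypothetical fields, `auth` and `access`. A safety property ("no access before authentication") is refuted by a finite prefix, and once refuted stays refuted under every extension; a liveness property ("an authenticated access eventually happens") can be confirmed by a finite prefix but never refuted by one, even after applying Lamport's trick of repeating the last state. All state fields, property names and traces are assumptions for illustration.

```python
"""Added example: deciding safety and liveness properties on finite prefixes
of an execution.  State shape, property names and traces are constructed for
illustration and are not taken from the surveyed papers."""
from typing import Callable, Dict, List, Optional, Sequence

# Hypothetical state of a toy access-control system: whether the session is
# authenticated and whether a protected resource was accessed in this step.
State = Dict[str, bool]
Verdict = str  # "violated", "satisfied" or "undecided"
Check = Callable[[Sequence[State]], Verdict]


def state(auth: bool, access: bool) -> State:
    return {"auth": auth, "access": access}


def safety_no_access_before_auth(prefix: Sequence[State]) -> Verdict:
    """Safety property: 'a protected access without authentication never
    happens'.  A finite prefix suffices to detect the violation; a prefix
    without one is only 'undecided', since a later state may still violate."""
    for s in prefix:
        if s["access"] and not s["auth"]:
            return "violated"
    return "undecided"


def liveness_eventually_granted(prefix: Sequence[State]) -> Verdict:
    """Liveness property: 'an authenticated access eventually happens'.
    No finite prefix can refute it (the good thing may still come later), so
    the verdict is never 'violated'; it is 'satisfied' once the good thing
    has occurred, and every extension of that prefix satisfies it too."""
    for s in prefix:
        if s["access"] and s["auth"]:
            return "satisfied"
    return "undecided"


def first_violating_prefix(check: Check, trace: Sequence[State]) -> Optional[int]:
    """Length of the shortest prefix of `trace` that `check` reports as
    violated, or None.  For a safety property this is the finite initial
    part of the execution in which the 'bad thing' is detected."""
    for n in range(1, len(trace) + 1):
        if check(trace[:n]) == "violated":
            return n
    return None


def violation_is_irremediable(check: Check, prefix: Sequence[State],
                              extensions: Sequence[Sequence[State]]) -> bool:
    """Second direction of the definition: if the finite prefix violates the
    property, then every extension of it violates the property as well.
    Vacuously true when the prefix itself does not violate."""
    if check(prefix) != "violated":
        return True
    return all(check(list(prefix) + list(ext)) == "violated" for ext in extensions)


def stutter(trace: Sequence[State], n: int) -> List[State]:
    """Lamport's trick for finite executions: repeat the last state forever.
    The infinite repetition is approximated here by n extra copies."""
    return list(trace) + [trace[-1]] * n


# Constructed sample executions.
TRACE_BAD = [state(False, False), state(False, True), state(True, True)]   # access before login
TRACE_GOOD = [state(False, False), state(True, False), state(True, True)]  # login, then access
TRACE_STUCK = [state(False, False)] * 3                                    # never logs in


if __name__ == "__main__":
    print("safety violated at prefix length:",
          first_violating_prefix(safety_no_access_before_auth, TRACE_BAD))   # 2
    print("safety on good trace:",
          first_violating_prefix(safety_no_access_before_auth, TRACE_GOOD))  # None
    print("liveness on stuck trace after 1000 stuttering steps:",
          liveness_eventually_granted(stutter(TRACE_STUCK, 1000)))          # undecided
```

The practical consequence for security monitoring is the asymmetry the definition captures: a runtime monitor or log-based detector that only ever sees a finite prefix can flag violations of safety properties, but it can never refute a liveness property such as "every request is eventually answered", because the stuttered execution of a stuck system still looks undecided after any finite number of steps. Establishing liveness needs proof techniques, such as the proof lattices mentioned above, rather than observation.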
[1] Leslie Lamport. Proving the Correctness of Multiprocess Programs. IEEE Transactions on Software Engineering, 1977.
[2] Susan Owicki, Leslie Lamport. Proving Liveness Properties of Concurrent Programs. ACM Transactions on Programming Languages and Systems, 1982.
[3] Orna Lichtenstein, Amir Pnueli, Lenore Zuck. The Glory of the Past. Logics of Programs, 1985.
[4] A. Prasad Sistla. On characterization of safety and liveness properties in temporal logic. ACM SIGACT-SIGOPS Symposium on Principles of Distributed Computing, 1985.
[5] Bowen Alpern, Alan J. Demers, Fred B. Schneider. Safety Without Stuttering. Information Processing Letters, 1986.
[6] Fred B. Schneider. Decomposing Properties into Safety and Liveness Using Predicate Logic. Technical report, 1987.
[7] Frank Dederichs, Rainer Weber. Safety and Liveness From a Methodological Point of View. Information Processing Letters, 1990.
[8] Martin Rem. A personal perspective of the Alpern-Schneider characterization of safety and liveness. In: Beauty is Our Business, Springer, 1990.
[9] Martín Abadi, Leslie Lamport. Preserving Liveness: Comments on "Safety and Liveness from a Methodological Point of View". Information Processing Letters, 1991.
[10] Thomas A. Henzinger. Sooner is Safer Than Later. Information Processing Letters, 1992.
[11] Krzysztof R. Apt, Nissim Francez, Shmuel Katz. Appraising fairness in languages for distributed programming. Distributed Computing, 1988.
[12] Bowen Alpern, Fred B. Schneider. Recognizing safety and liveness. Distributed Computing, 1987.