Presentation is loading. Please wait.

Presentation is loading. Please wait.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa."— Presentation transcript:

1 Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa

2 2 Temporal verification Basic properties of program computations: –Reachability –Termination Classical reduction: From: temporal reasoning about computations To: first-order reasoning over auxiliary assertions (e.g. invariants, ranking functions) Proof rules: –conditions on auxiliary assertions implying the property Challenge: –find adequate auxiliary assertions automatically

3 3 State-of-the-art Tools for reachability properties of software: –Astree, BLAST, F-Soft, MAGIC, SatAbs, SLAM,... Termination checkers for TRS, Prolog, functional languages, ‘toy’ imperative programs: –CiME, AProVE, TerminWeb, TerminLog, PolyRank,... Our goal: Termination tool for software verification

4 4 Overview Classical assertions: –reachability (invariants) –termination (ranking functions) –limitations Transition invariants –checking –incremental construction Practical implementation

5 5 Invariants Given program (Init, Next) and property Good Q: Init [ Next^+(Init) µ Good ? Find invariant Inv µ States To prove: 1.Init µ Inv 2.Next(Inv) µ Inv 3.Inv µ Good transitive closure

6 6 Inv: automated construction Incremental algorithm: Inv := Init while Next(Inv) * Inv do Inv := Inv [  Inv od Failed Next(Inv) µ Inv checks determine  Inv Keep  Inv small wrt. Good Classical fixpoint algorithms (w/ abstraction)

7 7 Ranking functions Given program (Init, Next) Q: do infinite computations exists ? Find ranking function R: States -> Naturals Define ranking relation Rank := { (s, s’) | R(s) ¸ 0 and R(s’) · R(s)-1 } To prove: Next µ Rank Termination proof depends on reachability: Next Å Reach µ Rank if (y ¸ 1) { while (x ¸ 0) { x = x – y; } Ranking function R(x, y) := x Ranking relation Rank := (x ¸ 0 Æ x’ · x - 1)

8 8 Incremental algorithm? Rank := ; while Next * Rank do Rank := Rank [  Rank od Termination is not preserved under union operation Abstraction is not possible Rank: automated construction Rank [  Rank : {a, b} [ {b, a} = {(a,a),...}  = a, a, a, a, a, a,...

9 9 Alternative: Transition invariants Next Å Reach µ Rank vs. Next^+ Å Reach µ Rank 1 [... [ Rank n Transition invariant T = Rank 1 [... [ Rank n transitive closure

10 10 Incremental algorithm: T := ; while Next^+ Å Reach * T do T := T [  T od Failed Next^+ Å... µ T checks determine  T Keep  T well-founded (aka terminating) Q: practical implementation? Transition Invariant: automated construction

11 11 Implementation subtasks Checking: Next^+ Å Reach µ T Incremental construction: Find  T if check fails T := ; while Nex^+ Å Reach * T do T := T [  T od

12 12 Checking Next^+ Å (Acc £ Acc) µ T Monitor for T –runs in parallel with the program –inspects pairs of states wrt. T –goes to error if observes (s, s’)  T (s, s’) 2 T Init 3

13 13 Monitor for T needs to store unbounded computation prefix trade storage for non-determinism: [Biere’02] –select arbitrary state s –for each subsequent state s’ check (s, s’) 2 T proceed in two phases: –selection –checking (s, s’) 2 T

14 14 Monitor for T: pseudo-code var selected := ? var phase := SELECT while True { switch (phase) { SELECT: if ( nondet() ) { selected := current phase := CHECK } CHECK: if ( (selected, current)  T ) { ERROR: } } Current program state Storage for program states

15 15 Monitoring T: example current5, 14, 13, 12, 11, 1 phaseSEL CHK selected ?? 3, 1 2 T?N/A OK Candidate to check: T = (x ¸ 0 Æ x’ · x - 1) if (y ¸ 1) { while (x ¸ 0) { x = x – y; } x y

16 16 Checking transition invariant T Given T construct monitor M T Construct product P T = P || M T Apply safety checker on P T : if success: done otherwise: counterexample P T is program with ERROR location

17 17 Implementation subtasks Checking: Next + Å (Acc £ Acc) µ T Incremental construction: Find  T if check fails T := ; while Nex^+ Å Reach * T do T := T [  T od

18 18 Counterexample for T current5, 16, 17, 1 phaseSELCHK selected ? 6, 1 2 T?N/A ERROR Candidate to check: T = (x ¸ 0 Æ x’ · x - 1) if (y ¸ 1) { while (x ¸ 0) { x = x + y; } Program trace: assume(y ¸ 1) assume(x ¸ 0) x := x + y 7 £ 67 £ 6

19 19 Lasso = Stem + Cycle Counterexample = Stem.Cycle.Cycle.... (to termination) Program trace: assume(y ¸ 1) assume(x ¸ 0) x := x + y Stem Cycle Selection phase Checking phase

20 20 From lasso to  T Counterexample is spurious if Cycle^  is infeasible if exist Rank ¶ Cycle then  T = Rank else return “counterexample Stem.Cycle^  ” Algorithms and tools exist: PolyRank, RankFinder,...

21 21 Example  T Candidate to check: T = ( x · z Æ x’ ¸ x + 1 ) if (y ¸ 1) { while (x · z) { if (nondet()) { x = x + y; } else z = z – y; } Counterexample (lasso): assume(y ¸ 1) assume(x · z) z := z – y  T = ( x · z Æ z’ · z – 1 ) Transition invariant: T = ( x · z Æ x’ · x + 1 ) Ç ( x · z Æ z’ · z – 1 )

22 22 Incremental algorithm for termination T := ; while True do P T := P || M T if safe( P T ) then return “terminates” else Stem, Cycle := counterexample if exists Rank ¶ Cycle then T := T [ Rank else return “counterexample Stem.Cycle  ” od Creates program with error state Applies temporal safety checker Applies termination checker on a single path

23 23 Terminator Input: program written in C Output: –termination proof: transition invariant –counterexample: lasso = stem + cycle –divergence (due to the halting problem) Language features supported –nested loops, gotos –pointers, aliasing –(mutually) recursive function calls Implementation based on SLAM/SDV Scalability: (on drivers from WinDDK) –several TLOC in minutes

24 24 Experiments on WinDDK Lines of code (x1000) Cut-point set size Termination proofs Termination bugs

25 25 Termination bugs True bugs recognized by developers Sources of false bugs: –Heap modelling –Handling of bit operations

26 26 Conclusion Proving termination can be easy: –Temporal reduction to transition invariants [lics’04] –Incremental computation guided by counterexamples [sas’05] –Checking using tools for reachability (abstraction, lazyness, precision,...) [this paper] Next steps: –Advanced applicability: heap, bit operations,... –General liveness properties w/ fairness

27 27 Inductive transition invariants Reachability check for P T succeeds Invariant Inv T for P T constructed over program and monitor variables Meaning of Inv T : T Ind := { (s, s’) | (s’, s) 2 Inv T } T Ind µ T 1.Next Å (Init £ States) µ T Ind 2.T Ind ± Next µ T Ind Inductive transition invariant

Download ppt "Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Type-based termination analysis with disjunctive invariants Dimitrios Vytiniotis, MSR Cambridge with Byron Cook (MSR Cambridge) and Ranjit Jhala (UCSD)

Type-based termination analysis with disjunctive invariants Dimitrios Vytiniotis, MSR Cambridge with Byron Cook (MSR Cambridge) and Ranjit Jhala (UCSD)
Ditto: Speeding Up Runtime Data Structure Invariant Checks AJ Shankar and Ras Bodik UC Berkeley.

Ditto: Speeding Up Runtime Data Structure Invariant Checks AJ Shankar and Ras Bodik UC Berkeley.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.

Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.

Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.
© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.

© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.

CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
Introducing BLAST Software Verification John Gallagher CS4117.

Introducing BLAST Software Verification John Gallagher CS4117.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Verification of parameterised systems

Verification of parameterised systems
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

Similar presentations

Ads by Google