Type-based termination analysis with disjunctive invariants Dimitrios Vytiniotis, MSR Cambridge with Byron Cook (MSR Cambridge) and Ranjit Jhala (UCSD)

Slides:

Advertisements

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

Advertisements

A Framework for describing recursive data structures Kenneth Roe Scott Smith.

1 Towards a Verifying Compiler: The Spec# Approach Wolfram Schulte Microsoft Research Formal Methods 2006 Joint work with Rustan Leino, Mike Barnett, Manuel.

Technologies for finding errors in object-oriented software K. Rustan M. Leino Microsoft Research, Redmond, WA Lecture 1 Summer school on Formal Models.

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Lecture 4 Towards a Verifying Compiler: Data Abstraction Wolfram Schulte Microsoft Research Formal Methods 2006 Purity, Model fields, Inconsistency _____________.

Challenges in increasing tool support for programming K. Rustan M. Leino Microsoft Research, Redmond, WA, USA 23 Sep 2004 ICTAC Guiyang, Guizhou, PRC joint.

1 Section 1.5 Rules of Inference. 2 Definitions Theorem: a statement that can be shown to be true Proof: demonstration of truth of theorem –consists of.

Let should not be generalized Dimitrios Vytiniotis, Simon Peyton Jones Microsoft Research, Cambridge TLDI’1 0, Madrid, January 2010 Tom Schrijvers K.U.

Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.

Proofs and Programs Wei Hu 11/01/2007. Outline  Motivation  Theory  Lambda calculus  Curry-Howard Isomorphism  Dependent types  Practice  Coq Wei.

Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.

1 Regression-Verification Benny Godlin Ofer Strichman Technion.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.

1 Dependent Types for Termination Verification Hongwei Xi University of Cincinnati.

Background information Formal verification methods based on theorem proving techniques and modelchecking –to prove the absence of errors (in the formal.

ISBN Chapter 3 Describing Syntax and Semantics.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

CS 355 – Programming Languages

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

May 11, ACL2 Panel: What is the Future of Theorem Proving? Arvind Computer Science & Artificial Intelligence Laboratory.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

VIDE Integrated Environment for Development and Verification of Programs.

CS 330 Programming Languages 09 / 18 / 2007 Instructor: Michael Eckmann.

Generative type abstraction and type-level computation (Wrestling with System FC) Stephanie Weirich, Steve Zdancewic University of Pennsylvania Dimitrios.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

1 Combining verification and analysis. 2 CONCLUSIONS ON VERIFICATION  denotational abstract interpreters have the extra-value of being easily transformed.

Describing Syntax and Semantics

Proving termination conditions Name Country, City, University Omer Subasi Turkey, Istanbul, Koc University Anton Dergunov

Generic Programming with Dependent Types Stephanie Weirich University of Pennsylvania.

1 Hardware synthesis 2.0 Byron Cook and Satnam Singh with Ashutosh Gupta, Stephen Magill, Andrey Rybalchenko, Jiri Simsa, and Viktor Vafeiadis TexPoint.

Stop when you are Almost-Full Adventures in constructive termination Dimitrios Vytiniotis Microsoft Research, Cambridge Thierry Coquand, David Wahlstedt.

Software Engineering Prof. Dr. Bertrand Meyer March 2007 – June 2007 Chair of Software Engineering Static program checking and verification Slides: Based.

Coinduction in a language and verifier K. Rustan M. Leino Research in Software Engineering (RiSE) Microsoft Research, Redmond IFIP WG 2.3 meeting Seattle,

Chapter 25 Formal Methods Formal methods Specify program using math Develop program using math Prove program matches specification using.

ISBN Chapter 3 Describing Semantics -Attribute Grammars -Dynamic Semantics.

CS 363 Comparative Programming Languages Semantics.

Variance Analyses from Invariance Analyses Josh Berdine Microsoft Research, Cambridge Joint work with Aziem Chawdhary, Byron Cook, Dino.

Certifying Intermediate Programming Zhaopeng Li

ISBN Chapter 3 Describing Semantics.

Chapter 3 Part II Describing Syntax and Semantics.

Semantics In Text: Chapter 3.

Logical Agents Chapter 7. Knowledge bases Knowledge base (KB): set of sentences in a formal language Inference: deriving new sentences from the KB. E.g.:

CS6133 Software Specification and Verification

Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.

Compositional Program Synthesis from Natural Language and Examples Mohammad Raza, Sumit Gulwani & Natasa Milic-Frayling Microsoft.

Function Definition by Cases and Recursion Lecture 2, Programmeringsteknik del A.

Static Techniques for V&V. Hierarchy of V&V techniques Static Analysis V&V Dynamic Techniques Model Checking Simulation Symbolic Execution Testing Informal.

Formal Verification. Background Information Formal verification methods based on theorem proving techniques and modelchecking –To prove the absence of.

1 Proving program termination Lecture 5 · February 4 th, 2008 TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A.

Program Analysis and Verification

CS 5150 Software Engineering Lecture 21 Reliability 2.

Logical Agents. Outline Knowledge-based agents Logic in general - models and entailment Propositional (Boolean) logic Equivalence, validity, satisfiability.

11/22/2016IT 3271 A formal system:Axioms and Rules, for inferring valid specification x := m; y := n; while ¬(x=y) do if x>y then x := x-y else y := y-x.

Spring 2017 Program Analysis and Verification

Tutorial: Proving termination and liveness

Automating Induction for Solving Horn Clauses

State your reasons or how to keep proofs while optimizing code

EPISTEMIC LOGIC.

Relatively Complete Refinement Type System for Verification of Higher-Order Non-deterministic Programs Hiroshi Unno (University of Tsukuba) Yuki Satake.

Lecture 5 Floyd-Hoare Style Verification

Programming Languages 2nd edition Tucker and Noonan

Over-Approximating Boolean Programs with Unbounded Thread Creation

Programming Languages and Compilers (CS 421)

Hoare-style program verification

LL and Recursive-Descent Parsing Hal Perkins Autumn 2011

A Refinement Calculus for Promela

Programming Languages 2nd edition Tucker and Noonan

Presentation transcript:

Type-based termination analysis with disjunctive invariants Dimitrios Vytiniotis, MSR Cambridge with Byron Cook (MSR Cambridge) and Ranjit Jhala (UCSD) IFIP WG 2.8, Austin TX, March 2011

1 … or, what am I doing hanging out with these people? termination and liveness of imperative programs, shape analysis and heap space bounds, ranking function synthesis program analysis, model checking and verification for systems code, refinement types, liquid types, decision procedures And myself? functional programming, type systems, type inference, dependent types, semantics and parametricity, Coq, Haskell!

2 The jungle of termination/totality analysis “Guarded recursion” (my own term) -sized types [Hughes et al, Abel] -modalities for recursion [eg Nakano] Structural recursion -Conor McBride -offered in Coq and Agda -also Bove & Capretta transformation Dependent types -programming with well-founded relations (think “ranking functions”) -Coq, Agda, DML [Xi] Terminator -termination analysis for imperative programs -“disjunctive invariants” and Ramsey’s theorem -[Cook, Podelski, Rybalchenko] Size-change principle -[Jones, Sereni, Bohr] -a control flow analysis essentially

3 A dichotomy? “Guarded recursion”, structural recursion, dependent types Terminator and disjunctive invariants, size-change -  Mostly fully manual - Programmable - Declarative specification -  Often tedious to come up with a WF relation or convince type checker (i.e. the techniques don’t make proving totality easier, they just make it possible!) - Mostly fully automatic -  Not programmable -  No declarative specs - Often easy for the tool to synthesize the termination argument Today I will have a go at combining both worlds WARNING: very fresh (i.e. airplane-fresh) ideas!

4 The idea: one new typing rule for totality

5 Example let rec flop (u,v) = if v > 0 then flop (u,v-1) else if u > 1 then flop (u-1,v) else 1 Terminating, by lexicographic pair order Terminating, by lexicographic pair order

6 Or … just call Liquid Types and it will do all that for you! … after you have applied a transformation to the original program that I will describe later on

7 Background Structural and guarded recursion, dependent types and well-founded relations in Coq We will skip these. You already know

8 Background: disjunctive invariants

9 Background: How Terminator works?  Transform a program, and assert/infer invariants!  Invariant between x and oldx represents any point of R+!  We need non-deterministic choice to allow the “start point” to be anywhere int x = 50; while (x > 0) do { … x = x - 1; } bool copied = false; int oldx; int x = 50; while (x > 0) do { if copied then assert (x <_{T_i} oldx) else if * then { copied=true; oldx=x; } … x = x - 1; }

10 In a functional setting: a first attempt let rec f x = if x==0 then 41 else f (x-1) + 1 let rec f x = if * then if x==0 then 41 else f (x-1) + 1 else f’ x x let rec f’ oldx x = if x==0 then 41 else f’ oldx (x-1) + 1 But where is the ASSERT?

11 In a functional setting: a better attempt  Just inline the first call to f’ to expose subsequent calls: let rec f x = if x==0 then 41 else f (x-1) + 1 let rec f x = if * then if x==0 then 41 else f (x-1) + 1 else f’ x x if x==0 then 41 else f’ x (x-1) + 1 let rec f’ oldx x = assert (oldx <_{T_i} x) if x==0 then 41 else f’ oldx (x-1) + 1 Starts to look like something a refinement type system could express … but can we dispense with rewriting? Starts to look like something a refinement type system could express … but can we dispense with rewriting?

12 A special typing rule, to avoid rewriting

13 Bumping up the arguments let rec flop (u,v) = if v > 0 then flop (u,v-1) else if u > 1 then flop (u-1,big) else 1

14 One way to strengthen the rule with invariants let rec flop (u,v) = if v > 0 then flop (u,v-1) else if u > 1 then flop (u-1,big) else 1

15 Scrap your lexicographic orders?...

16 What next?  More examples. Is it easy for the programmer?  Formal soundness proof  Move from trace-based semantics (Terminator) to denotational?  Integrate in a refinement type system or a dependently typed language  Tempted by the Program facilities for extraction of obligations in Coq  Is there a constructive proof of (some restriction of) disjunctive WF theorem? If yes, use it to construct the WF ranking relations in Coq  Applicable to Agda, Trellys?  Liquid types. Demo works for many examples via the transformation  Negative recursive datatypes, mutual recursion …

17 Thanks! A new typing rule for termination based on disjunctive invariants New typing rule serves as:  a declarative specification of that method, or  the basis for a tool that could potentially increase the programmability of totality checking