Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Slides:



Advertisements
Similar presentations
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Advertisements

Type-based termination analysis with disjunctive invariants Dimitrios Vytiniotis, MSR Cambridge with Byron Cook (MSR Cambridge) and Ranjit Jhala (UCSD)
Ditto: Speeding Up Runtime Data Structure Invariant Checks AJ Shankar and Ras Bodik UC Berkeley.
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Program correctness The State-transition model A global state S  s 0 x s 1 x … x s m {s k = local state of process k} S0  S1  S2  … Each state transition.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.
© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.
Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
CS 267: Automated Verification Lecture 10: Nested Depth First Search, Counter- Example Generation Revisited, Bit-State Hashing, On-The-Fly Model Checking.
Introducing BLAST Software Verification John Gallagher CS4117.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Verification of parameterised systems
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar Shaz Qadeer.
Lazy Abstraction Thomas A. Henzinger Ranjit Jhala Rupak Majumdar Grégoire Sutre UC Berkeley.
Thread-modular Abstraction Refinement Tom Henzinger Ranjit Jhala Rupak Majumdar [UC Berkeley] Shaz Qadeer [Microsoft Research]
Synergy: A New Algorithm for Property Checking
Alternation for Termination William Harris, Akash Lal, Aditya Nori Sriram Rajamani
CS 267: Automated Verification Lectures 14: Predicate Abstraction, Counter- Example Guided Abstraction Refinement, Abstract Interpretation Instructor:
Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented.
Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.
Computing Over­Approximations with Bounded Model Checking Daniel Kroening ETH Zürich.
Operational Semantics Semantics with Applications Chapter 2 H. Nielson and F. Nielson
Describing Syntax and Semantics
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Thread-modular Abstraction Refinement Thomas A. Henzinger, et al. CAV 2003 Seonggun Kim KAIST CS750b.
Verification technique on SA applications using Incremental Model Checking 컴퓨터학과 신영주.
B. Fernández, D. Darvas, E. Blanco Formal methods appliedto PLC code verification Automation seminar CERN – IFAC (CEA) 02/06/2014.
Rule Checking SLAM Checking Temporal Properties of Software with Boolean Programs Thomas Ball, Sriram K. Rajamani Microsoft Research Presented by Okan.
Incremental formal verification of hardware Hana Chockler Alexander Ivrii Arie Matsliah Shiri Moran Ziv Nevo IBM Research - Haifa.
Variance Analyses from Invariance Analyses Josh Berdine Microsoft Research, Cambridge Joint work with Aziem Chawdhary, Byron Cook, Dino.
Model construction and verification for dynamic programming languages Radu Iosif
Program correctness The State-transition model The set of global states = so x s1 x … x sm {sk is the set of local states of process k} S0 ---> S1 --->
1 Predicate Abstraction and Refinement for Verifying Hardware Designs Himanshu Jain Joint work with Daniel Kroening, Natasha Sharygina, Edmund M. Clarke.
Proving Non-Termination Gupta, Henzinger, Majumdar, Rybalchenko, Ru-Gang Xu presentation by erkan.
Program correctness The State-transition model A global states S  s 0 x s 1 x … x s m {s k = set of local states of process k} S0  S1  S2  Each state.
Hwajung Lee. The State-transition model The set of global states = s 0 x s 1 x … x s m {s k is the set of local states of process k} S0  S1  S2  Each.
More on Correctness. Prime Factorization Problem: Write a program that computes all the prime factors of a given number Solution (Idea): Factors are less.
Localization and Register Sharing for Predicate Abstraction Himanshu Jain Franjo Ivančić Aarti Gupta Malay Ganai.
Lecture 5 1 CSP tools for verification of Sec Prot Overview of the lecture The Casper interface Refinement checking and FDR Model checking Theorem proving.
Hwajung Lee. The State-transition model The set of global states = s 0 x s 1 x … x s m {s k is the set of local states of process k} S0  S1  S2  Each.
11 Counter-Example Based Predicate Discovery in Predicate Abstraction Satyaki Das and David L. Dill Computer Systems Lab Stanford University
Predicate Abstraction. Abstract state space exploration Method: (1) start in the abstract initial state (2) use to compute reachable states (invariants)
Synergy: A New Algorithm for Property Checking Bhargav S. Gulavani (IIT Bombay)‏ Yamini Kannan (Microsoft Research India)‏ Thomas A. Henzinger (EPFL)‏
1 Proving program termination Lecture 5 · February 4 th, 2008 TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A.
Loop Invariants and Binary Search Chapter 4.4, 5.1.
Lecture 4 Correctness and Fairness Verification and Assurance.
Program Correctness. The designer of a distributed system has the responsibility of certifying the correctness of the system before users start using.
CS357 Lecture 13: Symbolic model checking without BDDs Alex Aiken David Dill 1.
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
© Anvesh Komuravelli Spacer Model Checking with Proofs and Counterexamples Anvesh Komuravelli Carnegie Mellon University Joint work with Arie Gurfinkel,
Presentation Title 2/4/2018 Software Verification using Predicate Abstraction and Iterative Refinement: Part Bug Catching: Automated Program Verification.
Tutorial: Proving termination and liveness
Enhancing PDR/IC3 with Localization Abstraction
Relatively Complete Refinement Type System for Verification of Higher-Order Non-deterministic Programs Hiroshi Unno (University of Tsukuba) Yuki Satake.
Lecture 5 Floyd-Hoare Style Verification
ITEC452 Distributed Computing Lecture 5 Program Correctness
Over-Approximating Boolean Programs with Unbounded Thread Creation
Predicate Abstraction
BLAST: A Software Verification Tool for C programs
Presentation transcript:

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa

2 Temporal verification Basic properties of program computations: –Reachability –Termination Classical reduction: From: temporal reasoning about computations To: first-order reasoning over auxiliary assertions (e.g. invariants, ranking functions) Proof rules: –conditions on auxiliary assertions implying the property Challenge: –find adequate auxiliary assertions automatically

3 State-of-the-art Tools for reachability properties of software: –Astree, BLAST, F-Soft, MAGIC, SatAbs, SLAM,... Termination checkers for TRS, Prolog, functional languages, ‘toy’ imperative programs: –CiME, AProVE, TerminWeb, TerminLog, PolyRank,... Our goal: Termination tool for software verification

4 Overview Classical assertions: –reachability (invariants) –termination (ranking functions) –limitations Transition invariants –checking –incremental construction Practical implementation

5 Invariants Given program (Init, Next) and property Good Q: Init [ Next^+(Init) µ Good ? Find invariant Inv µ States To prove: 1.Init µ Inv 2.Next(Inv) µ Inv 3.Inv µ Good transitive closure

6 Inv: automated construction Incremental algorithm: Inv := Init while Next(Inv) * Inv do Inv := Inv [  Inv od Failed Next(Inv) µ Inv checks determine  Inv Keep  Inv small wrt. Good Classical fixpoint algorithms (w/ abstraction)

7 Ranking functions Given program (Init, Next) Q: do infinite computations exists ? Find ranking function R: States -> Naturals Define ranking relation Rank := { (s, s’) | R(s) ¸ 0 and R(s’) · R(s)-1 } To prove: Next µ Rank Termination proof depends on reachability: Next Å Reach µ Rank if (y ¸ 1) { while (x ¸ 0) { x = x – y; } Ranking function R(x, y) := x Ranking relation Rank := (x ¸ 0 Æ x’ · x - 1)

8 Incremental algorithm? Rank := ; while Next * Rank do Rank := Rank [  Rank od Termination is not preserved under union operation Abstraction is not possible Rank: automated construction Rank [  Rank : {a, b} [ {b, a} = {(a,a),...}  = a, a, a, a, a, a,...

9 Alternative: Transition invariants Next Å Reach µ Rank vs. Next^+ Å Reach µ Rank 1 [... [ Rank n Transition invariant T = Rank 1 [... [ Rank n transitive closure

10 Incremental algorithm: T := ; while Next^+ Å Reach * T do T := T [  T od Failed Next^+ Å... µ T checks determine  T Keep  T well-founded (aka terminating) Q: practical implementation? Transition Invariant: automated construction

11 Implementation subtasks Checking: Next^+ Å Reach µ T Incremental construction: Find  T if check fails T := ; while Nex^+ Å Reach * T do T := T [  T od

12 Checking Next^+ Å (Acc £ Acc) µ T Monitor for T –runs in parallel with the program –inspects pairs of states wrt. T –goes to error if observes (s, s’)  T (s, s’) 2 T Init 3

13 Monitor for T needs to store unbounded computation prefix trade storage for non-determinism: [Biere’02] –select arbitrary state s –for each subsequent state s’ check (s, s’) 2 T proceed in two phases: –selection –checking (s, s’) 2 T

14 Monitor for T: pseudo-code var selected := ? var phase := SELECT while True { switch (phase) { SELECT: if ( nondet() ) { selected := current phase := CHECK } CHECK: if ( (selected, current)  T ) { ERROR: } } Current program state Storage for program states

15 Monitoring T: example current5, 14, 13, 12, 11, 1 phaseSEL CHK selected ?? 3, 1 2 T?N/A OK Candidate to check: T = (x ¸ 0 Æ x’ · x - 1) if (y ¸ 1) { while (x ¸ 0) { x = x – y; } x y

16 Checking transition invariant T Given T construct monitor M T Construct product P T = P || M T Apply safety checker on P T : if success: done otherwise: counterexample P T is program with ERROR location

17 Implementation subtasks Checking: Next + Å (Acc £ Acc) µ T Incremental construction: Find  T if check fails T := ; while Nex^+ Å Reach * T do T := T [  T od

18 Counterexample for T current5, 16, 17, 1 phaseSELCHK selected ? 6, 1 2 T?N/A ERROR Candidate to check: T = (x ¸ 0 Æ x’ · x - 1) if (y ¸ 1) { while (x ¸ 0) { x = x + y; } Program trace: assume(y ¸ 1) assume(x ¸ 0) x := x + y 7 £ 67 £ 6

19 Lasso = Stem + Cycle Counterexample = Stem.Cycle.Cycle.... (to termination) Program trace: assume(y ¸ 1) assume(x ¸ 0) x := x + y Stem Cycle Selection phase Checking phase

20 From lasso to  T Counterexample is spurious if Cycle^  is infeasible if exist Rank ¶ Cycle then  T = Rank else return “counterexample Stem.Cycle^  ” Algorithms and tools exist: PolyRank, RankFinder,...

21 Example  T Candidate to check: T = ( x · z Æ x’ ¸ x + 1 ) if (y ¸ 1) { while (x · z) { if (nondet()) { x = x + y; } else z = z – y; } Counterexample (lasso): assume(y ¸ 1) assume(x · z) z := z – y  T = ( x · z Æ z’ · z – 1 ) Transition invariant: T = ( x · z Æ x’ · x + 1 ) Ç ( x · z Æ z’ · z – 1 )

22 Incremental algorithm for termination T := ; while True do P T := P || M T if safe( P T ) then return “terminates” else Stem, Cycle := counterexample if exists Rank ¶ Cycle then T := T [ Rank else return “counterexample Stem.Cycle  ” od Creates program with error state Applies temporal safety checker Applies termination checker on a single path

23 Terminator Input: program written in C Output: –termination proof: transition invariant –counterexample: lasso = stem + cycle –divergence (due to the halting problem) Language features supported –nested loops, gotos –pointers, aliasing –(mutually) recursive function calls Implementation based on SLAM/SDV Scalability: (on drivers from WinDDK) –several TLOC in minutes

24 Experiments on WinDDK Lines of code (x1000) Cut-point set size Termination proofs Termination bugs

25 Termination bugs True bugs recognized by developers Sources of false bugs: –Heap modelling –Handling of bit operations

26 Conclusion Proving termination can be easy: –Temporal reduction to transition invariants [lics’04] –Incremental computation guided by counterexamples [sas’05] –Checking using tools for reachability (abstraction, lazyness, precision,...) [this paper] Next steps: –Advanced applicability: heap, bit operations,... –General liveness properties w/ fairness

27 Inductive transition invariants Reachability check for P T succeeds Invariant Inv T for P T constructed over program and monitor variables Meaning of Inv T : T Ind := { (s, s’) | (s’, s) 2 Inv T } T Ind µ T 1.Next Å (Init £ States) µ T Ind 2.T Ind ± Next µ T Ind Inductive transition invariant

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.