termination proofs for systems code
DESCRIPTION
Termination Proofs for Systems Code. Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa. Temporal verification. Basic properties of program computations: Reachability Termination Classical reduction : - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/1.jpg)
Termination Proofs for Systems Code
Andrey Rybalchenko, EPFL/MPI
joint work with Byron Cook, MSRand Andreas Podelski, MPI
PLDI’2006, Ottawa
![Page 2: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/2.jpg)
2
Temporal verification
• Basic properties of program computations:– Reachability– Termination
• Classical reduction: From: temporal reasoning about computationsTo: first-order reasoning over auxiliary assertions
(e.g. invariants, ranking functions)• Proof rules:
– conditions on auxiliary assertions implying the property
• Challenge:– find adequate auxiliary assertions automatically
![Page 3: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/3.jpg)
3
State-of-the-art
• Tools for reachability properties of software:– Astree, BLAST, F-Soft, MAGIC, SatAbs, SLAM,...
• Termination checkers for TRS, Prolog, functional languages, ‘toy’ imperative programs:– CiME, AProVE, TerminWeb, TerminLog, PolyRank, ...
• Our goal: Termination tool for software verification
![Page 4: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/4.jpg)
4
Overview
• Classical assertions:– reachability (invariants)– termination (ranking functions)– limitations
• Transition invariants– checking – incremental construction
• Practical implementation
![Page 5: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/5.jpg)
5
Invariants
• Given program (Init, Next) and property Good• Q: Init [ Next^+(Init) µ Good ?
• Find invariant Inv µ States• To prove:
1. Init µ Inv
2. Next(Inv) µ Inv
3. Inv µ Good
transitive closure
![Page 6: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/6.jpg)
6
Inv: automated construction
• Incremental algorithm:
Inv := Initwhile Next(Inv) * Inv do
Inv := Inv [ Inv
od
• Failed Next(Inv) µ Inv checks determine Inv
• Keep Inv small wrt. Good• Classical fixpoint algorithms (w/ abstraction)
![Page 7: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/7.jpg)
7
Ranking functions
• Given program (Init, Next)• Q: do infinite computations exists ?
• Find ranking function R: States -> Naturals• Define ranking relation
Rank := { (s, s’) | R(s) ¸ 0 and R(s’) · R(s)-1 }• To prove:
Next µ Rank
• Termination proof depends on reachability:Next Å Reach µ Rank
if (y ¸ 1) { while (x ¸ 0) { x = x – y;
}
}
Ranking function
R(x, y) := x
Ranking relation
Rank := (x ¸ 0 Æ x’ · x - 1)
![Page 8: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/8.jpg)
8
• Incremental algorithm?
Rank := ;while Next * Rank do
Rank := Rank [ Rank
od
• Termination is not preserved under union operation
• Abstraction is not possible
Rank: automated construction
Rank [ Rank:
{a, b} [ {b, a} = {(a,a), ...}
= a, a, a, a, a, a, ...
![Page 9: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/9.jpg)
9
Alternative: Transition invariants
Next Å Reach µ Rank
vs.
Next^+ Å Reach µ Rank1 [ ... [ Rankn
• Transition invariant T = Rank1 [ ... [ Rankntransitive closure
![Page 10: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/10.jpg)
10
• Incremental algorithm:
T := ;while Next^+ Å Reach * T do
T := T [ T
od
• Failed Next^+ Å ... µ T checks determine T
• Keep T well-founded (aka terminating) • Q: practical implementation?
Transition Invariant: automated construction
![Page 11: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/11.jpg)
11
Implementation subtasks
• Checking:
Next^+ Å Reach µ T
• Incremental construction:
Find T if check fails
T := ;while Nex^+ Å Reach * T do
T := T [ T
od
![Page 12: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/12.jpg)
12
Checking Next^+ Å (Acc £ Acc) µ T
• Monitor for T– runs in parallel with the program– inspects pairs of states wrt. T– goes to error if observes (s, s’) T
(s, s’) 2 T
Init 3
![Page 13: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/13.jpg)
13
Monitor for T
• needs to store unbounded computation prefix• trade storage for non-determinism: [Biere’02]
– select arbitrary state s– for each subsequent state s’ check (s, s’) 2 T
• proceed in two phases: – selection – checking
(s, s’) 2 T
![Page 14: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/14.jpg)
14
Monitor for T: pseudo-codevar selected := ? var phase := SELECT
while True { switch (phase) { SELECT: if ( nondet() ) { selected := current phase := CHECK } CHECK: if ( (selected, current) T ) { ERROR: } }}
Current program state
Storage for program states
![Page 15: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/15.jpg)
15
Monitoring T: example
current 5, 1 4, 1 3, 1 2, 1 1, 1
phase SEL SEL CHK CHK CHK
selected ? ? 3, 1 3, 1 3, 1
2 T? N/A N/A N/A OK OK
Candidate to check:
T = (x ¸ 0 Æ x’ · x - 1)
if (y ¸ 1) { while (x ¸ 0) { x = x – y;
}
}
x y
![Page 16: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/16.jpg)
16
Checking transition invariant T
• Given T construct monitor MT
• Construct product PT = P || MT
• Apply safety checker on PT:
if success: done
otherwise: counterexample
PT is program
with ERROR location
![Page 17: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/17.jpg)
17
Implementation subtasks
• Checking:
Next+ Å (Acc £ Acc) µ T
• Incremental construction:
Find T if check fails
T := ;while Nex^+ Å Reach * T do
T := T [ T
od
![Page 18: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/18.jpg)
18
Counterexample for T
current 5, 1 6, 1 7, 1
phase SEL CHK CHK
selected ? 6, 1 6, 1
2 T? N/A N/A ERROR
Candidate to check:
T = (x ¸ 0 Æ x’ · x - 1)
if (y ¸ 1) { while (x ¸ 0) { x = x + y;
}
}
Program trace:• assume(y ¸ 1)• assume(x ¸ 0)• x := x + y• x := x + y
7 £ 6
![Page 19: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/19.jpg)
19
Lasso = Stem + Cycle
• Counterexample = Stem.Cycle.Cycle . ...
(to termination)
Program trace:• assume(y ¸ 1)• assume(x ¸ 0)• x := x + y• x := x + y
Stem
Cycle
Selection
phase
Checking
phase
![Page 20: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/20.jpg)
20
From lasso to T
• Counterexample is spurious if Cycle^ is infeasible
• if exist Rank ¶ Cycle then
T = Rank
• elsereturn “counterexample Stem.Cycle^ ”
Algorithms and tools exist:
PolyRank, RankFinder, ...
![Page 21: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/21.jpg)
21
Example T
Candidate to check:
T = ( x · z Æ x’ ¸ x + 1 )
if (y ¸ 1) { while (x · z) { if (nondet()) {
x = x + y;
} else
z = z – y;
}
}
}
Counterexample (lasso):• assume(y ¸ 1)• assume(x · z)• z := z – y
T = ( x · z Æ z’ · z – 1 )
Transition invariant:
T = ( x · z Æ x’ · x + 1 ) Ç ( x · z Æ z’ · z – 1 )
![Page 22: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/22.jpg)
22
Incremental algorithm for termination
T := ;while True do PT := P || MT
if safe( PT ) then return “terminates” else Stem, Cycle := counterexample if exists Rank ¶ Cycle then T := T [ Rank else return “counterexample Stem.Cycle” od
Creates program with error stateApplies temporal
safety checker
Applies termination
checker on a single path
![Page 23: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/23.jpg)
23
Terminator• Input: program written in C
• Output: – termination proof: transition invariant– counterexample: lasso = stem + cycle– divergence (due to the halting problem)
• Language features supported – nested loops, gotos– pointers, aliasing– (mutually) recursive function calls
• Implementation based on SLAM/SDV
• Scalability: (on drivers from WinDDK)– several TLOC in minutes
![Page 24: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/24.jpg)
24
Experiments on WinDDK
0
5
10
15
20
25
30
35
40
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
0
10
20
30
40
50
60
70
80
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
Lines of code (x1000)
Cut-point set size
Termination proofs
Termination bugs
![Page 25: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/25.jpg)
25
Termination bugs
• True bugs recognized by developers• Sources of false bugs:
– Heap modelling– Handling of bit operations
0
2
4
6
8
10
12
1 3 5 7 9 11 13 15 17 19 21 23
True bugs
False bugs
![Page 26: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/26.jpg)
26
Conclusion
• Proving termination can be easy:– Temporal reduction to transition invariants [lics’04]– Incremental computation guided by counterexamples
[sas’05]– Checking using tools for reachability (abstraction,
lazyness, precision,...)[this paper]
• Next steps: – Advanced applicability: heap, bit operations,...– General liveness properties w/ fairness
![Page 27: Termination Proofs for Systems Code](https://reader035.vdocuments.net/reader035/viewer/2022062321/56813a00550346895da1c8c0/html5/thumbnails/27.jpg)
27
Inductive transition invariants
• Reachability check for PT succeeds• Invariant InvT for PT constructed
over program and monitor variables
• Meaning of InvT:TInd := { (s, s’) | (s’, s) 2 InvT } TInd µ T
1. Next Å (Init £ States) µ TInd
2. TInd ± Next µ TInd
Inductive transition invariant