Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Download Report

Transcript Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa. 

Termination Proofs
for Systems Code
Andrey Rybalchenko, EPFL/MPI
joint work with Byron Cook, MSR
and Andreas Podelski, MPI
PLDI’2006, Ottawa
Temporal verification
• Basic properties of program computations:
– Reachability
– Termination
• Classical reduction:
From: temporal reasoning about computations
To: first-order reasoning over auxiliary assertions
(e.g. invariants, ranking functions)
• Proof rules:
– conditions on auxiliary assertions implying the property
• Challenge:
– find adequate auxiliary assertions automatically
2
State-of-the-art
• Tools for reachability properties of software:
– Astree, BLAST, F-Soft, MAGIC, SatAbs, SLAM,...
• Termination checkers for TRS, Prolog,
functional languages, ‘toy’ imperative programs:
– CiME, AProVE, TerminWeb, TerminLog, PolyRank, ...
• Our goal:
Termination tool for
software verification
3
Overview
• Classical assertions:
– reachability (invariants)
– termination (ranking functions)
– limitations
• Transition invariants
– checking
– incremental construction
• Practical implementation
4
Invariants
•
•
Given program (Init, Next) and property Good
Q: Init [ Next^+(Init) µ Good ?
•
Find invariant Invtransitive
µ States
•
1.
2.
3.
To prove:
Init µ Inv
Next(Inv) µ Inv
Inv µ Good
closure
5
Inv: automated construction
• Incremental algorithm:
Inv := Init
while Next(Inv) * Inv do
Inv := Inv [ Inv
od
• Failed Next(Inv) µ Inv checks determine Inv
• Keep Inv small wrt. Good
• Classical fixpoint algorithms (w/ abstraction)
6
Ranking functions
•
•
•
•
•
•
Given program (Init, Next)
Q: do infinite computations exists ?
Ranking function
if (y ¸ 1) {
Find ranking function R: States
->y)Naturals
R(x,
:= x
while (x ¸ 0) {
Define ranking relation
Ranking relation
x
=
x
–
y;
Rank := { (s, s’) | R(s) ¸ 0 and R(s’) · R(s)-1 }
Rank := (x ¸ 0 Æ x’ · x - 1)
}
To prove:
}
Next µ Rank
Termination proof depends on reachability:
Next Å Reach µ Rank
7
Rank: automated construction
• Incremental algorithm?
Rank := ;
while Next * Rank do
Rank := Rank [ Rank
od
Rank [ Rank:
{a, b} [ {b, a} = {(a,a), ...}
 = a, a, a, a, a, a, ...
• Termination is not preserved
under union operation
• Abstraction is not possible
8
Alternative: Transition invariants
Å Reach µ Rank
vs.
Next^+ Å Reach µ Rank1 [ ... [ Rankn
Next
• Transition invariant T = Rank1 [ ... [ Rankn
transitive
closure
9
Transition Invariant: automated construction
• Incremental algorithm:
T := ;
while Next^+ Å Reach * T do
T := T [ T
od
• Failed Next^+ Å ... µ T checks determine T
• Keep T well-founded (aka terminating)
• Q: practical implementation?
10
Implementation subtasks
•
Checking:
T := ;
while Nex^+ Å Reach * T do
T := T [ T
od
Next^+ Å Reach µ T
•
Incremental construction:
Find T if check fails
11
Checking Next^+ Å (Acc £ Acc) µ T
Init 3
(s, s’) 2 T
• Monitor for T
– runs in parallel with the program
– inspects pairs of states wrt. T
– goes to error if observes (s, s’)  T
12
Monitor for T
(s, s’) 2 T
• needs to store unbounded computation prefix
• trade storage for non-determinism: [Biere’02]
– select arbitrary state s
– for each subsequent state s’ check (s, s’) 2 T
• proceed in two phases:
– selection
– checking
13
Monitor for T: pseudo-code
var selected := ?
var phase := SELECT
Storage for
program states
while True {
Current
program state
switch (phase) {
SELECT: if ( nondet() ) {
selected := current
phase := CHECK
}
CHECK: if ( (selected, current)  T ) { ERROR: }
}
}
14
Monitoring T: example
if (y ¸ 1) {
while (x ¸ 0) {
x = x – y;
}
}
x y
Candidate to check:
T = (x ¸ 0 Æ x’ · x - 1)
current
5, 1
4, 1
3, 1
2, 1
1, 1
phase
SEL
SEL
CHK
CHK
CHK
selected
?
?
3, 1
3, 1
3, 1
N/A
N/A
N/A
OK
OK
2 T?
15
Checking transition invariant T
• Given T construct monitor MT
• Construct product PT = P || MT
• Apply safety checker on PT:
if success: done
otherwise: counterexample
PT is program
with ERROR location
16
Implementation subtasks
•
Checking:
Next+ Å (Acc £ Acc) µ T
•
Incremental construction:
Find T if check fails
T := ;
while Nex^+ Å Reach * T do
T := T [ T
od
17
Counterexample for T
if (y ¸ 1) {
while (x ¸ 0) {
x = x + y;
}
}
Candidate to check:
T = (x ¸ 0 Æ x’ · x - 1)
current
5, 1
6, 1
7, 1
phase
SEL
CHK
CHK
selected
?
6, 1
6, 1
2 T?
N/A
N/A
ERROR
Program trace:
• assume(y ¸ 1)
• assume(x ¸ 0)
• x := x + y
• x := x + y
7£6
18
Lasso = Stem + Cycle
Program trace:
• assume(y ¸ 1)
• assume(x ¸ 0)
• x := x + y
• x := x + y
Stem
Selection
phase
Cycle
Checking
phase
• Counterexample = Stem.Cycle.Cycle . ...
(to termination)
19
From lasso to T
• Counterexample is spurious
if Cycle^ is infeasible
• if exist Rank ¶ Cycle then
T = Rank
Algorithms and
tools exist:
PolyRank,
RankFinder, ...
• else
return “counterexample Stem.Cycle^ ”
20
Example T
if (y ¸ 1) {
while (x · z) {
if (nondet()) {
x = x + y;
} else
z = z – y;
}
}
}
Candidate to check:
T = ( x · z Æ x’ ¸ x + 1 )
Counterexample (lasso):
• assume(y ¸ 1)
• assume(x · z)
• z := z – y
• T = ( x · z Æ z’ · z – 1 )
Transition invariant:
T = ( x · z Æ x’ · x + 1 ) Ç ( x · z Æ z’ · z – 1 )
21
Incremental algorithm for termination
Creates program
T := ;
with error state
while True do
Applies temporal
PT := P || MT
safety checker
if safe( PT ) then
return “terminates”
else
Applies
Stem, Cycle := counterexample
termination
if exists Rank ¶ Cycle then
checker on a
T := T [ Rank
single path
else
return “counterexample Stem.Cycle”
od
22
Terminator
• Input: program written in C
• Output:
– termination proof: transition invariant
– counterexample: lasso = stem + cycle
– divergence (due to the halting problem)
• Language features supported
– nested loops, gotos
– pointers, aliasing
– (mutually) recursive function calls
• Implementation based on SLAM/SDV
• Scalability: (on drivers from WinDDK)
– several TLOC in minutes
23
Experiments on WinDDK
Lines of code (x1000)
40
35
Termination
proofs
30
25
20
15
10
5
0
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
Cut-point set size
80
70
Termination
bugs
60
50
40
30
20
10
0
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
24
Termination bugs
12
10
8
True bugs
6
False bugs
4
2
0
1
3
5
7
9
11
13
15
17
19
21
23
• True bugs recognized by developers
• Sources of false bugs:
– Heap modelling
– Handling of bit operations
25
Conclusion
• Proving termination can be easy:
– Temporal reduction to transition invariants [lics’04]
– Incremental computation guided by counterexamples
[sas’05]
– Checking using tools for reachability (abstraction,
lazyness, precision,...)
[this paper]
• Next steps:
– Advanced applicability: heap, bit operations,...
– General liveness properties w/ fairness
26
Inductive transition invariants
•
•
Reachability check for PT succeeds
Invariant InvT for PT constructed
over program and monitor variables
•
Meaning of InvT:
TInd := { (s, s’) | (s’, s) 2 InvT }
TInd µ T
1. Next Å (Init £ States) µ TInd
2. TInd ± Next µ TInd
Inductive
transition
invariant
27