Tutorial: Proving termination and liveness
Byron Cook
Microsoft Research and Queen Mary, Univ. of London
Introduction
Outline
- Basics
- Refinement-based termination proving
- Variance analysis
- Recent and future work
- Conclusion
Well-founded relations
Termination proof rules
Termination proof rule
  assume(y>=1); x := x - y; assume(x>=1);
Refinement
Strategy:
- Start with an empty termination argument
- Iteratively weaken and re-check the termination argument
- Weaken using linear rank function synthesis
Advantages:
- Can use existing safety property checking technology to check argument validity
- Finds complex termination arguments with only linear rank functions
- Leads to counterexamples
- Accurate
Disadvantages:
- Very slow
- May not terminate (in several ways)
Original program:
  x = f(x,y);
  while(x<y) {
    g(&y,x);
  }

Instrumented program:
  copied = 0;
  x = f(x,y);
  while(x<y) {
    if (!copied) {
      if (*) { H[x] = x; H[y] = y; copied = 1; }
    } else {
      assert(T1 || T2 || T3);
    }
    g(&y,x);
  }
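Added example (not from the slides or the Terminator tool): a miniature of the refinement loop above, run over a constructed loop with a nondeterministic reset that needs a disjunctive argument of the kind checked by assert(T1 || T2 || T3). Concrete exploration of (recorded state, later state) pairs stands in for the safety checker, and a brute-force search over small coefficients stands in for linear rank function synthesis; the loop, the reset bound and the coefficient grid are assumptions of the example.

```python
from itertools import product
# Constructed loop (not from the slides); state = (x, y), branches 0 and 1:
#   while (x > 0 and y > 0) { if (*) { x := x - 1; y := * } else { y := y - 1 } }
# No single linear rank function fits (y is reset), but {x decreases, y decreases} does.
def successors(s):
    x, y = s
    if not (x > 0 and y > 0):
        return []                                  # loop exits
    return [(0, (x - 1, v)) for v in range(4)] + [(1, (x, y - 1))]  # y := * bounded to 0..3 (constructed)

def rank(coeffs, s):                               # linear rank a*x + b*y + c
    return coeffs[0] * s[0] + coeffs[1] * s[1] + coeffs[2]
def holds(coeffs, s, t):
    # one disjunct T_i: rank bounded below and strictly decreasing
    return rank(coeffs, s) >= 0 and rank(coeffs, s) > rank(coeffs, t)

def sample_pairs(init_states, depth):
    """(recorded, later) state pairs on all paths, keyed by branch sequence."""
    pairs = {}
    def walk(path, branches):
        if len(branches) == depth:
            return
        for br, t in successors(path[-1]):
            for i, s in enumerate(path):
                pairs.setdefault(tuple(branches[i:] + [br]), []).append((s, t))
            walk(path + [t], branches + [br])
    for s0 in init_states:
        walk([s0], [])
    return pairs

def check(argument, pairs):
    """The instrumented assert: None if every pair satisfies some disjunct, else a violating branch sequence."""
    for key, ps in pairs.items():
        if not all(any(holds(r, s, t) for r in argument) for s, t in ps):
            return key
    return None

def synthesize(path_pairs):
    # brute-force stand-in for linear rank function synthesis on one path relation
    for coeffs in product((-1, 0, 1), repeat=3):
        if all(holds(coeffs, s, t) for s, t in path_pairs):
            return coeffs
    return None

def refine(init_states, depth=4):
    # start from the empty argument; weaken it with one rank function per counterexample
    pairs = sample_pairs(init_states, depth)
    argument = []
    while True:
        cex = check(argument, pairs)
        if cex is None:
            return argument
        r = synthesize(pairs[cex])
        if r is None:
            return None                            # no linear rank for this path
        argument.append(r)
```

Each returned coefficient triple is one disjunct T_i; for initial states (2, 2) and (3, 1) the loop first learns x - 1, is refuted by a path that only decrements y, and then adds y - 1.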
Examples
The bad news
More bad news
Variance analysis
Strategy:
- Use abstract interpretation techniques to compute a (disjunctive) over-approximation
- Check that the parts of the disjunction are well founded
Advantages:
- Can use existing abstract interpretation tools to compute the over-approximation
- Always terminates
- Fast
Disadvantages:
- No counterexamples
- Less accurate than the refinement-based approach
- Abstract domains (currently) not built for our application
- Widening can be too aggressive
- Redundant information kept
Recent and future work
Concurrency
- Proving thread-termination [PLDI’08]
- Proving that non-blocking algorithms don’t block [POPL’09]
Recursion
- Proving termination of recursive programs [Submitted]
Synthesizing pre-conditions to termination
- Proving conditional termination [CAV’08]
Termination for non-linear programs
- Proving termination by divergence [SEFM’07]
Proving that non-blocking algorithms don’t block
Motivation
- Automatic termination/liveness proving is now a reality
- Advanced termination/liveness tools now support concurrency, pointers, heap, recursion, omega-regular properties, counterexample generation, etc.
Tools:
- Terminator (currently being transferred into the Windows SDV product)
- ARMC (Andrey’s publicly available version)
- Polyrank (from Bradley, Manna, Sipma)
- T2 (in development for my book and CMU course)
Recent and future work
Proving termination inductively
- Podelski & Rybalchenko [LICS’04]
- Ranking abstractions [ESOP’08]
Liveness properties (fair termination)
- Proving that software eventually does something good [POPL’07b]
Better support for heap-manipulating programs
- Automatic termination proofs for programs with shape-shifting heaps [CAV’06]
Induction
Recent and future work
Separation logic based shape analysis for systems code:
- Scalable shape analysis for systems code [CAV’08]
Support for concurrency:
- Thread-modular shape analysis [PLDI’07b]
- Local reasoning for storable locks and threads [APLAS’07]
Shape analysis for complex data structures:
- Shape analysis for composite data structures [CAV’07]
Producing arithmetic abstractions of programs with heap:
- Arithmetic strengthening for shape analysis [SAS’07]
- Automatic termination proofs for programs with shape-shifting heaps [CAV’06]

Variance analysis, and inductive techniques
- Variance analyses from invariance analyses [POPL’07a]
- Ranking abstractions [ESOP’08]
Liveness properties (fair termination)
- Proving that software eventually does something good [POPL’07b]
  acquire();
  while(……) {
    ……
  }
  release();
Better support for heap-manipulating programs
- Automatic termination proofs for programs with shape-shifting heaps [CAV’06]
Experimental results
Recent and future work
Current frontiers:
- Bitvectors + unbounded numbers
- Scalability
- Precision
- Finding inductive termination arguments
- Non-linear systems
- Counterexamples/non-termination
- Concurrency
- Programs with data structures
- Finding better pre-conditions
- Programs with higher-order functions
Collatz program (a.k.a. the 3n+1 problem)
Conclusion
Trend: use of modular termination arguments
- Easier to construct
- Harder to prove valid, but techniques are available
New termination proving strategies
- Refinement-based termination proving
- Variance analysis using invariance analysis
- Size-change, etc.
Result: termination proving is not impossible after all
Next step: “Judgment day”
- Scalability, precision, concurrency, heap, commercial viability
- See research.microsoft.com/~bycook for pointers to papers
- Write to bycook@microsoft.com
Thank you for your attention