Proving Mutual Termination of single-threaded programs 6/10/2019 Proving Mutual Termination of single-threaded programs Dima Elenbogen Ofer Strichman Shmuel Katz Technion, Haifa, Israel 00:12:46

Notion of equivalence for this presentation 6/10/2019 Notion of equivalence for this presentation Goal: verification of the mutual termination of two similar programs. Mutual termination Given equal inputs, P1 terminates , P2 terminates Undecidable 00:12:46

Alternative: termination of a single program 6/10/2019 Alternative: termination of a single program New tools have recently been developed: Terminator Mutant … Still, there are two major problems: Incompleteness Complexity VSTTE 05 = Verified Software: Theories, Tools, Experiments . 00:12:46

Mutual Termination vs. Proving Termination 6/10/2019 Mutual Termination vs. Proving Termination Pros: Computationally easier to check the mutual terminations of two programs than to prove the termination of each of them. Fully automated. It does not require finding a well-founded set. Program do not necessarily terminate. Termination check has nothing to say Mutual termination can still say something useful. Cons: Defines a weaker notion. 00:12:46

Goals Develop proof rules for mutual termination 6/10/2019 Goals Develop proof rules for mutual termination Present an algorithm for checking mutual termination, that uses the proof rules, and is sensitive to the magnitude of change rather than the magnitude of the programs 00:12:46

Prerequisites Assume: A: B: 6/10/2019 Prerequisites Assume: no loops (but there are recursive functions); 1-1 mapping map between the functions of both sides: must intersect all cycles in the call graphs; the mapped functions have the same signature A: B: 2 map f1() f1’() f2() f2’() f5’() f5() f7’() f6() f3() f4() f4’() 00:12:46

Mutual termination (simple case) B Side 1 Side 2 Consider the call graphs: We want to prove that A, B are mutually terminating How shall we handle the recursion ? 00:12:46

Call-equivalence Definition: functions A,B are call-equivalent if… 6/10/2019 Call-equivalence Definition: functions A,B are call-equivalent if… For equal inputs: For callees f,g s.t. (f,g) 2 map: f is called , g is called f and g are called with the same arguments. The order and the number of calls do not matter B(x, y) { g(0,0) if (cond2) g(x,y) if (cond3) } A(x, y) { if (cond1) f(x,y) f(0, 0) 00:12:46

Preliminary inference rule (simple case) 6/10/2019 Preliminary inference rule (simple case) call-equiv(A, B) mutual-terminate(A, B) (M-TERM-REC) A(x, y) { … if (cond1) A(x1,y1) else … } B(w, z) { if (cond2) B(w1,z1) .. A Side 1 B Side 2 00:12:46

The premise is undecidable 6/10/2019 The premise is undecidable call-equiv(A, B) mutual-terminate(A, B) (M-TERM-REC) A(x, y) { … if (A(x’, y’) > …) A(x1,y1) else … } B(w, z) { if (B(w’, z’) > …) B(w1,z1) .. A Side 1 B Side 2 How can we prove the premise? 00:12:46

Uninterpreted functions 6/10/2019 Uninterpreted functions call-equiv(A, B) mutual-terminate(A, B) (M-TERM-REC) Replace the recursive calls with calls to functions that over-approximate A, B, and are terminating by construction Natural candidates: Uninterpreted Functions Abstract all functionality. We only know they are consistent: x = y → UF(x) = UF(y) 00:12:46

Replacing recursive calls (1 / 2) 6/10/2019 Replacing recursive calls (1 / 2) Let FUF , GUF be F,G, after replacing the recursive call with a call to the corresponding uninterpreted functions. F(x, y) { … if (cond1) F(x1,y1) else … } G(w, z) { if (cond2) G(w1,z1) .. F G Side 1 Side 2 00:12:46

Replacing recursive calls (2 / 2) 6/10/2019 Replacing recursive calls (2 / 2) Let FUF , GUF be F,G, after replacing the recursive call with a call to the corresponding uninterpreted functions. GUF(w, z) { … if (cond2) UF(G)(w1,z1) else … .. } FUF(x, y) { if (cond1) UF(F)(x1,y1) FUF GUF UF(G) UF(F) Side 1 Side 2 00:12:46

Proving mutual termination 6/10/2019 Proving mutual termination Let FUF , GUF be F,G, after replacing the recursive calls with calls to uninterpreted functions. We can now rewrite the rule: This premise is decidable call-equiv(FUF, GUF) mutual-terminate(F, G) (M-TERM-SIMPLE) 00:12:46

General inference rule Now we want to generalize from a single self loop to MSCCs in the call graphs: Definition: is called in A] ∀(F, G) ∈ map. call-equiv(FUF, GUF) ∀(F, G) ∈ map. mutual-terminate(F, G) (M-TERM) 00:12:46

Connected MSCCs {(g,g’),(f,f’),(h,h’)} 2 map Connected MSCCs… UF(h) h UF(h’) h’ Side 1 Side 2 Connected MSCCs… Prove bottom-up Abstract mutually terminating functions Inline 00:12:46

Decomposition algorithm 6/10/2019 Decomposition algorithm Legend: Mutually terminating pair Mutual termination undecided yet Could not prove mutual termination Syntactically equivalent pair check Unpaired function A: B: check f1() f1’() f2() f2’() U U f5() f5’() f7’() f3() f4() f4’() U f6() U check 00:12:46

Mutual recursion {(g,g’),(f,f’)} 2 map 6/10/2019 Mutual recursion UF(g) UF(g’) {(g,g’),(f,f’)} 2 map g f g’ f ’ Side 1 Side 2 Find a sub-map that intersects all cycles, e.g., {(g,g’)} Only when calling functions in this sub-map, replace with uninterpreted functions 00:12:46

Decomposition with mutual recursion 6/10/2019 Decomposition with mutual recursion Legend: Mutually terminating pair Mutual termination undecided yet Could not prove mutual termination Syntactically equivalent pair Call-equivalent; mutual termination undecided yet A: B: check f1() f1’() f2() f5() U U U U U U f2’() f5’() U U U U U U 00:12:46

The Regression Verification Tool (RVT) 6/10/2019 The Regression Verification Tool (RVT) Given two C programs: loops  recursive functions. Map functions, globals, etc. After that: Decompose to the granularity of pairs of functions Use a C verification engine (CBMC) 00:12:46

RVT Version A Version B C program feedback CBMC Merge 6/10/2019 RVT Version A Version B Merge Rename identical globals Map functions/globals Decompose static analyses call-equivalence counterexample RVT C program feedback enforce equality of inputs replace with UFs assert call-equivalence CBMC 00:12:46

Improvements of completeness (1 / 2) 6/10/2019 Improvements of completeness (1 / 2) Partial equivalence Terminating executions of P1 and P2 on equal inputs result in equal outputs. Taking advantage of the partial equivalence of functions: If we know that (f, g) ∈ map are partially equivalent, then UF(f) = UF(g) We welcome additional ideas how to refine our UFs. 00:12:46

Improvements of completeness (2 / 2) Ignoring input arguments that do not affect the call-equivalence of a function: This improves mapping, as some mapped function pairs may have different prototypes. 00:12:46

Checking the termination of functions Suppose we know that function A terminates. Can it help us to prove the termination of A’? Define call-contain(A, A’) as: For equal inputs : For each pair (f, f’) 2 map: f ‘ is called in A’ with argument x  f is called in A with argument x ∀(F, F’) ∈ map. (term(F) ∧ call-contain(FUF ,F’UF)) ∀(F, F’) ∈ map. term(F’) (TERM) 00:12:46

Value of Mutual Termination Full equivalence P1 and P2 are partially equivalent and mutually terminate. Introduced in: Luckham, Park, and M. Paterson 1970 [On formalized computer programs] Pratt 1971 [Kernel equivalence of programs and proving kernel equivalence and correctness by test cases] Regression verification of full equivalence is an important problem. Proving mutual termination is a crucial sub-task. 00:12:46

Questions?.. 00:12:46

Using (M-TERM-SIMPLE): example (1/2) 6/10/2019 Using (M-TERM-SIMPLE): example (1/2) unsigned gcd1UF (unsigned a, unsigned b) { unsigned g; if (b == 0) g = a; else { a = a % b; g = gcd1(b, a); } return g; unsigned gcd2UF (unsigned x, unsigned y) { unsigned z; z = x; if (y > 0) z = gcd2(y, z % y); } return z; a, b) x, y) ? = term UF2 UF1 00:12:46

Using (M-TERM-SIMPLE): example (2/2) 6/10/2019 Using (M-TERM-SIMPLE): example (2/2) Proving call-equiv(gcd1UF, gcd2UF) Equal inputs Equal guards if called then equal arguments Valid. gcd1,gcd2 are mutually terminating. 00:12:46