Termination Proofs from Tests


Termination Proofs from Tests. Aditya Nori (MSR India) and Rahul Sharma (Stanford University).

Goal
Prove termination of a program. A program terminates if all of its loops terminate. This is a hard problem, undecidable in general, so we need to exploit all available information.

Tests
Previous termination techniques are static. Tests are a neglected source of information: they have been used before for safety properties, empirical complexity, and so on, but not for termination. This work uses tests for termination proofs.

Example: GCD

    gcd(int x, int y)
      assume(x > 0 && y > 0);
      while (x != y) do
        if (y > x) y := y - x;
        if (x > y) x := x - y;
      od
      return x;

Note that the two ifs are independent (no else), so both may fire in one iteration. Sample test inputs: x=1, y=1; x=2, y=1; ...

Infer-and-Validate Approach (workflow figure)
Tests are run on the instrumented program (the loop with print statements added for x and y). The printed data goes to a machine-learning (ML) step that infers a candidate bound; the bound is inserted into the program as an assertion and handed to a checker. If the check fails, the counterexample is added to the tests and the cycle repeats. The figure labels the edges with sample values such as (1,1), (2,1) for tests and x=1, y=3 for recorded data.


Instrument the Program

    gcd(int x, int y)
      assume(x > 0 && y > 0);
      a := x; b := y; c := 0;
      while (x != y) do
        c := c + 1;
        if (y > x) y := y - x;
        if (x > y) x := x - y;
      od
      print(a, b, c);

New variables a and b capture the initial values of the inputs; c is a loop counter; at exit the program prints the values of the input variables and the counter.


Generating Data
For $i \in \mathbb{N}$, on inputs $A_i$ the loop iterates $C_i$ times. Running the instrumented gcd from the previous slide on the tests (1,1), (2,1), (1,3) gives

$$A \equiv \begin{bmatrix} 1 & a & b \\ 1 & 1 & 1 \\ 1 & 2 & 1 \\ 1 & 1 & 3 \end{bmatrix}, \qquad C \equiv \begin{bmatrix} c \\ 0 \\ 1 \\ 2 \end{bmatrix}$$

where the first row only labels the columns (a constant 1, then a and b). Infer a bound on c using $A$ and $C$.


Regression
Predict the number of iterations (the final value of c) as a linear expression in a and b: find $w_1, w_2, w_3$ with $w_1 + w_2 a_i + w_3 b_i \approx c_i$, i.e.

$$\min_{w} \sum_{i=1}^{n} \left(w_1 + w_2 a_i + w_3 b_i - c_i\right)^2 .$$

But we want an upper bound, $w_1 + w_2 a + w_3 b \ge c$, so add $w_1 + w_2 a_i + w_3 b_i \ge c_i$ for every test as a constraint. The resulting problem is solvable by quadratic programming.

Quadratic Program (QP)
The quadratic program is

$$\min_{w} \; \tfrac{1}{2} w^T A^T A w - w^T A^T C \quad \text{s.t.} \quad A w \ge C ,$$

whose objective equals $\tfrac{1}{2}\|Aw - C\|^2$ up to a constant. Solved in MATLAB by quadprog(A'*A, -A'*C, -A, -C); quadprog takes inequality constraints in the form $Mx \le b$, hence the negated $A$ and $C$. For the gcd example, $w = [-2, 1, 1]$, i.e. the bound $c \le a + b - 2$.

Naïve Regression

Quadratic Program


Verification Burden
Bound: $c \le a + b - 2$, inserted into the loop as an assertion:

    assume(x > 0 && y > 0);
    a := x; b := y; c := 0;
    while (x != y) do
      c := c + 1;
      if (y > x) y := y - x;
      if (x > y) x := x - y;
      assert(c <= a + b - 2);
    od

This assertion is difficult for a checker to validate as it stands (the checker needs a loop invariant relating c to the current x and y), so infer invariants from tests as well.

Regression for Invariant

    assume(x > 0 && y > 0);
    a := x; b := y; c := 0;
    while (x != y) do
      print(c, a, b, x, y);
      c := c + 1;
      if (y > x) y := y - x;
      if (x > y) x := x - y;
      assert(c <= a + b - 2);
    od

Predict a bound on c at every loop iteration. The same tests now give more data (one row per iteration). Solve the same QP, where $A$ has five columns $[1, a, b, x, y]$ and $C$ holds the value of c at every iteration.

Free Invariant
The regression yields $c \le a + b - x - y$. Add it to the program as a free invariant:

    assume(x > 0 && y > 0);
    a := x; b := y; c := 0;
    free_inv(c <= a + b - x - y);
    while (x != y) do
      c := c + 1;
      if (y > x) y := y - x;
      if (x > y) x := x - y;
      assert(c <= a + b - 2);
    od

The checker uses the free invariant if it can prove it, and discards it otherwise.

Validate
Give the program to an assertion checker. The inductive invariant for the gcd example is

$$c \le a + b - x - y \;\wedge\; x > 0 \;\wedge\; y > 0 .$$

It is inductive because every iteration increments c by one and decreases x + y by at least one, and it implies the assertion because x > 0 and y > 0 give x + y >= 2, hence c <= a + b - 2. If the check fails, the checker returns a counterexample, which becomes a new test.
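The regression-plus-QP fit of the earlier slides and the infer-and-validate loop of this one, as an added Python example that is not part of the talk or of the authors' tool. Two stand-ins are assumed: instead of MATLAB quadprog, the same QP is solved exactly by enumerating KKT active sets over rationals (correct for a strictly convex QP with a handful of rows, not a general solver); instead of an assertion checker, exhaustive testing over a small box of inputs is used, which can only refute a bound and proves nothing. The instrumented gcd and the first three tests are the talk's; the all-even seed tests are constructed here to show an unsound bound being repaired by counterexamples.

```python
from fractions import Fraction
from itertools import combinations


def gcd_instrumented(x, y):
    """The talk's instrumented gcd (both ifs run each iteration, no else).
    Returns (a, b, c): the initial inputs and the number of loop iterations."""
    assert x > 0 and y > 0
    a, b, c = x, y, 0
    while x != y:
        c += 1
        if y > x:
            y = y - x
        if x > y:
            x = x - y
    return a, b, c


def collect(tests):
    """Run the tests; build the data matrix A (rows [1, a, b]) and vector C."""
    A, C = [], []
    for x, y in tests:
        a, b, c = gcd_instrumented(x, y)
        A.append([1, a, b])
        C.append(c)
    return A, C


def solve_linear(M, rhs):
    """Gauss-Jordan elimination over exact rationals; None if M is singular."""
    n = len(M)
    aug = [[Fraction(v) for v in row] + [Fraction(r)] for row, r in zip(M, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col] / aug[col][col]
                aug[r] = [u - f * v for u, v in zip(aug[r], aug[col])]
    return [aug[i][n] / aug[i][i] for i in range(n)]


def fit_bound(A, C):
    """Solve min 1/2 w'A'Aw - w'A'C  s.t.  Aw >= C (the talk's QP) exactly.
    Stand-in for quadprog: for each candidate active set S (constraints held
    with equality) solve the KKT system [[A'A, -A_S'], [A_S, 0]] [w; lam] =
    [A'C; C_S] and return the first w with Aw >= C and lam >= 0. With A of
    full column rank the QP is strictly convex, so that w is the unique
    optimum. Only practical for a few dozen rows."""
    m, k = len(A), len(A[0])
    H = [[sum(A[r][i] * A[r][j] for r in range(m)) for j in range(k)] for i in range(k)]
    g = [sum(A[r][i] * C[r] for r in range(m)) for i in range(k)]
    for size in range(k + 1):  # more than k active rows are never independent
        for S in combinations(range(m), size):
            M = [H[i] + [-A[s][i] for s in S] for i in range(k)]
            M += [[A[s][j] for j in range(k)] + [0] * size for s in S]
            sol = solve_linear(M, g + [C[s] for s in S])
            if sol is None:
                continue  # dependent rows in S; some other S certifies the optimum
            w, lam = sol[:k], sol[k:]
            primal = all(sum(wi * ai for wi, ai in zip(w, row)) >= c
                         for row, c in zip(A, C))
            if primal and all(l >= 0 for l in lam):
                return w
    raise ValueError("no KKT point found; is A rank deficient?")


def find_counterexample(w, n):
    """Stand-in for the assertion checker: test the bound w0 + w1*a + w2*b >= c
    on every input in 1..n. Finds violations only; it proves nothing."""
    for a in range(1, n + 1):
        for b in range(1, n + 1):
            _, _, c = gcd_instrumented(a, b)
            if w[0] + w[1] * a + w[2] * b < c:
                return (a, b)
    return None


def infer_and_validate(tests, n):
    """The talk's loop: fit a bound from tests, validate it, and feed each
    counterexample back as a new test until validation succeeds.
    Returns the final w and the counterexamples that were added."""
    tests, cexs = list(tests), []
    while True:
        w = fit_bound(*collect(tests))
        cex = find_counterexample(w, n)
        if cex is None:
            return w, cexs
        cexs.append(cex)
        tests.append(cex)


if __name__ == "__main__":
    # The talk's three tests reproduce its answer w = [-2, 1, 1]: c <= a + b - 2.
    print(fit_bound(*collect([(1, 1), (2, 1), (1, 3)])))
    # Constructed all-even seeds first give c <= a/2 + b/2 - 2, which (1, 1)
    # refutes; the loop keeps adding counterexamples until the box passes.
    w, cexs = infer_and_validate([(2, 2), (4, 2), (2, 4)], 6)
    print([str(v) for v in w], cexs)
```

fit_bound is generic in the number of columns, so the same routine applies to the five-column matrix of the invariant slide and to the degree-2 monomial features of the non-linear slide; only the row construction in collect changes.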

Non-linear Example

    u := x; v := y; w := z;
    while (x >= y) do
      if (z > 0) then z := z - 1; x := x + z;
      else y := y + 1;
    od

Given degree 2, the feature matrix is $A \equiv [1, u, v, w, uv, vw, wu, u^2, v^2, w^2]$. Bound: $c \le 1.9 + u - v + 0.95\,w + 0.24\,w^2$. After rounding: $c \le 2 + u - v + w + w^2$.

Assertion Checker
Requirements from the assertion checker: handle non-linear arithmetic, consume free invariants, and produce tests as counterexamples.
Micro-benchmarks: use SGHAN'13, which handles non-linear arithmetic but produces no counterexamples.
Windows device drivers: use Yogi (FSE'06), which cannot handle non-linear arithmetic but produces counterexamples.

Micro-benchmarks

Experiments with WDK

Related Work
Regression: Goldsmith et al. '07, Huang et al. '10, ...
Mining specifications from tests: Dallmeier et al. '12, ...
Termination: Cousot '05, ResAna, Lee et al. '12, ...
Bounds analysis: SPEED, WCET, Gulavani et al. '08, ...
Invariant inference: Daikon, InvGen, Nguyen et al. '12, ...

Conclusion
Use tests for termination proofs: infer bounds and invariants using QP, then use off-the-shelf assertion checkers to validate them. Future work: disjunctions, non-termination.

Disjunctions Example

    a := i; b := j;
    while (i < M || j < N)
      i := i + 1; j := j + 1;

The iteration count is max(M - a, N - b, 0), which no single linear expression captures, so partition the input space using predicates:
$a < M \wedge b \ge N \Rightarrow c \le M - a$
$a \ge M \wedge b < N \Rightarrow c \le N - b$
$a < M \wedge b < N \Rightarrow c \le M + N - a - b$
This is control-flow refinement (Sharma et al. '11).