Proving termination conditions Name Country, City, University Omer Subasi Turkey, Istanbul, Koc University Anton Dergunov Russia, Nizhny Novgorod, UNN Krasnoshtan Dmytro Ukraine, Kiev, KPI Georgiy Savchenko Russia, Krasnoyarsk, Siberian federal university Pavel Ajtkulov Russian, Izhevsk, Udmurt State University Mentor: Dr. Ben Livshits & Dr. Stephan Tobies

The Project The aim: – Investigate state of the art approaches for termination proof; – Prove termination of sample algorithms. We focused on the following cases: – Nested loops; – Recursion; – Linked list data structures. 2

Termination A program is terminating if all its executions of all its executions are finite. A program is non-terminating it there exits at least one infinite execution. 3

Motivation Functional correctness + termination proof = Total correctness The halting problem: termination is undecidable (Alan Turing). Does not mean we can’t not prove termination in every case. We can prove termination via introducing termination metrics (ranking functions). 4

Termination proof in Dafny Dafny is a programming language and verifier that enables to prove terminations of algorithms. Dafny provides annotations to specify termination metrics Many verifiers do not support termination proofs us/projects/dafny/ 5

Dafny Approach-Formalism Let U be a non-empty set of disjoint union of algebraic datatypes, tuples and variables. Algebraic datatypes: sets, sequences, lists. Let S be set of states of program. Let (Y,>=) be a well-ordered set. For instance, ℕ is a well-ordered set. 6

Formalism Cont. Define metric φ:UxS  Y such that – For ∀ transition (s,s’), φ(u,s)> φ(u,s’) – For ∀ state s, ∀ u in U, φ(u,s)>=0 – ∃ δ>0 such that for ∀ transition (s,s’) and ∀ u in U, φ(u,s)> φ(u,s’)+δ Usually this mapping is called progress measure or ranking function 7

Node #1 ReachableNodes: {1, 2, 3, 4, 5} Node #3 ReachableNodes: {3} Node #2 ReachableNodes: {2, 4, 5} Node #4 ReachableNodes: {4} Node #5 ReachableNodes: {5} method Find(x: int): returns (found:bool) decreases ReachableNodes; { if (x == data) {found := true;} else if (left != null && x < data) {found := left.Find(x);} else if (right != null && x > data) {found := right.Find(x);} else {found := false;} }

Other Approaches Compose termination arguments since constructing a ranking function can be difficult Decompose the termination check into easier ones Terminator us/um/cambridge/projects/terminator/ development of automatic methods for proving program termination and general liveness propertieshttp://research.microsoft.com/en- us/um/cambridge/projects/terminator/ 9

Our Contribution Proved termination of several Dafny programs: – QuickSort – MergeSort – Insertion sort – Insertion and search for binary search tree We have investigated state of art for termination proof. Idea: reusing termination metric to prove computational complexity of algorithms. 10

What we have learned More in-depth understanding of formal verification. Got information about proving termination properties. Got additional insights how complexity analysis can be implemented by reusing termination metric. What remains to be done 11

Thank you! Questions? 12

Possible tools partial correctness + termination = total correctness partial correctness + time > total correctness VCC provides only partial correctness Other tools: -Code contracts -Dafny -f* -spec# 13

Why dafny It is imperative, sequential, supports generic classes and dynamic allocation, and builds in specification constructs. Also -Updatable ghost variables -Recursive functions -Proof of total correctness -Types like algebraic datatypes (sets, sequences) 14

Principles of termination by Byron Cook A program is terminating if all its executions are finite. A program is non-terminating it there exits at least one infinite execution. When trying to prove termination, one tries to prove program’s transition relation is well-founded. Turing’s suggestion for proving well-foundedness: Find a map form (R,S) to a well-ordered set and then prove this map is a homomorphism. These maps are typically ranking functions. Constructing a ranking function can be difficult: Compose termination arguments. Another idea: Decompose the termination check into easier ones. 15

Notation {P}C{Q} : partial correctness [P]C[Q] : total correctness Problems with: -While loop ( for is alias in C-like languages) -Recursion -Function invocation 16

Total Correctness Specification A total correctness specification [P]C[Q] true if -Whenever C is executed in a state satisfying P, then the execution of C terminates -After C terminates Q holds With the exception of the WHILE, FOR loops, recursion and function invocation, all the axioms and rules described so far are sound for total correctness as well as partial correctness 17

Rules for Non-Looping Command Replace { and } by [ and ], respectively, in: - Assignment axiom - Consequence rules - Conditional rules - Sequencing rule - Block rule 18

Total Correctness Assignment Axiom - Assignment axiom for total correctness: Ⱶ [P [E/V ]] V := E [P ] -Note that the assignment axiom for total correctness states that assignment commands always terminate -So all function applications in expressions must terminate -This might not be the case if functions could be defined recursively EXAMPLE: X := fact(-1), where fact(n) = if n = 0 then 1 else n * fact(n - 1) 19

WHILE Rule for Total Correctnes -WHILE commands are the only commands that can cause non-termination -The idea behind the WHILE rule for total correctness is: 1) to prove WHILE S DO C terminates 2) show that some non-negative quantity decreases on each iteration of C 3) this decreasing quantity is called a variant 20

WHILE Rule for Total Correctness 21

Derived rules Multiple step rules for total correctness can be derived in the same way as for partial correctness -The rules are the same up to the brackets used -Same derivations with total correctness rules replacing partial correctness ones 22

Example 3: ghost data class ListNode { var data: int; var next: ListNode; ghost var reachableNodes: set ; //... function sum(): int reads *; decreases reachableNodes; { if next == null then data else data + next.Sum() } 23

Example 1: no termination proof is required method processArray(numbers: array ) requires numbers != null; { var i := 0; var sum := 0; while (i < numbers.Length) { sum := sum + numbers[i]; i := i + 1; } 24

Dafny programs that we have proved Termination of: QuickSort MergeSort Insertion and search for binary search tree TODO: outline the most interesting aspects of these programs 25