Tutorial: Proving termination and liveness
Byron Cook Microsoft Research and Queen Mary, Univ. of London
Introduction
Outline
Basics
Refinement-based termination proving
Variance analysis
Recent and future work
Conclusion
Well-founded relations
Termination proof rules
Example transition relation from the slides, written as straight-line code with assume statements (the trailing assume re-establishes the loop guard for the next iteration):
assume(y>=1); x := x - y; assume(x>=1);
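The proof rule the slides build on (Podelski and Rybalchenko's disjunctive well-foundedness: R is well-founded if its transitive closure R+ is included in a finite union T1 ∪ ... ∪ Tn of well-founded relations) can be checked by hand on a small state space. The following is an added example, not code from the tutorial: it bounds the integers to 0..N, builds the transition relation of the slide's loop and of a constructed two-phase loop, computes R+ explicitly, and checks the inclusion against ranking relations of the form rank(s) >= 0 and rank(s') < rank(s). The bound N, the two-phase loop and its non-terminating variant are assumptions of this example.

```python
from itertools import product

# Bounded state space (an assumption of this example; the rule itself is over
# unbounded integers): pairs (x, y) with 0 <= x, y <= N.
N = 6
STATES = [(x, y) for x, y in product(range(N + 1), repeat=2)]


def transitive_closure(rel):
    """R+ (the non-reflexive transitive closure) of a finite relation of pairs."""
    succ = {}
    for s, t in rel:
        succ.setdefault(s, set()).add(t)
    closure = set(rel)
    frontier = set(rel)
    while frontier:
        new = set()
        for s, t in frontier:
            for u in succ.get(t, ()):
                if (s, u) not in closure:
                    new.add((s, u))
        closure |= new
        frontier = new
    return closure


def ranking_relation(rank):
    """T = {(s, s') : rank(s) >= 0 and rank(s') < rank(s)}.  An integer rank that
    is bounded below and strictly decreases cannot do so forever, so T is
    well-founded whatever the program does."""
    return {(s, t) for s in STATES for t in STATES
            if rank(s) >= 0 and rank(t) < rank(s)}


def check_argument(rel, ranks):
    """Disjunctive well-foundedness rule: R is well-founded if R+ is included in
    T1 | ... | Tn with every Ti well-founded.  Returns None when the inclusion
    holds, else the smallest pair of R+ that no Ti covers."""
    union = set().union(*(ranking_relation(r) for r in ranks))
    uncovered = transitive_closure(rel) - union
    return min(uncovered) if uncovered else None


def loop_subtract():
    """The slide's relation: assume(y>=1); x := x - y; assume(x>=1)."""
    return {((x, y), (x - y, y)) for x, y in STATES if y >= 1 and x - y >= 1}


def loop_two_phase(reset_y_in_else=False):
    """Constructed loop:
    while (x > 0 && y > 0) { if (*) { x = x - 1; y = *; } else { y = y - 1; } }
    With reset_y_in_else the else branch becomes { y = *; }, and the loop can
    then run forever."""
    rel = set()
    for x, y in STATES:
        if x > 0 and y > 0:
            rel |= {((x, y), (x - 1, y2)) for y2 in range(N + 1)}
            if reset_y_in_else:
                rel |= {((x, y), (x, y2)) for y2 in range(N + 1)}
            else:
                rel.add(((x, y), (x, y - 1)))
    return rel


def rank_x(s):
    return s[0]


def rank_y(s):
    return s[1]


if __name__ == "__main__":
    # One linear rank function is enough for the slide's loop ...
    print(check_argument(loop_subtract(), [rank_x]))               # None
    # ... but x alone does not rank the two-phase loop: the witness is a pair
    # of R+ along which x stays put while y drops.
    print(check_argument(loop_two_phase(), [rank_x]))              # ((1, 1), (1, 0))
    # The disjunction "x' < x or y' < y" covers R+; no lexicographic rank needed.
    print(check_argument(loop_two_phase(), [rank_x, rank_y]))      # None
    # For the non-terminating variant the uncovered pair is reflexive: (s, s)
    # in R+ is a genuine cycle, i.e. a non-terminating execution.
    print(check_argument(loop_two_phase(True), [rank_x, rank_y]))  # ((1, 1), (1, 1))
```

The point of the two-phase loop is the one the tutorial makes about this rule: neither x nor y is a ranking function on its own, yet two linear ranks suffice once they are combined as a disjunction over R+ rather than a single function over R. A reflexive uncovered pair is a real cycle; any other uncovered pair only says that the argument is too weak.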
Refinement
Strategy:
Start with an empty termination argument
Iteratively weaken and re-check the termination argument
Weaken using linear rank function synthesis
Advantages:
Can use existing safety property checking technology to check argument validity
Finds complex termination arguments with only linear rank functions
Leads to counterexamples
Accurate
Disadvantages:
Very slow
May not terminate (in several ways)
Refinement
The loop to be proved terminating:
    while (x < y) {
        x = f(x, y);
        g(&y, x);
    }
The same loop instrumented so that a safety checker can validate the termination argument T1 || T2 || T3: at a nondeterministically chosen iteration the state is copied (H[x], H[y]), and every later iteration asserts that the current state is related to the copy by one of the disjuncts:
    copied = 0;
    while (x < y) {
        if (!copied) {
            if (*) { H[x] = x; H[y] = y; copied = 1; }
        } else {
            assert(T1 || T2 || T3);
        }
        x = f(x, y);
        g(&y, x);
    }
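The instrumentation above, together with the refinement strategy (start from the empty argument, find a counterexample, weaken, re-check), as an added runnable example that is not the tutorial's or Terminator's code. The loop body standing in for f and g, the test inputs, and the rank-function "synthesis" are constructed for illustration: a real implementation solves for the coefficients of a linear rank function from the counterexample path, whereas here the coefficients are simply the signs of the differences across the counterexample pair, which is only a heuristic. Snapshots and the assertion are checked by executing the instrumented loop for every resolution of the `if (*)` choice instead of by a symbolic safety checker.

```python
def body(x, y):
    """Constructed stand-in for the slide's `x = f(x, y); g(&y, x)`: x climbs
    to 0, then y drops, so every run of while (x < y) ends."""
    if x < 0:
        return x + 1, y
    return x, y - 1


def rank_value(coeffs, s):
    """Linear rank function cx*x + cy*y, given as its coefficient vector."""
    return coeffs[0] * s[0] + coeffs[1] * s[1]


def in_argument(argument, snapshot, state):
    """T1 || T2 || ...: some rank is >= 0 at the snapshot and smaller now."""
    return any(rank_value(c, snapshot) >= 0
               and rank_value(c, state) < rank_value(c, snapshot)
               for c in argument)


def run_instrumented(x, y, argument, snapshot_visit, max_iters=1000):
    """The instrumented loop for one input, with the nondeterministic `if (*)`
    resolved to take the snapshot at loop-head visit `snapshot_visit`.
    Returns (took_snapshot, failure), where failure is the (snapshot, state)
    pair on which assert(T1 || T2 || T3) failed, or None."""
    copied = 0
    snapshot = None                       # H[x], H[y] on the slide
    visit = 0
    while x < y:
        if not copied:
            if visit == snapshot_visit:   # the `if (*)` choice
                snapshot = (x, y)
                copied = 1
        elif not in_argument(argument, snapshot, (x, y)):
            return True, (snapshot, (x, y))
        x, y = body(x, y)
        visit += 1
        if visit > max_iters:
            raise RuntimeError("iteration bound exceeded")
    return copied == 1, None


def find_counterexample(argument, inputs):
    """Check the argument as a safety property: every input, every snapshot choice."""
    for x, y in inputs:
        visit = 0
        while True:
            took, failure = run_instrumented(x, y, argument, visit)
            if not took:
                break                     # no visit left to snapshot at
            if failure:
                return failure
            visit += 1
    return None


def synthesize_rank(snapshot, state):
    """Heuristic stand-in for linear rank function synthesis: coefficients
    sign(snapshot - state), so the rank strictly decreases across the pair."""
    return tuple((a > b) - (a < b) for a, b in zip(snapshot, state))


def refine(inputs, max_rounds=10):
    """Empty argument first; on each counterexample add one rank function and
    re-check.  Returns the argument, or None when the round bound is hit (the
    refinement loop is not guaranteed to terminate)."""
    argument = []
    for _ in range(max_rounds):
        cex = find_counterexample(argument, inputs)
        if cex is None:
            return argument
        argument.append(synthesize_rank(*cex))
    return None


INPUTS = [(-2, 3), (1, 4)]                # constructed test inputs

if __name__ == "__main__":
    print(find_counterexample([], INPUTS))   # ((-2, 3), (-1, 3)): empty argument fails at once
    print(refine(INPUTS))                    # [(-1, 0), (0, 1)]: the ranks -x and y
```

Two rounds are needed here: the first counterexample (snapshot (-2, 3), later state (-1, 3)) yields the rank -x, which covers the phase in which x climbs; the second (snapshot (0, 3), later state (0, 2)) yields the rank y. Because every T_i added has the form rank(snapshot) >= 0 and rank(state) < rank(snapshot), each is well-founded by construction, so a run with no assertion failure is a valid proof regardless of how the ranks were guessed; a poor guess only costs extra rounds or non-termination of the refinement itself.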
Examples
The bad news
More bad news
Variance analysis
Strategy:
Use abstract interpretation techniques to compute a (disjunctive) over-approximation
Check that the parts of the disjunction are well founded
Advantages:
Can use existing abstract interpretation tools to compute the over-approximation
Always terminates
Fast
Disadvantages:
No counterexamples
Less accurate than the refinement-based approach
Abstract domains (currently) not built for our application
Widening can be too aggressive
Redundant information kept
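The strategy above on a deliberately tiny abstract domain, as an added example that is not the tutorial's code or any published tool's. It follows the "variance analysis from invariance analysis" idea: at loop entry every variable is seeded with a copy (x0 = x), an ordinary invariance analysis tracks, per disjunct, the sign of x - x0 for each variable, and the resulting set of sign tuples is a disjunctive over-approximation of R+ that is then checked disjunct by disjunct. The sign domain, the statement syntax (dec, inc, havoc) and the three constructed loops are assumptions of this example.

```python
# Sign of the difference between a variable and its seeded copy at loop entry.
# "T" (top) means unknown.  Transfer functions over this domain for the three
# statement kinds used below:
def dec(s):       # sign of d - 1 from the sign of d
    return {"<": "<", "=": "<", ">": "T", "T": "T"}[s]


def inc(s):       # sign of d + 1 from the sign of d
    return {"<": "T", "=": ">", ">": ">", "T": "T"}[s]


def havoc(s):     # the variable is assigned an arbitrary value
    return "T"


TRANSFER = {"dec": dec, "inc": inc, "havoc": havoc}


def variance_analysis(branches, nvars):
    """Invariance analysis on the seeded loop: start from x == x0 ("=" for every
    variable), push each abstract state through every branch of the body, and
    iterate to a fixpoint.  The result, a set of sign tuples, over-approximates
    R+ (pairs of loop-head states one or more iterations apart).  The domain is
    finite, so no widening is needed and the analysis always terminates."""
    def step(state):
        out = set()
        for branch in branches:
            cur = list(state)
            for var, op in branch:
                cur[var] = TRANSFER[op](cur[var])
            out.add(tuple(cur))
        return out

    reached = step(("=",) * nvars)        # at least one iteration of the body
    frontier = set(reached)
    while frontier:
        new = set()
        for st in frontier:
            new |= step(st) - reached
        reached |= new
        frontier = new
    return reached


def well_founded(disjunct, bounded_below):
    """A disjunct is well-founded if some variable that the loop guard bounds
    below is strictly smaller than its seeded copy in every pair it contains."""
    return any(disjunct[v] == "<" for v in bounded_below)


def prove_termination(branches, nvars, bounded_below):
    """Returns (proved, unproven_disjuncts).  A failed proof comes with no
    counterexample: an unproven disjunct may be a real divergence or only
    imprecision of the abstract domain."""
    disjuncts = variance_analysis(branches, nvars)
    bad = sorted(d for d in disjuncts if not well_founded(d, bounded_below))
    return (not bad, bad)


# Constructed loops, each given as the branches of its body: (variable, statement).
# while (x > 0 && y > 0) { if (*) { x = x - 1; y = *; } else { y = y - 1; } }
TWO_PHASE = [[(0, "dec"), (1, "havoc")], [(1, "dec")]]
# while (x > 0) { if (*) x = x - 1; else x = x + 1; }   -- does not terminate
UP_OR_DOWN = [[(0, "dec")], [(0, "inc")]]
# while (x > 0) { x = x - 1; x = x + 1; x = x - 1; }    -- terminates, but the
# sign domain loses the information when it passes through the increment
IMPRECISE = [[(0, "dec"), (0, "inc"), (0, "dec")]]

if __name__ == "__main__":
    print(prove_termination(TWO_PHASE, 2, bounded_below=[0, 1]))  # (True, [])
    print(prove_termination(UP_OR_DOWN, 1, bounded_below=[0]))    # (False, [('>',), ('T',)])
    print(prove_termination(IMPRECISE, 1, bounded_below=[0]))     # (False, [('T',)])
```

For the two-phase loop the analysis finds exactly the two disjuncts x' < x and (x' = x, y' < y), both well-founded, without any rank function synthesis. The last two loops show the disadvantage the slide lists: the non-terminating loop and the terminating but badly abstracted one get the same verdict and no witness that would tell them apart.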
Recent and future work
Concurrency
  Proving thread-termination [PLDI'08]
  Proving that non-blocking algorithms don't block [POPL'09]
Recursion
  Proving termination of recursive programs [Submitted]
Synthesizing pre-conditions to termination
  Proving conditional termination [CAV'08]
Termination for non-linear programs
  Proving termination by divergence [SEFM'07]
Proving that non-blocking algorithms don't block
Motivation
Automatic termination/liveness proving is now a reality
Advanced termination/liveness tools now support concurrency, pointers, heap, recursion, omega-regular properties, counterexample generation, etc.
Tools:
  Terminator (currently being transferred into the Windows SDV product)
  ARMC (Andrey's publicly available version)
  Polyrank (from Bradley, Manna, Sipma)
  T2 (in development for my book and CMU course)
163
Synthesizing pre-conditions to termination
Recent and future work Concurrency Proving thread-termination [PLDI’08] Proving that non-blocking algorithms don’t block [POPL’09] Recursion Proving termination of recursive programs [Submitted] Synthesizing pre-conditions to termination Proving conditional termination [CAV’08] Termination for non-linear programs Proving termination by divergence [SEFM’07]
164
Synthesizing pre-conditions to termination
Recent and future work Concurrency Proving thread-termination [PLDI’08] Proving that non-blocking algorithms don’t block [POPL’09] Recursion Proving termination of recursive programs [Submitted] Synthesizing pre-conditions to termination Proving conditional termination [CAV’08] Termination for non-linear programs Proving termination by divergence [SEFM’07]
165
Recent and future work
Proving termination inductively
  Podelski & Rybalchenko [LICS'04]
  Ranking abstractions [ESOP'08]
Liveness properties (fair termination)
  Proving that software eventually does something good [POPL'07b]
Better support for heap-manipulating programs
  Automatic termination proofs for programs with shape-shifting heaps [CAV'06]
Induction
Recent and future work
Separation logic based shape analysis for systems code:
  Scalable shape analysis for systems code [CAV'08]
Support for concurrency:
  Thread-modular shape analysis [PLDI'07b]
  Local reasoning for storable locks and threads [APLAS'07]
Shape analysis for complex data structures:
  Shape analysis for composite data structures [CAV'07]
Producing arithmetic abstractions of programs with heap:
  Arithmetic strengthening for shape analysis [SAS'07]
  Automatic termination proofs for programs with shape-shifting heaps [CAV'06]
Variance analysis, and inductive techniques
  Variance analyses from invariance analyses [POPL'07a]
  Ranking abstractions [ESOP'08]
Liveness properties (fair termination)
  Proving that software eventually does something good [POPL'07b]
  Program fragment shown on the slide:
      acquire(); while(……) { …… } release();
Better support for heap-manipulating programs
  Automatic termination proofs for programs with shape-shifting heaps [CAV'06]
Experimental results
Recent and future work
Current frontiers:
  Bitvectors + unbounded numbers
  Scalability
  Precision
  Finding inductive termination arguments
  Non-linear systems
  Counterexamples/non-termination
  Concurrency
  Programs with data structures
  Finding better pre-conditions
  Programs with higher-order functions
  Collatz program (a.k.a. the 3n+1 problem)
Conclusion
Trend: use of modular termination arguments
  Easier to construct
  Harder to prove valid, but techniques are available
New termination proving strategies
  Refinement-based termination proving
  Variance analysis using invariance analysis
  Size-change, etc.
Result: termination proving is not impossible after all
Next step: "Judgment day": scalability, precision, concurrency, heap, commercial viability
See research.microsoft.com/~bycook for pointers to papers
Write to
Thank you for your attention