Tutorial: Proving termination and liveness


1 Tutorial: Proving termination and liveness
Byron Cook Microsoft Research and Queen Mary, Univ. of London

2 Introduction

10 Outline
- Basics
- Refinement-based termination proving
- Variance analysis
- Recent and future work
- Conclusion

12 Well-founded relations

22 Termination proof rules

40 Termination proof rule
assume(y>=1); x := x - y; assume(x>=1);

47 Outline
- Basics
- Refinement-based termination proving
- Variance analysis
- Recent and future work
- Conclusion

50 Refinement
Strategy:
- Start with empty termination argument
- Iteratively weaken and re-check termination argument
- Weaken using linear rank function synthesis
Advantages:
- Can use existing safety property checking technology to check argument validity
- Finds complex termination arguments with only linear rank functions
- Leads to counterexamples
- Accurate
Disadvantages:
- Very slow
- May not terminate (in several ways)

51 Refinement

74 Refinement
Original loop:
  x = f(x,y);
  while(x<y) {
    g(&y,x);
  }
Instrumented loop checked by the safety checker:
  copied = 0;
  x = f(x,y);
  while(x<y) {
    if (!copied) {
      if (*) { H[x] = x; H[y] = y; copied = 1; }
    } else {
      assert(T1 || T2 || T3);
    }
    g(&y,x);
  }
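As an added worked example (not code from the tutorial, Terminator or any other tool named on the slides), the refinement strategy of slide 50 and the instrumented check of slide 74 in miniature. It assumes two labelled stand-ins: bounded exploration of a constructed set of initial states in place of a symbolic safety checker, and brute-force enumeration of small-coefficient linear functions in place of a real rank function synthesizer. The loop functions, the initial-state sets and the two extra loops beside the slide's `x := x - y` loop are constructed for illustration.

```python
"""Miniature of refinement-based termination proving (Terminator-style).

Added example, not code from the tutorial.  The real approach runs a safety
checker on the instrumented program (copy the state once, then assert that
every later state is related to the copy by T1 || T2 || ...) and synthesizes
linear rank functions from counterexample paths.  Two labelled
simplifications stand in here:
  * the safety check walks bounded traces from a constructed set of initial
    states (unsound: a non-terminating run outside that set is never seen);
  * rank-function synthesis enumerates small-coefficient linear functions.
"""
from itertools import product


def page_loop(state):
    """while (x >= 1) { x := x - y; }  -- one iteration, or None on exit.
    Mirrors the slide's path assume(y>=1); x := x - y; assume(x>=1)."""
    x, y = state
    return (x - y, y) if x >= 1 else None


def diverging_loop(state):
    """while (x >= 1) { x := x + y; }  -- constructed; loops forever if y == 0."""
    x, y = state
    return (x + y, y) if x >= 1 else None


def two_phase_loop(state):
    """while (x < 2) { if (y < 2) y := y + 1 else x := x + 1 }  -- constructed."""
    x, y = state
    if x >= 2:
        return None
    return (x, y + 1) if y < 2 else (x + 1, y)


def linear(coeffs):
    """f(s) = c_1*s_1 + ... + c_n*s_n + c_0, from (c_1, ..., c_n, c_0)."""
    *cs, c0 = coeffs
    return lambda s: sum(c * v for c, v in zip(cs, s)) + c0


def relation_of(coeffs):
    """T_f = {(s, s') | f(s) >= 0 and f(s') <= f(s) - 1}: well-founded by
    construction, since f is integer-valued and bounded below by 0 on T_f."""
    f = linear(coeffs)
    return lambda s, s2: f(s) >= 0 and f(s2) <= f(s) - 1


def find_counterexample(step, inits, relations, max_iters):
    """Stand-in for the safety check on the instrumented program: for every
    'copied' state s on a trace and every later state s', some T_i must relate
    (s, s').  Returns the sub-trace from s to the first uncovered s', or None
    when the current argument holds on all explored traces."""
    for init in inits:
        trace = [init]
        for _ in range(max_iters):
            nxt = step(trace[-1])
            if nxt is None:
                break
            trace.append(nxt)
            for i in range(len(trace) - 1):
                if not any(r(trace[i], nxt) for r in relations):
                    return trace[i:]
    return None


def synthesize_rank(path, nvars, coeff_range=range(-4, 5)):
    """Find a linear f that is non-negative at every state of the path except
    the last and drops by at least 1 on each step (linear rank function
    synthesis done by enumeration instead of a real constraint solver)."""
    steps = list(zip(path, path[1:]))
    for coeffs in product(coeff_range, repeat=nvars + 1):
        f = linear(coeffs)
        if all(f(a) >= 0 and f(b) <= f(a) - 1 for a, b in steps):
            return coeffs
    return None


def prove_termination(step, inits, nvars, max_iters=20, max_rounds=200):
    """Start with the empty argument and iteratively weaken it with one more
    well-founded relation until the check passes or a path admits no rank."""
    ranks, relations = [], []
    for _ in range(max_rounds):
        cex = find_counterexample(step, inits, relations, max_iters)
        if cex is None:
            return ("terminates", ranks)      # T1 || ... || Tn is valid
        coeffs = synthesize_rank(cex, nvars)
        if coeffs is None:
            return ("counterexample", cex)    # candidate non-termination path
        ranks.append(coeffs)
        relations.append(relation_of(coeffs))
    return ("unknown", ranks)


# Constructed initial states (not from the tutorial).
PAGE_INITS = [(5, 1), (7, 2), (3, 3), (1, 1), (4, 4)]
DIVERGING_INITS = [(1, 0), (2, 0), (1, 1)]
TWO_PHASE_INITS = [(0, 0), (0, -1), (1, 0), (1, 1)]

if __name__ == "__main__":
    for name, loop, inits in [("page loop", page_loop, PAGE_INITS),
                              ("diverging loop", diverging_loop, DIVERGING_INITS),
                              ("two-phase loop", two_phase_loop, TWO_PHASE_INITS)]:
        print(name, prove_termination(loop, inits, 2))
```

Running the script prints one verdict per loop. The slide's loop ends in a termination argument made of several linear ranks, because the enumeration picks the first function that fits the counterexample path rather than the obvious rank x, which is exactly the "many simple ranks, one disjunction" shape slide 50 describes. The loop with y = 0 returns the path [(1,0),(1,0)], which no rank function can order, so the refinement loop stops with a counterexample. Bounded exploration is where this toy departs from the tool: a non-terminating run that starts outside the constructed set is never seen, which is why the slides use a safety checker rather than testing for the validity check.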

75 Examples

85 The bad news

97 More bad news

100 Outline
- Basics
- Refinement-based termination proving
- Variance analysis
- Recent and future work
- Conclusion

105 Variance analysis
Strategy:
- Use abstract interpretation techniques to compute (disjunctive) over-approximation
- Check that the parts of the disjunction are well founded
Advantages:
- Can use existing abstract interpretation tools to compute overapproximation
- Always terminates
- Fast
Disadvantages:
- No counterexamples
- Less accurate than refinement-based approach
- Abstract domains (currently) not built for our application
- Widening can be too aggressive
- Redundant information kept

147 Outline
- Basics
- Refinement-based termination proving
- Termination analysis
- Recent and future work
- Conclusion

149 Recent and future work
Concurrency
- Proving thread-termination [PLDI’08]
- Proving that non-blocking algorithms don’t block [POPL’09]
Recursion
- Proving termination of recursive programs [Submitted]
Synthesizing pre-conditions to termination
- Proving conditional termination [CAV’08]
Termination for non-linear programs
- Proving termination by divergence [SEFM’07]

151 Proving that non-blocking algorithms don’t block

160 Motivation
Automatic termination/liveness proving is now a reality
Advanced termination/liveness tools now supporting:
- Concurrency
- Pointers
- Heap
- Recursion
- Omega-regular properties
- Counterexample generation
- etc.
Tools:
- Terminator (currently being transferred into Windows SDV product)
- ARMC (Andrey’s publicly available version)
- Polyrank (from Bradley, Manna, Sipma)
- T2 (in development for my book and CMU course)

165 Recent and future work
Proving termination inductively
- Podelski & Rybalchenko [LICS’04]
- Ranking abstractions [ESOP’08]
Liveness properties (fair termination)
- Proving that software eventually does something good [POPL’07b]
Better support for heap-manipulating programs
- Automatic termination proofs for programs with shape-shifting heaps [CAV’06]

167 Induction

175 Recent and future work
Separation logic based shape analysis for systems code:
- Scalable shape analysis for systems code [CAV’08]
Support for concurrency:
- Thread-modular shape analysis [PLDI’07b]
- Local reasoning for storable locks and threads [APLAS’07]
Shape analysis for complex data structures:
- Shape analysis for composite data structures [CAV’07]
Producing arithmetic abstractions of programs with heap:
- Arithmetic strengthening for shape analysis [SAS’07]
- Automatic termination proofs for programs with shape-shifting heaps [CAV’06]
  acquire();
  while(……) {
    ……
  }
  release();
Variance analysis, and inductive techniques
- Variance analyses from invariance analyses [POPL’07a]
- Ranking abstractions [ESOP’08]
Liveness properties (fair termination)
- Proving that software eventually does something good [POPL’07b]
Better support for heap-manipulating programs
- Automatic termination proofs for programs with shape-shifting heaps [CAV’06]

178 Experimental results

194 Recent and future work
Current frontiers:
- Bitvectors + unbounded numbers
- Scalability
- Precision
- Finding inductive termination arguments
- Non-linear systems
- Counterexamples/non-termination
- Concurrency
- Programs with data structures
- Finding better pre-conditions
- Programs with higher-order functions
- Collatz program (a.k.a. the 3n+1 problem)

195 Outline
- Basics
- Refinement-based termination proving
- Termination analysis
- Recent and future work
- Conclusion

197 Conclusion
Trend: use of modular termination arguments
- Easier to construct
- Harder to prove valid, but techniques are available
New termination proving strategies
- Refinement-based termination proving
- Variance analysis using invariance analysis
- Size-change, etc.
Result: termination proving is not impossible after all
Next step: “Judgment day”
- Scalability, precision, concurrency, heap, commercial viability

198 Conclusion
See research.microsoft.com/~bycook for pointers to papers
Write to
Thank you for your attention
