Presentation is loading. Please wait.

Presentation is loading. Please wait.

Proving Mutual Termination of single-threaded programs

Published byФаина Ершова Modified over 5 years ago

Similar presentations

Presentation on theme: "Proving Mutual Termination of single-threaded programs"— Presentation transcript:

1 Proving Mutual Termination of single-threaded programs
6/10/2019 Proving Mutual Termination of single-threaded programs Dima Elenbogen Ofer Strichman Shmuel Katz Technion, Haifa, Israel 00:12:46

2 Notion of equivalence for this presentation
6/10/2019 Notion of equivalence for this presentation Goal: verification of the mutual termination of two similar programs. Mutual termination Given equal inputs, P1 terminates , P2 terminates Undecidable 00:12:46

3 Alternative: termination of a single program
6/10/2019 Alternative: termination of a single program New tools have recently been developed: Terminator Mutant Still, there are two major problems: Incompleteness Complexity VSTTE 05 = Verified Software: Theories, Tools, Experiments . 00:12:46

4 Mutual Termination vs. Proving Termination
6/10/2019 Mutual Termination vs. Proving Termination Pros: Computationally easier to check the mutual terminations of two programs than to prove the termination of each of them. Fully automated. It does not require finding a well-founded set. Program do not necessarily terminate. Termination check has nothing to say Mutual termination can still say something useful. Cons: Defines a weaker notion. 00:12:46

5 Goals Develop proof rules for mutual termination
6/10/2019 Goals Develop proof rules for mutual termination Present an algorithm for checking mutual termination, that uses the proof rules, and is sensitive to the magnitude of change rather than the magnitude of the programs 00:12:46

6 Prerequisites Assume: A: B:
6/10/2019 Prerequisites Assume: no loops (but there are recursive functions); 1-1 mapping map between the functions of both sides: must intersect all cycles in the call graphs; the mapped functions have the same signature A: B: 2 map f1() f1’() f2() f2’() f5’() f5() f7’() f6() f3() f4() f4’() 00:12:46

7 Mutual termination (simple case)
B Side 1 Side 2 Consider the call graphs: We want to prove that A, B are mutually terminating How shall we handle the recursion ? 00:12:46

8 Call-equivalence Definition: functions A,B are call-equivalent if…
6/10/2019 Call-equivalence Definition: functions A,B are call-equivalent if… For equal inputs: For callees f,g s.t. (f,g) 2 map: f is called , g is called f and g are called with the same arguments. The order and the number of calls do not matter B(x, y) { g(0,0) if (cond2) g(x,y) if (cond3) } A(x, y) { if (cond1) f(x,y) f(0, 0) 00:12:46

9 Preliminary inference rule (simple case)
6/10/2019 Preliminary inference rule (simple case) call-equiv(A, B) mutual-terminate(A, B) (M-TERM-REC) A(x, y) { if (cond1) A(x1,y1) else … } B(w, z) { if (cond2) B(w1,z1) .. A Side 1 B Side 2 00:12:46

10 The premise is undecidable
6/10/2019 The premise is undecidable call-equiv(A, B) mutual-terminate(A, B) (M-TERM-REC) A(x, y) { if (A(x’, y’) > …) A(x1,y1) else … } B(w, z) { if (B(w’, z’) > …) B(w1,z1) .. A Side 1 B Side 2 How can we prove the premise? 00:12:46

11 Uninterpreted functions
6/10/2019 Uninterpreted functions call-equiv(A, B) mutual-terminate(A, B) (M-TERM-REC) Replace the recursive calls with calls to functions that over-approximate A, B, and are terminating by construction Natural candidates: Uninterpreted Functions Abstract all functionality. We only know they are consistent: x = y → UF(x) = UF(y) 00:12:46

12 Replacing recursive calls (1 / 2)
6/10/2019 Replacing recursive calls (1 / 2) Let FUF , GUF be F,G, after replacing the recursive call with a call to the corresponding uninterpreted functions. F(x, y) { if (cond1) F(x1,y1) else … } G(w, z) { if (cond2) G(w1,z1) .. F G Side 1 Side 2 00:12:46

13 Replacing recursive calls (2 / 2)
6/10/2019 Replacing recursive calls (2 / 2) Let FUF , GUF be F,G, after replacing the recursive call with a call to the corresponding uninterpreted functions. GUF(w, z) { if (cond2) UF(G)(w1,z1) else … .. } FUF(x, y) { if (cond1) UF(F)(x1,y1) FUF GUF UF(G) UF(F) Side 1 Side 2 00:12:46

14 Proving mutual termination
6/10/2019 Proving mutual termination Let FUF , GUF be F,G, after replacing the recursive calls with calls to uninterpreted functions. We can now rewrite the rule: This premise is decidable call-equiv(FUF, GUF) mutual-terminate(F, G) (M-TERM-SIMPLE) 00:12:46

15 General inference rule
Now we want to generalize from a single self loop to MSCCs in the call graphs: Definition: is called in A] ∀(F, G) ∈ map. call-equiv(FUF, GUF) ∀(F, G) ∈ map. mutual-terminate(F, G) (M-TERM) 00:12:46

16 Connected MSCCs {(g,g’),(f,f’),(h,h’)} 2 map Connected MSCCs…
UF(h) h UF(h’) h’ Side 1 Side 2 Connected MSCCs… Prove bottom-up Abstract mutually terminating functions Inline 00:12:46

17 Decomposition algorithm
6/10/2019 Decomposition algorithm Legend: Mutually terminating pair Mutual termination undecided yet Could not prove mutual termination Syntactically equivalent pair check Unpaired function A: B: check f1() f1’() f2() f2’() U U f5() f5’() f7’() f3() f4() f4’() U f6() U check 00:12:46

18 Mutual recursion {(g,g’),(f,f’)} 2 map
6/10/2019 Mutual recursion UF(g) UF(g’) {(g,g’),(f,f’)} 2 map g f g’ f ’ Side 1 Side 2 Find a sub-map that intersects all cycles, e.g., {(g,g’)} Only when calling functions in this sub-map, replace with uninterpreted functions 00:12:46

19 Decomposition with mutual recursion
6/10/2019 Decomposition with mutual recursion Legend: Mutually terminating pair Mutual termination undecided yet Could not prove mutual termination Syntactically equivalent pair Call-equivalent; mutual termination undecided yet A: B: check f1() f1’() f2() f5() U U U U U U f2’() f5’() U U U U U U 00:12:46

20 The Regression Verification Tool (RVT)
6/10/2019 The Regression Verification Tool (RVT) Given two C programs: loops  recursive functions. Map functions, globals, etc. After that: Decompose to the granularity of pairs of functions Use a C verification engine (CBMC) 00:12:46

21 RVT Version A Version B C program feedback CBMC Merge
6/10/2019 RVT Version A Version B Merge Rename identical globals Map functions/globals Decompose static analyses call-equivalence counterexample RVT C program feedback enforce equality of inputs replace with UFs assert call-equivalence CBMC 00:12:46

22 Improvements of completeness (1 / 2)
6/10/2019 Improvements of completeness (1 / 2) Partial equivalence Terminating executions of P1 and P2 on equal inputs result in equal outputs. Taking advantage of the partial equivalence of functions: If we know that (f, g) ∈ map are partially equivalent, then UF(f) = UF(g) We welcome additional ideas how to refine our UFs. 00:12:46

23 Improvements of completeness (2 / 2)
Ignoring input arguments that do not affect the call-equivalence of a function: This improves mapping, as some mapped function pairs may have different prototypes. 00:12:46

24 Checking the termination of functions
Suppose we know that function A terminates. Can it help us to prove the termination of A’? Define call-contain(A, A’) as: For equal inputs : For each pair (f, f’) 2 map: f ‘ is called in A’ with argument x  f is called in A with argument x ∀(F, F’) ∈ map. (term(F) ∧ call-contain(FUF ,F’UF)) ∀(F, F’) ∈ map. term(F’) (TERM) 00:12:46

25 Value of Mutual Termination
Full equivalence P1 and P2 are partially equivalent and mutually terminate. Introduced in: Luckham, Park, and M. Paterson 1970 [On formalized computer programs] Pratt 1971 [Kernel equivalence of programs and proving kernel equivalence and correctness by test cases] Regression verification of full equivalence is an important problem. Proving mutual termination is a crucial sub-task. 00:12:46

26 Questions?.. 00:12:46

27 Using (M-TERM-SIMPLE): example (1/2)
6/10/2019 Using (M-TERM-SIMPLE): example (1/2) unsigned gcd1UF (unsigned a, unsigned b) { unsigned g; if (b == 0) g = a; else { a = a % b; g = gcd1(b, a); } return g; unsigned gcd2UF (unsigned x, unsigned y) { unsigned z; z = x; if (y > 0) z = gcd2(y, z % y); } return z; a, b) x, y) ? = term UF2 UF1 00:12:46

28 Using (M-TERM-SIMPLE): example (2/2)
6/10/2019 Using (M-TERM-SIMPLE): example (2/2) Proving call-equiv(gcd1UF, gcd2UF) Equal inputs Equal guards if called then equal arguments Valid. gcd1,gcd2 are mutually terminating. 00:12:46

Download ppt "Proving Mutual Termination of single-threaded programs"

Similar presentations

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.

Type Checking, Inference, & Elaboration CS153: Compilers Greg Morrisett.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
1 Turing Machines and Equivalent Models Section 13.2 The Church-Turing Thesis.

1 Turing Machines and Equivalent Models Section 13.2 The Church-Turing Thesis.
Lecture 24 MAS 714 Hartmut Klauck

Lecture 24 MAS 714 Hartmut Klauck
Functional Verification III Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture Notes 23.

Functional Verification III Prepared by Stephen M. Thebaut, Ph.D. University of Florida Software Testing and Verification Lecture Notes 23.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
1 Regression-Verification Benny Godlin Ofer Strichman Technion.

1 Regression-Verification Benny Godlin Ofer Strichman Technion.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.

1 How to transform an analyzer into a verifier. 2 OUTLINE OF THE LECTURE a verification technique which combines abstract interpretation and Park’s fixpoint.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.

1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
CMPT 354, Simon Fraser University, Fall 2008, Martin Ester 52 Database Systems I Relational Algebra.

CMPT 354, Simon Fraser University, Fall 2008, Martin Ester 52 Database Systems I Relational Algebra.
1 Introduction to Computability Theory Lecture13: Mapping Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture13: Mapping Reductions Prof. Amos Israeli.
1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.

1 Basic abstract interpretation theory. 2 The general idea §a semantics l any definition style, from a denotational definition to a detailed interpreter.
CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.

CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.

Similar presentations

Ads by Google