Presentation is loading. Please wait.

Presentation is loading. Please wait.

Alternation for Termination William Harris, Akash Lal, Aditya Nori Sriram Rajamani 1 1 2 2 2 2.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Alternation for Termination William Harris, Akash Lal, Aditya Nori Sriram Rajamani 1 1 2 2 2 2."— Presentation transcript:

1 Alternation for Termination William Harris, Akash Lal, Aditya Nori Sriram Rajamani 1 1 2 2 2 2

2 Termination bugs are a real problem in systems and application code.

3 “Gecko mediaplayer hangs the browser” “Eclipse hangs after 5 minutes or so of working” “BUG: Silverlight makes browser hang after BeginSaveChanges on some machines” “BUG: VB Hangs While Automating Excel Using OLE Control” … A Quick Search “bug code hangs”:

4 Key challenge to proving termination: Analyzing the context of a loop

5 An Example with Non-Trivial Context f(int d, z) { int x, y; while (x > 0 && y > 0) { if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1, z); f(2, z); }

6 Local Termination Provers For a fixed over-approximation of a loop, find a proof of termination

7 Local Provers Succeeding while (x > 0 && y > 0) { assume(d > 0); if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } y x

8 Local Provers Failing f(int d) { int x, y; while (x > 0 && y > 0) { assume(d > 0); if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { f(1); f(2); } ??

9 Transition Invariants From stem and cycle of a loop, guess and check a proof of termination

10 Advantage of Transition Invariants A stem to a loop can include information about the loop’s context.

11 Transition Invariants Succeeding f(int d) { while (x > 0 && y > 0) { if (*) { x := x – d; y := *; } else { y := y – d; } } main() { f(1); f(2); } while (x > 0 && y > 0) { x := x – d; y := *; } x

12 Transition Invariants Succeeding f(int d) { while (x > 0 && y > 0) { if (*) { x := x – d; y := *; } else { y := y – d; } } main() { f(1); f(2); } while (x > 0 && y > 0) { y := y - d; } y

13 Disadvantage of Transition Invariants Stem and cycle can lead to incorrect guesses for proof of termination.

14 Transition Invariants Failing f(int d) { f(int d, int z) { int x, y; while (x > 0 && y > 0) { if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1); f(1, z); f(2); f(2, z); }

15 Key Insight of TREX From cycles through a loop, infer invariants for proving termination.

16 Context Analysis via TREX f(int d, z) { int x, y; while (x > 0 && y > 0) { assume(d > 0); if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1, z); f(2, z); }

17 Payoff of TREX’s Approach TREX can apply local provers to find a proof of termination quickly

18 Analysis via TREX f(int d, z) { int x, y; while (x > 0 && y > 0) { assume(d > 0); if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1, z); f(2, z); } x, y

19 TREX in More Detail TREX by example Experiments

20 TREX iteratively finds a proof of termination, or finds a counterexample to termination, or refines stronger program invariants The TREX Algorithm

21 TREX Iteration Step 1 Find a proof of termination by applying a local termination prover

22 f(int d, z) { int x, y; while (x > 0 && y > 0) { if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1, z); f(2, z); } TREX Iteration Step 1 ??

23 TREX Iteration Step 2 If local prover fails, then find a counterexample cycle

24 TREX Iteration Step 2 f(int d, z) { int x, y; while (x > 0 && y > 0) { if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1, z); f(2, z); } while (x > 0 && y > 0) { y := y – d; }

25 TREX Iteration Step 3 From the counterexample cycle, find a sufficient condition for non-termination by applying a non-termination prover (TNT)

26 Applying a Non-Termination Prover while (x > 0 && y > 0) { y := y – d; } Non-termination if: y > 0 && d <= 0

27 TREX Iteration Step 4 Check if the sufficient condition is reachable

28 TREX Iteration Step 4 f(int d, z) { int x, y; while (x > 0 && y > 0) { assert(d > 0); if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1, z); f(2, z); } while (x > 0 && y > 0) { y := y – d; } Non-termination if: y > 0 && d <= 0

29 TREX Iteration Step 5 If the sufficient condition is unreachable, then assume this as an invariant.

30 TREX Iteration Step 5 f(int d, z) { int x, y; while (x > 0 && y > 0) { assert(d > 0); if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1, z); f(2, z); } assume(d > 0); x, y

31 Experiments Windows Vista driver snippets

32 Vista Driver Snippets Driver Name TREX time (s)Terminator* time (s)TREX speedup 113.832.12.3 215.348.03.1 37.95.90.7 43.112.33.9 56.48.81.4 63.013.84.6 710.211.81.2 89.411.01.2 9TO --- 102.510.34.1

33 Conclusion TREX proves termination by using cycles through a loop to infer useful program invariants

34 Extra slides

35 Transition Invariants Succeeding f(int d) { while (x > 0 && y > 0) { if (*) { x := x – d; y := *; } else { y := y – d; } main() { f(1); f(2); } x, y

36 Transition Invariants Failing f(int d) { f(int d, int z) { int x, y; while (x > 0 && y > 0) { if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1); f(1, z); f(2); f(2, z); } while (x > 0 && y > 0) { assume(d = 1 && z = 1); if (*) { x := x – d; y := *; z := z – 1; } z - 1 z = 1; f(1, z);

37 Transition Invariants Failing f(int d) { f(int d, int z) { int x, y; while (x > 0 && y > 0) { if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1); f(1, z); f(2); f(2, z); } while (x > 0 && y > 0) { assume(d = 1 && z = 2); if (*) { x := x – d; y := *; z := z – 1; } z - 2 z = 1; z := 2 * z; f(1, z);

Download ppt "Alternation for Termination William Harris, Akash Lal, Aditya Nori Sriram Rajamani 1 1 2 2 2 2."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.

De necessariis pre condiciones consequentia sine machina P. Consobrinus, R. Consobrinus M. Aquilifer, F. Oratio.
Termination Proofs from Tests

Termination Proofs from Tests
A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.

A Program Transformation For Faster Goal-Directed Search Akash Lal, Shaz Qadeer Microsoft Research.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
Reasoning About Code; Hoare Logic, continued

Reasoning About Code; Hoare Logic, continued
Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.

Model-based reasoning meets code verification Michael Butler 21 May 2014 WG 2.3 Meeting 55, Orlando.
© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.

© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,

1 Thorough Static Analysis of Device Drivers Byron Cook – Microsoft Research Joint work with: Tom Ball, Vladimir Levin, Jakob Lichtenberg,
Rahul Sharma, Saurabh Gupta, Bharath Hariharan, Alex Aiken, and Aditya Nori (Stanford, UC Berkeley, Microsoft Research India) Verification as Learning.

Rahul Sharma, Saurabh Gupta, Bharath Hariharan, Alex Aiken, and Aditya Nori (Stanford, UC Berkeley, Microsoft Research India) Verification as Learning.
Proofs from Tests Nels E. Beckman Aditya V. Nori Sriram K. Rajamani Robert J. Simmons Carnegie Mellon UniversityMicrosoft Research India Carnegie Mellon.

Proofs from Tests Nels E. Beckman Aditya V. Nori Sriram K. Rajamani Robert J. Simmons Carnegie Mellon UniversityMicrosoft Research India Carnegie Mellon.
An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.

An Integration of Program Analysis and Automated Theorem Proving Bill J. Ellis & Andrew Ireland School of Mathematical & Computer Sciences Heriot-Watt.
Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.

Termination Proofs for Systems Code Andrey Rybalchenko, EPFL/MPI joint work with Byron Cook, MSR and Andreas Podelski, MPI PLDI’2006, Ottawa.
Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.

Using Statically Computed Invariants Inside the Predicate Abstraction and Refinement Loop Himanshu Jain Franjo Ivančić Aarti Gupta Ilya Shlyakhter Chao.
Software Engineering: Where are we? And where do we go from here? V22.0474-001 Software Engineering Lecture 23 Clark Barrett New York University 4/17/2006.

Software Engineering: Where are we? And where do we go from here? V Software Engineering Lecture 23 Clark Barrett New York University 4/17/2006.
Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.

Abstractions. Outline Informal intuition Why do we need abstraction? What is an abstraction and what is not an abstraction A framework for abstractions.
Synergy: A New Algorithm for Property Checking

Synergy: A New Algorithm for Property Checking
Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented.

Automatically Validating Temporal Safety Properties of Interfaces Thomas Ball and Sriram K. Rajamani Software Productivity Tools, Microsoft Research Presented.
Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.

Houdini: An Annotation Assistant for ESC/Java Cormac Flanagan and K. Rustan M. Leino Compaq Systems Research Center.

Similar presentations

Ads by Google