1. 1 Proving program termination Lecture 5 · February 4 th, 2008 TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A

2. 2 Notes No new homework for now Remember: no class next week

3. 3 Review Proving termination of mathematical relations  Program termination = WF transition relation  Subrelations of WF-relations are WF-relations  Proving WF can be reduced to finding a larger ranking relation  Accurate transition relations often too hard to compute  Supporting invariants needed to establish termination  Unions of WF-relations not WF, but transitive closure can be used to offset the problem  Local termination lemmas useful when proving structured relations WF

4. 4 Review Synthesis for mathematical relations  Linear ranking functions ranging over simple types (i.e. not the ordinals) can be reliably synthesized for certain classes of relations  Synthesis is possible for more complex settings, but not very reliable

5. 5 Review But what about programs?

6. 6 Review But what about programs? Complex control-flow graphs (e.g., gotos, nested loops, etc) Procedures and recursion Arrays and pointers Dynamically allocated (and deallocated) memory Concurrency

7. 7 Review But what about programs? Complex control-flow graphs (e.g., gotos, nested loops, etc) Procedures and recursion Arrays and pointers Dynamically allocated (and deallocated) memory Concurrency

8. 8 Today Today: Programs and existing tools for proving invariance/safety

9. 9 Today Today: Programs and existing tools for proving invariance/safety

10. 10 Programs

11. 11 Programs

12. 12 Programs

13. 13 Programs

14. 14 Programs

15. 15 Programs

16. 16 Programs

17. 17 Programs

18. 18 Programs

19. 19 Programs

20. 20 Programs

21. 21 Programs

22. 22 Programs

23. 23 Programs

24. 24 Programs

25. 25 Programs

26. 26 Programs

27. 27 Programs

28. 28 Programs

29. 29 Programs

30. 30 Programs

31. 31 Programs

32. 32 Programs

33. 33 Verification and analysis tools for invariance Great progress has been made in the last 5 years in tools for proving invariance properties of programs Automatic invariance analysis  Not property driven  Facts derived from a given abstract domain  Termination (of the tool) usually guaranteed Automatic invariance verification  Usually property driven  Termination (of the tool) not guaranteed Today: a very operational summary of some example tools

34. 34 Verification and analysis tools for invariance Great progress has been made in the last 5 years in tools for proving invariance properties of programs Automatic invariance analysis  Not property driven  Facts derived from a given abstract domain  Termination (of the tool) usually guaranteed Automatic invariance verification  Usually property driven  Termination (of the tool) not guaranteed Today: a very operational summary of some example tools

35. 35 Invariance analysis

36. 36 Invariance analysis

37. 37 Invariance analysis

38. 38 Invariance analysis

39. 39 Invariance analysis

40. 40 Invariance analysis

41. 41 Invariance analysis

42. 42 Invariance analysis

43. 43 Invariance analysis

44. 44 Invariance analysis

45. 45 Invariance analysis

46. 46 Invariance analysis

47. 47 Invariance analysis

48. 48 Invariance analysis

49. 49 Invariance analysis

50. 50 Invariance analysis

51. 51 Abstract domains Provide standard operations  Assign, assume,  Emptiness check  Abstract version of union, intersect  Widening, narrowing Popular domain: Octagon represents convex sets expressed as conjunction of two variable inequalities with unit co-effecients Implementation based on difference bound matrices

52. 52 Abstract domains Provide standard operations  Assign, assume,  Emptiness check  Abstract version of union, intersect  Widening, narrowing Popular domain: Octagon represents convex sets expressed as conjunction of two variable inequalities with unit co-effecients Implementation based on difference bound matrices

53. 53 Abstract domains Provide standard operations  Assign, assume,  Emptiness check  Abstract version of union, intersect  Widening, narrowing Popular domain: Octagon represents convex sets expressed as conjunction of two variable inequalities with unit co-effecients Implementation based on difference bound matrices

54. 54 Abstract domains Provide standard operations  Assign, assume,  Emptiness check  Abstract version of union, intersect  Widening, narrowing Popular domain: Octagon represents convex sets expressed as conjunction of two variable inequalities with unit co-effecients Implementation based on difference bound matrices

55. 55 Abstract domains Provide standard operations  Assign, assume,  Emptiness check  Abstract version of union, intersect  Widening, narrowing Popular domain: Octagon represents convex sets expressed as conjunction of two variable inequalities with unit co-effecients Implementation based on difference bound matrices

56. 56 Abstract domains Provide standard operations  Assign, assume,  Emptiness check  Abstract version of union, intersect  Widening, narrowing Popular domain: Octagon represents convex sets expressed as conjunction of two variable inequalities with unit co-effecients Implementation based on difference bound matrices

57. 57 Verification and analysis tools for invariance Great progress has been made in the last 5 years in tools for proving invariance properties of programs Automatic invariance analysis  Not property driven  Facts derived from a given abstract domain  Termination (of the tool) usually guaranteed Automatic invariance verification  Usually property driven  Termination (of the tool) not guaranteed Today: a very operational summary of some example tools

58. 58 Verification and analysis tools for invariance Great progress has been made in the last 5 years in tools for proving invariance properties of programs Automatic invariance analysis  Not property driven  Facts derived from a given abstract domain  Termination (of the tool) usually guaranteed Automatic invariance verification  Usually property driven  Termination (of the tool) not guaranteed Today: a very operational summary of some example tools

59. 59 Invariance verification for invariance

60. 60 Invariance verification for invariance

61. 61 Symbolic execution based on decision procedure SLAM Driver passes rule Rule violation found Rule Example: SLAM Refine Step Abstract Step Check Step Instrumen t Step Construction of abstract programs w/ WPs for commands and a decision procedure Reachability for abstract programs Code

62. 62 Example: SLAM

63. 63 Example: SLAM

64. 64 Example: SLAM

65. 65 Example: SLAM

66. 66 Example: SLAM

67. 67 Example: SLAM

68. 68 Example: SLAM

69. 69 Example: SLAM

70. 70 Example: SLAM

71. 71 Example: SLAM

72. 72 Example: SLAM

73. 73 Example: SLAM

74. 74 Example: SLAM

75. 75 Example: SLAM

76. 76 Example: SLAM

77. 77 Example: SLAM

78. 78 Example: SLAM

79. 79 Example: SLAM

80. 80 Example: SLAM

81. 81 Example: SLAM

82. 82 Example: SLAM

83. 83 Example: SLAM

84. 84 Example: SLAM

85. 85 Example: SLAM

86. 86 Example: SLAM

87. 87 Example: SLAM

88. 88 Example: SLAM

89. 89 Verification and analysis tools for invariance Great progress has been made in the last 5 years in tools for proving invariance properties of programs Automatic invariance analysis  Not property driven  Facts derived from a given abstract domain  Termination (of the tool) usually guaranteed Automatic invariance verification  Usually property driven  Termination (of the tool) not guaranteed Today: a very operational summary of some example tools

90. 90 Verification and analysis tools for invariance Great progress has been made in the last 5 years in tools for proving invariance properties of programs Automatic invariance analysis  Not property driven  Facts derived from a given abstract domain  Termination (of the tool) usually guaranteed Automatic invariance verification  Usually property driven  Termination (of the tool) not guaranteed Today: a very operational summary of some example tools