View
213
Download
0
Embed Size (px)
Citation preview
Termination Proofs for Systems Code
Andrey Rybalchenko, EPFL/MPI
joint work with Byron Cook, MSRand Andreas Podelski, MPI
PLDI’2006, Ottawa
2
Temporal verification
• Basic properties of program computations:– Reachability– Termination
• Classical reduction: From: temporal reasoning about computationsTo: first-order reasoning over auxiliary assertions
(e.g. invariants, ranking functions)• Proof rules:
– conditions on auxiliary assertions implying the property
• Challenge:– find adequate auxiliary assertions automatically
3
State-of-the-art
• Tools for reachability properties of software:– Astree, BLAST, F-Soft, MAGIC, SatAbs, SLAM,...
• Termination checkers for TRS, Prolog, functional languages, ‘toy’ imperative programs:– CiME, AProVE, TerminWeb, TerminLog, PolyRank, ...
• Our goal: Termination tool for software verification
4
Overview
• Classical assertions:– reachability (invariants)– termination (ranking functions)– limitations
• Transition invariants– checking – incremental construction
• Practical implementation
5
Invariants
• Given program (Init, Next) and property Good• Q: Init [ Next^+(Init) µ Good ?
• Find invariant Inv µ States• To prove:
1. Init µ Inv
2. Next(Inv) µ Inv
3. Inv µ Good
transitive closure
6
Inv: automated construction
• Incremental algorithm:
Inv := Initwhile Next(Inv) * Inv do
Inv := Inv [ Inv
od
• Failed Next(Inv) µ Inv checks determine Inv
• Keep Inv small wrt. Good• Classical fixpoint algorithms (w/ abstraction)
7
Ranking functions
• Given program (Init, Next)• Q: do infinite computations exists ?
• Find ranking function R: States -> Naturals• Define ranking relation
Rank := { (s, s’) | R(s) ¸ 0 and R(s’) · R(s)-1 }• To prove:
Next µ Rank
• Termination proof depends on reachability:Next Å Reach µ Rank
if (y ¸ 1) { while (x ¸ 0) { x = x – y;
}
}
Ranking function
R(x, y) := x
Ranking relation
Rank := (x ¸ 0 Æ x’ · x - 1)
8
• Incremental algorithm?
Rank := ;while Next * Rank do
Rank := Rank [ Rank
od
• Termination is not preserved under union operation
• Abstraction is not possible
Rank: automated construction
Rank [ Rank:
{a, b} [ {b, a} = {(a,a), ...}
= a, a, a, a, a, a, ...
9
Alternative: Transition invariants
Next Å Reach µ Rank
vs.
Next^+ Å Reach µ Rank1 [ ... [ Rankn
• Transition invariant T = Rank1 [ ... [ Rankntransitive closure
10
• Incremental algorithm:
T := ;while Next^+ Å Reach * T do
T := T [ T
od
• Failed Next^+ Å ... µ T checks determine T
• Keep T well-founded (aka terminating) • Q: practical implementation?
Transition Invariant: automated construction
11
Implementation subtasks
• Checking:
Next^+ Å Reach µ T
• Incremental construction:
Find T if check fails
T := ;while Nex^+ Å Reach * T do
T := T [ T
od
12
Checking Next^+ Å (Acc £ Acc) µ T
• Monitor for T– runs in parallel with the program– inspects pairs of states wrt. T– goes to error if observes (s, s’) T
(s, s’) 2 T
Init 3
13
Monitor for T
• needs to store unbounded computation prefix• trade storage for non-determinism: [Biere’02]
– select arbitrary state s– for each subsequent state s’ check (s, s’) 2 T
• proceed in two phases: – selection – checking
(s, s’) 2 T
14
Monitor for T: pseudo-codevar selected := ? var phase := SELECT
while True { switch (phase) { SELECT: if ( nondet() ) { selected := current phase := CHECK } CHECK: if ( (selected, current) T ) { ERROR: } }}
Current program state
Storage for program states
15
Monitoring T: example
current 5, 1 4, 1 3, 1 2, 1 1, 1
phase SEL SEL CHK CHK CHK
selected ? ? 3, 1 3, 1 3, 1
2 T? N/A N/A N/A OK OK
Candidate to check:
T = (x ¸ 0 Æ x’ · x - 1)
if (y ¸ 1) { while (x ¸ 0) { x = x – y;
}
}
x y
16
Checking transition invariant T
• Given T construct monitor MT
• Construct product PT = P || MT
• Apply safety checker on PT:
if success: done
otherwise: counterexample
PT is program
with ERROR location
17
Implementation subtasks
• Checking:
Next+ Å (Acc £ Acc) µ T
• Incremental construction:
Find T if check fails
T := ;while Nex^+ Å Reach * T do
T := T [ T
od
18
Counterexample for T
current 5, 1 6, 1 7, 1
phase SEL CHK CHK
selected ? 6, 1 6, 1
2 T? N/A N/A ERROR
Candidate to check:
T = (x ¸ 0 Æ x’ · x - 1)
if (y ¸ 1) { while (x ¸ 0) { x = x + y;
}
}
Program trace:• assume(y ¸ 1)• assume(x ¸ 0)• x := x + y• x := x + y
7 £ 6
19
Lasso = Stem + Cycle
• Counterexample = Stem.Cycle.Cycle . ...
(to termination)
Program trace:• assume(y ¸ 1)• assume(x ¸ 0)• x := x + y• x := x + y
Stem
Cycle
Selection
phase
Checking
phase
20
From lasso to T
• Counterexample is spurious if Cycle^ is infeasible
• if exist Rank ¶ Cycle then
T = Rank
• elsereturn “counterexample Stem.Cycle^ ”
Algorithms and tools exist:
PolyRank, RankFinder, ...
21
Example T
Candidate to check:
T = ( x · z Æ x’ ¸ x + 1 )
if (y ¸ 1) { while (x · z) { if (nondet()) {
x = x + y;
} else
z = z – y;
}
}
}
Counterexample (lasso):• assume(y ¸ 1)• assume(x · z)• z := z – y
T = ( x · z Æ z’ · z – 1 )
Transition invariant:
T = ( x · z Æ x’ · x + 1 ) Ç ( x · z Æ z’ · z – 1 )
22
Incremental algorithm for termination
T := ;while True do PT := P || MT
if safe( PT ) then return “terminates” else Stem, Cycle := counterexample if exists Rank ¶ Cycle then T := T [ Rank else return “counterexample Stem.Cycle” od
Creates program with error stateApplies temporal
safety checker
Applies termination
checker on a single path
23
Terminator• Input: program written in C
• Output: – termination proof: transition invariant– counterexample: lasso = stem + cycle– divergence (due to the halting problem)
• Language features supported – nested loops, gotos– pointers, aliasing– (mutually) recursive function calls
• Implementation based on SLAM/SDV
• Scalability: (on drivers from WinDDK)– several TLOC in minutes
24
Experiments on WinDDK
0
5
10
15
20
25
30
35
40
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
0
10
20
30
40
50
60
70
80
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
Lines of code (x1000)
Cut-point set size
Termination proofs
Termination bugs
25
Termination bugs
• True bugs recognized by developers• Sources of false bugs:
– Heap modelling– Handling of bit operations
0
2
4
6
8
10
12
1 3 5 7 9 11 13 15 17 19 21 23
True bugs
False bugs
26
Conclusion
• Proving termination can be easy:– Temporal reduction to transition invariants [lics’04]– Incremental computation guided by counterexamples
[sas’05]– Checking using tools for reachability (abstraction,
lazyness, precision,...)[this paper]
• Next steps: – Advanced applicability: heap, bit operations,...– General liveness properties w/ fairness
27
Inductive transition invariants
• Reachability check for PT succeeds• Invariant InvT for PT constructed
over program and monitor variables
• Meaning of InvT:TInd := { (s, s’) | (s’, s) 2 InvT } TInd µ T
1. Next Å (Init £ States) µ TInd
2. TInd ± Next µ TInd
Inductive transition invariant