Proving termination of software

1
Proving termination of software

Byron Cook bycook_at_microsoft.com
Microsoft Research, Cambridge Joint work with
Josh Berdine, Dino Distefano, Alexey Gotsman,
Peter OHearn, Andreas Podelski, Andrey
Rybalchenko, and others
2
Introduction

3
Introduction

4
Introduction
5
Introduction
6
Introduction
Lines of code (x1000)
Cut-point set size
7
Introduction
Lines of code (x1000)
Cut-point set size
8
Introduction
Lines of code (x1000)
Cut-point set size
9
Introduction
Lines of code (x1000)
Cut-point set size
10
Introduction
Lines of code (x1000)
Cut-point set size
11
Outline

• Introduction
• Proof rule for termination
• TERMINATOR
• MUTANT/TERMINATOR
• Conclusion Discussion

12
Outline

• Introduction
• Proof rule for termination
• TERMINATOR
• MUTANT/TERMINATOR
• Conclusion Discussion

13
Proof rule for termination
14
Proof rule for termination
15
Proof rule for termination
16
Proof rule for termination
17
Proof rule for termination
18
Proof rule for termination
19
Proof rule for termination
20
Proof rule for termination
21
Proof rule for termination
22
Proof rule for termination
23
Proof rule for termination
24
Proof rule for termination
25
Proof rule for termination
26
Proof rule for termination
27
Proof rule for termination
28
Proof rule for termination
29
Outline

• Introduction
• Proof rule for termination
• TERMINATOR
• MUTANT/TERMINATOR
• Conclusion Discussion

30
Outline

• Introduction
• Proof rule for termination
• TERMINATOR
• MUTANT/TERMINATOR
• Conclusion Discussion

31
Proof rule for termination
32
Proof rule for termination
33
Proof rule for termination
Ø
34
Proof rule for termination
Ø
35
Proof rule for termination
Ø
36
Proof rule for termination
37
Proof rule for termination
38
Proof rule for termination
39
Proof rule for termination
40
Proof rule for termination
41
Proof rule for termination
42
Proof rule for termination
43
Proof rule for termination
44
Proof rule for termination
45
Proof rule for termination
46
TERMINATOR
47
TERMINATOR
48
Binary reachability
x f(x,y) g(y,x)

copied 0 . . . if (!copied)
if () Hx x
Hy y copied 1
else assert(T)


while(xlty)
copied 0
49
Examples
50
Examples
51
Examples
52
Examples
53
Examples
54
Examples
55
Examples
56
Examples
57
Examples
58
Examples
59
Example

• Introduction
• Abstraction refinement
• Abstraction refinement for termination
• Experimental results Demo
• Conclusion Discussion

60
Outline

• Introduction
• Proof rule for termination
• TERMINATOR
• MUTANT/TERMINATOR
• Conclusion Discussion

61
Outline

• Introduction
• Proof rule for termination
• TERMINATOR
• MUTANT/TERMINATOR
• Conclusion Discussion

62
What about the false bugs?
Lines of code (x1000)
Cut-point set size
63
What about the false bugs?
Lines of code (x1000)
Cut-point set size
64
What about the false bugs?
Lines of code (x1000)
Cut-point set size
65
Reversing the strategy
66
Reversing the strategy
67
Reversing the strategy
68
Reversing the strategy
69
Reversing the strategy
70
Reversing the strategy
71
MUTANT/TERMINATOR
72
MUTANT/TERMINATOR
73
MUTANT/TERMINATOR example
74
MUTANT/TERMINATOR example
75
MUTANT/TERMINATOR example
76
MUTANT/TERMINATOR example
77
MUTANT/TERMINATOR example
78
MUTANT/TERMINATOR example
79
Experimental results

• Revisiting loops previously (falsely) accused

80
Introduction
81
Introduction
82
Introduction
83
Introduction
84
Introduction
85
Introduction
86
Introduction
87
Introduction
88
Introduction
89
Introduction
90
Introduction
91
Introduction
92
Introduction
93
Introduction
94
Introduction
95
Introduction
96
Introduction
97
Outline

• Introduction
• Proof rule for termination
• TERMINATOR
• MUTANT/TERMINATOR
• Conclusion Discussion

98
Outline

• Introduction
• Proof rule for termination
• TERMINATOR
• MUTANT/TERMINATOR
• Conclusion Discussion

99
Introduction

• Termination is one of the frontiers of automatic
  program correctness proof methods
• Together with concurrency and shape analysis
• Applications
• OS dispatch routines
• HTTP request handling code
• Database query handling
• Standard library functions (e.g. string
  manipulation, math functions, etc)
• Acquire/Release (spinlocks, thread priority, etc)
  

100
Conclusion Discussion

• See http//research.microsoft.com/TERMINATOR
• Questions?

101
EXTRA SLIDES
102
Binary Reachability
103
Binary reachability
104
Binary reachability
105
Binary reachability
x f(x,y) g(y,x)

copied 0 . . . if (!copied)
if () Hx x
Hy y copied 1
else assert(T)


while(xlty)
copied 0
106
Rank function synthesis
107
Rank function synthesis

• What if weve find a path that appears not to
  terminate?
• Prove it to be well-founded
• compute a witness (ranking relation)
• Refine the set of ranking relations

108
Rank function synthesis
. . . if (ngt0 mgt1) cnt 0
for() AcquireLock() rst0
while(i j gt 1) i i-n
j jm
ReleaseLock() . . . .
109
Rank function synthesis
. . . if (ngt0 mgt1) cnt 0
for() AcquireLock() rst0
while(i j gt 1) i i-n
j jm
ReleaseLock() . . . .
110
Rank function synthesis
. . . if (ngt0 mgt1) cnt 0
for() AcquireLock() rst0
while(i j gt 1) i i-n
j jm
ReleaseLock() . . . .
111
Rank function synthesis
. . . if (ngt0 mgt1) cnt 0
for() AcquireLock() rst0
while(i j gt 1) i i-n
j jm
ReleaseLock() . . . .
112
Rank function synthesis
. . . if (ngt0 mgt1) cnt 0
for() AcquireLock() rst0
while(i j gt 1) i i-n
j jm
ReleaseLock() . . . .
113
Rank function synthesis
. . . if (ngt0 mgt1) cnt 0
for() AcquireLock() rst0
while(i j gt 1) i i-n
j jm
ReleaseLock() . . . .
114
Rank function synthesis
. . . if (ngt0 mgt1) cnt 0
for() AcquireLock() rst0
while(i j gt 1) i i-n
j jm
ReleaseLock() . . . .
115
Rank function synthesis
. . . if (ngt0 mgt1) cnt 0
for() AcquireLock() rst0
while(i j gt 1) i i-n
j jm
ReleaseLock() . . . .
116
Rank function synthesis
. . . if (ngt0 mgt1) cnt 0
for() AcquireLock() rst0
while(i j gt 1) i i-n
j jm
ReleaseLock() . . . .
117
Rank function synthesis
. . . if (ngt0 mgt1) cnt 0
for() AcquireLock() rst0
while(i j gt 1) i i-n
j jm
ReleaseLock() . . . .
118
Rank function synthesis
. . . if (ngt0 mgt1) cnt 0
for() AcquireLock() rst0
while(i j gt 1) i i-n
j jm
ReleaseLock() . . . .
L (i,j) (i,j) -i j -1 ? -i i
0 ? j - j -1
119
Rank function synthesis
L (i,j) (i,j) -i j -1 ? -i i
0 ? j - j -1
120
Rank function synthesis
L (i,j) (i,j) -i j -1 ? -i i
0 ? j - j -1
(-1)i (1)j (0)i (0)j -1 (-1)i (0)j
(1)i (0)j 0 (0) i (1)j (0)i
(-1)j -1
121
Rank function synthesis
L (i,j) (i,j) -i j -1 ? -i i
0 ? j - j -1
(-1)i (1)j (0)i (0)j -1 (-1)i (0)j
(1)i (0)j 0 (0) i (1)j (0)i
(-1)j -1
122
Rank function synthesis
123
Rank function synthesis
0 1 0
0 0 -1
P

0 0
-1 -1 0
1 0 1
-1 0 -1
(P Q)


Q
0
(
)
-1 -1 0
1 0 1
0 1 0
0 0 -1

P
0 0 0
Q



Q
0 0 0
124
Rank function synthesis
0 1 0
0 0 -1
P

0 0
-1 -1 0
1 0 1
-1 0 -1
(P Q)


Q
0
(
)
-1 -1 0
1 0 1
0 1 0
0 0 -1

P
0 0 0
Q



Q
0 0 0
125
Rank function synthesis
0 1 0
0 0 -1
P

0 0
-1 -1 0
1 0 1
-1 0 -1
(P Q)


Q
0
(
)
-1 -1 0
1 0 1
0 1 0
0 0 -1

P
0 0 0
Q



Q
0 0 0
126
Rank function synthesis
0 1 0
0 0 -1
P

0 0
-1 -1 0
1 0 1
-1 0 -1
(P Q)


Q
0
(
)
-1 -1 0
1 0 1
0 1 0
0 0 -1

P
0 0 0
Q



Q
0 0 0
127
Rank function synthesis
0 1 0
0 0 -1
P

0 0
-1 -1 0
1 0 1
-1 0 -1
(P Q)


Q
0
(
)
-1 -1 0
1 0 1
0 1 0
0 0 -1

P
0 0 0
Q



Q
0 0 0
128
Rank function synthesis
0 1 0
0 0 -1
P

0 0
-1 -1 0
1 0 1
-1 0 -1
(P Q)


Q
0
(
)
-1 -1 0
1 0 1
0 1 0
0 0 -1

P
0 0 0
Q



Q
0 0 0
129
Rank function synthesis

P
1 0 0
0 1 0
0 0 1
P

0 0
Q

0 1 1
-1 -1 0
1 0 1
-1 0 -1
(P Q)


Q
0
(
)
-1 -1 0
1 0 1
0 1 0
0 0 -1

P
0 0 0
Q



Q
0 0 0
130
Rank function synthesis

P
1 0 0
0 1 0
0 0 1
P

0 0
Q

0 1 1
-1 -1 0
1 0 1
-1 0 -1
(P Q)


Q
0
(
)
-1 -1 0
1 0 1
0 1 0
0 0 -1

P
0 0 0
Q



Q
0 0 0
131
Rank function synthesis

P
1 0 0
Q

0 1 1
0 1 0
0 0 -1
rank(x,y)
Q
132
Rank function synthesis

P
1 0 0
Q

0 1 1
0 1 0
0 0 -1
rank(x,y)
Q
rank(x,y) x - y
d 1
b 1
133
Rank function synthesis

P
1 0 0
Q

0 1 1
0 1 0
0 0 -1

• R(V,V) b rank(V) ? rank(V) rank(V) d
• R is an abstraction of p (ie. p ? R)
• In this case 1 i-j ? i-j (Hi-Hj) 1

rank(x,y)
Q
rank(x,y) x - y
d 1
b 1