
Alternation for Termination

William Harris, Akash Lal, Aditya Nori, Sriram Rajamani


Termination bugs are a real problem in systems and application code.

A quick search for “bug code hangs”:

“Gecko mediaplayer hangs the browser”

“Eclipse hangs after 5 minutes or so of working”

“BUG: Silverlight makes browser hang after BeginSaveChanges on some machines”

“BUG: VB Hangs While Automating Excel Using OLE Control”

Key challenge to proving termination:

Analyzing the context of a loop

An Example with Non-Trivial Context

    f(int d, z) {
      int x, y;
      while (x > 0 && y > 0) {
        if (*) {
          x := x - d; y := *; z := z - 1;
        } else {
          y := y - d;
        }
      }
    }

    main() {
      int k; int z = 1;
      while (z < k) { z := 2 * z; }
      f(1, z); f(2, z);
    }

Local Termination Provers

For a fixed over-approximation of a loop, find a proof of termination

Local Provers Succeeding

    while (x > 0 && y > 0) {
      assume(d > 0);
      if (*) {
        x := x - d; y := *; z := z - 1;
      } else {
        y := y - d;
      }
    }

Ranking functions found: x, y

Local Provers Failing

    f(int d) {
      int x, y;
      while (x > 0 && y > 0) {
        assume(d > 0);
        if (*) {
          x := x - d; y := *; z := z - 1;
        } else {
          y := y - d;
        }
      }
    }

    main() { f(1); f(2); }

??

Transition Invariants

From the stem and cycle of a loop, guess and check a proof of termination.

Advantage of Transition Invariants

A stem to a loop can include information about the loop’s context.

Transition Invariants Succeeding

    f(int d) {
      while (x > 0 && y > 0) {
        if (*) {
          x := x - d; y := *;
        } else {
          y := y - d;
        }
      }
    }

    main() { f(1); f(2); }

First cycle, with ranking function x:

    while (x > 0 && y > 0) {
      x := x - d; y := *;
    }

Second cycle, with ranking function y:

    while (x > 0 && y > 0) {
      y := y - d;
    }

Disadvantage of Transition Invariants

Stem and cycle can lead to incorrect guesses for proof of termination.

Transition Invariants Failing

    f(int d, int z) {
      int x, y;
      while (x > 0 && y > 0) {
        if (*) {
          x := x - d; y := *; z := z - 1;
        } else {
          y := y - d;
        }
      }
    }

    main() {
      int k; int z = 1;
      while (z < k) { z := 2 * z; }
      f(1, z); f(2, z);
    }

Key Insight of TREX

From cycles through a loop, infer invariants for proving termination.

Context Analysis via TREX

    f(int d, z) {
      int x, y;
      while (x > 0 && y > 0) {
        assume(d > 0);
        if (*) {
          x := x - d; y := *; z := z - 1;
        } else {
          y := y - d;
        }
      }
    }

    main() {
      int k; int z = 1;
      while (z < k) { z := 2 * z; }
      f(1, z); f(2, z);
    }

Payoff of TREX’s Approach

TREX can apply local provers to find a proof of termination quickly

Analysis via TREX

    f(int d, z) {
      int x, y;
      while (x > 0 && y > 0) {
        assume(d > 0);
        if (*) {
          x := x - d; y := *; z := z - 1;
        } else {
          y := y - d;
        }
      }
    }

    main() {
      int k; int z = 1;
      while (z < k) { z := 2 * z; }
      f(1, z); f(2, z);
    }

Ranking functions found: x, y

TREX in More Detail

• TREX by example

• Experiments

The TREX Algorithm

TREX iteratively finds a proof of termination, or finds a counterexample to termination, or refines stronger program invariants.

TREX Iteration Step 1

Find a proof of termination by applying a local termination prover.

    f(int d, z) {
      int x, y;
      while (x > 0 && y > 0) {
        if (*) {
          x := x - d; y := *; z := z - 1;
        } else {
          y := y - d;
        }
      }
    }

    main() {
      int k; int z = 1;
      while (z < k) { z := 2 * z; }
      f(1, z); f(2, z);
    }

??

TREX Iteration Step 2

If the local prover fails, then find a counterexample cycle.

    f(int d, z) {
      int x, y;
      while (x > 0 && y > 0) {
        if (*) {
          x := x - d; y := *; z := z - 1;
        } else {
          y := y - d;
        }
      }
    }

    main() {
      int k; int z = 1;
      while (z < k) { z := 2 * z; }
      f(1, z); f(2, z);
    }

Counterexample cycle:

    while (x > 0 && y > 0) { y := y - d; }

TREX Iteration Step 3

From the counterexample cycle, find a sufficient condition for non-termination by applying a non-termination prover (TNT).

Applying a Non-Termination Prover

    while (x > 0 && y > 0) { y := y - d; }

Non-termination if: y > 0 && d <= 0

TREX Iteration Step 4

Check if the sufficient condition is reachable.

    f(int d, z) {
      int x, y;
      while (x > 0 && y > 0) {
        assert(d > 0);
        if (*) {
          x := x - d; y := *; z := z - 1;
        } else {
          y := y - d;
        }
      }
    }

    main() {
      int k; int z = 1;
      while (z < k) { z := 2 * z; }
      f(1, z); f(2, z);
    }

    while (x > 0 && y > 0) { y := y - d; }

Non-termination if: y > 0 && d <= 0

TREX Iteration Step 5

If the sufficient condition is unreachable, then assume this as an invariant.

    f(int d, z) {
      int x, y;
      while (x > 0 && y > 0) {
        assert(d > 0);
        if (*) {
          x := x - d; y := *; z := z - 1;
        } else {
          y := y - d;
        }
      }
    }

    main() {
      int k; int z = 1;
      while (z < k) { z := 2 * z; }
      f(1, z); f(2, z);
    }

Assumed invariant:

    assume(d > 0);

Ranking functions found: x, y
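The five-step alternation above, as an added toy model in Python (not the authors' TREX implementation): the loop in f is encoded as two cycles with symbolic updates, the local prover is a per-cycle check that some guard variable strictly decreases under the facts assumed so far, the non-termination prover returns the condition the slides show, and reachability is checked against the constructed call-site contexts f(1, z) and f(2, z). The names CYCLES, CALL_SITES and trex and the cycle encoding are assumptions made for the illustration.

```python
# Toy model of the TREX alternation on the slides' loop (added illustration, not
# the authors' tool). Updates: ("sub", p) is v := v - p for parameter p,
# ("dec", c) is v := v - c for constant c, ("nondet",) is v := *.
GUARD_VARS = ("x", "y")  # the guard x > 0 && y > 0 bounds these from below

# Constructed cycle model of the loop in f; the else branch comes first so the
# run picks the same counterexample cycle as the slides.
CYCLES = {
    "else": {"y": ("sub", "d")},
    "then": {"x": ("sub", "d"), "y": ("nondet",), "z": ("dec", 1)},
}
CALL_SITES = [{"d": 1}, {"d": 2}]  # constructed contexts: f(1, z); f(2, z)

def strictly_decreases(update, invariants):
    """Local prover's check for one guard variable under the facts assumed so far."""
    if update[0] == "sub":
        return f"{update[1]} > 0" in invariants  # needs a fact about the parameter
    return False  # a nondeterministic assignment proves nothing

def local_prover(cycles, invariants):
    """Step 1: a rank variable per cycle, or None plus the cycle it fails on."""
    ranks = {}
    for name, updates in cycles.items():
        rank = next((v for v in GUARD_VARS if v in updates
                     and strictly_decreases(updates[v], invariants)), None)
        if rank is None:
            return None, name
        ranks[name] = rank
    return ranks, None

def nontermination_condition(cycle):
    """Step 3 (TNT-style): the cycle spins if the guard variable it subtracts
    a parameter from stays positive, i.e. the parameter is <= 0."""
    for v, upd in cycle.items():
        if v in GUARD_VARS and upd[0] == "sub":
            return f"{v} > 0 && {upd[1]} <= 0", upd[1]
    return None, None

def trex(cycles, call_sites):
    """Alternate steps 1-5 until a proof, a reachable counterexample, or a dead end."""
    invariants, trace = set(), []
    while True:
        ranks, bad = local_prover(cycles, invariants)
        if ranks is not None:
            return "terminates", ranks, sorted(invariants), trace
        cond, param = nontermination_condition(cycles[bad])
        if cond is None:  # no usable non-termination argument for this cycle
            return "unknown", None, sorted(invariants), trace
        trace.append((bad, cond))
        if any(site[param] <= 0 for site in call_sites):  # step 4: reachable?
            return "may not terminate", None, sorted(invariants), trace
        invariants.add(f"{param} > 0")  # step 5: unreachable, so assume it
```

With the slides' call sites the first round fails on the else cycle, TNT yields y > 0 && d <= 0, the contexts make it unreachable, and the second round proves termination with x and y under the assumed invariant d > 0.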

Experiments

Windows Vista driver snippets

    Driver   TREX time (s)   Terminator* time (s)   TREX speedup
    1        13.8            32.1                   2.3
    2        15.3            48.0                   3.1
    3         7.9             5.9                   0.7
    4         3.1            12.3                   3.9
    5         6.4             8.8                   1.4
    6         3.0            13.8                   4.6
    7        10.2            11.8                   1.2
    8         9.4            11.0                   1.2
    9        TO              TO                     ---
    10        2.5            10.3                   4.1

Conclusion

TREX proves termination by using cycles through a loop to infer useful program invariants.

Extra slides

Transition Invariants Succeeding

    f(int d) {
      while (x > 0 && y > 0) {
        if (*) {
          x := x - d; y := *;
        } else {
          y := y - d;
        }
      }
    }

    main() { f(1); f(2); }

Ranking functions found: x, y

Transition Invariants Failing

    f(int d, int z) {
      int x, y;
      while (x > 0 && y > 0) {
        if (*) {
          x := x - d; y := *; z := z - 1;
        } else {
          y := y - d;
        }
      }
    }

    main() {
      int k; int z = 1;
      while (z < k) { z := 2 * z; }
      f(1, z); f(2, z);
    }

Stem: z = 1; f(1, z);

    while (x > 0 && y > 0) {
      assume(d = 1 && z = 1);
      if (*) {
        x := x - d; y := *; z := z - 1;
      }
    }

Guess: z - 1

Stem: z = 1; z := 2 * z; f(1, z);

    while (x > 0 && y > 0) {
      assume(d = 1 && z = 2);
      if (*) {
        x := x - d; y := *; z := z - 1;
      }
    }

Guess: z - 2