Termination Proofs for Systems Code

Andrey Rybalchenko, EPFL/MPI

joint work with Byron Cook, MSRand Andreas Podelski, MPI

PLDI’2006, Ottawa

2

Temporal verification

• Basic properties of program computations:– Reachability– Termination

• Classical reduction: From: temporal reasoning about computationsTo: first-order reasoning over auxiliary assertions

(e.g. invariants, ranking functions)• Proof rules:

– conditions on auxiliary assertions implying the property

• Challenge:– find adequate auxiliary assertions automatically

3

State-of-the-art

• Tools for reachability properties of software:– Astree, BLAST, F-Soft, MAGIC, SatAbs, SLAM,...

• Termination checkers for TRS, Prolog, functional languages, ‘toy’ imperative programs:– CiME, AProVE, TerminWeb, TerminLog, PolyRank, ...

• Our goal: Termination tool for software verification

4

Overview

• Classical assertions:– reachability (invariants)– termination (ranking functions)– limitations

• Transition invariants– checking – incremental construction

• Practical implementation

5

Invariants

• Given program (Init, Next) and property Good• Q: Init [ Next^+(Init) µ Good ?

• Find invariant Inv µ States• To prove:

1. Init µ Inv

2. Next(Inv) µ Inv

3. Inv µ Good

transitive closure

6

Inv: automated construction

• Incremental algorithm:

Inv := Initwhile Next(Inv) * Inv do

Inv := Inv [ Inv

od

• Failed Next(Inv) µ Inv checks determine Inv

• Keep Inv small wrt. Good• Classical fixpoint algorithms (w/ abstraction)

7

Ranking functions

• Given program (Init, Next)• Q: do infinite computations exists ?

• Find ranking function R: States -> Naturals• Define ranking relation

Rank := { (s, s’) | R(s) ¸ 0 and R(s’) · R(s)-1 }• To prove:

Next µ Rank

• Termination proof depends on reachability:Next Å Reach µ Rank

if (y ¸ 1) { while (x ¸ 0) { x = x – y;

}

}

Ranking function

R(x, y) := x

Ranking relation

Rank := (x ¸ 0 Æ x’ · x - 1)

8

• Incremental algorithm?

Rank := ;while Next * Rank do

Rank := Rank [ Rank

od

• Termination is not preserved under union operation

• Abstraction is not possible

Rank: automated construction

Rank [ Rank:

{a, b} [ {b, a} = {(a,a), ...}

= a, a, a, a, a, a, ...

9

Alternative: Transition invariants

Next Å Reach µ Rank

vs.

Next^+ Å Reach µ Rank1 [ ... [ Rankn

• Transition invariant T = Rank1 [ ... [ Rankntransitive closure

10

• Incremental algorithm:

T := ;while Next^+ Å Reach * T do

T := T [ T

od

• Failed Next^+ Å ... µ T checks determine T

• Keep T well-founded (aka terminating) • Q: practical implementation?

Transition Invariant: automated construction

11

Implementation subtasks

• Checking:

Next^+ Å Reach µ T

• Incremental construction:

Find T if check fails

T := ;while Nex^+ Å Reach * T do

T := T [ T

od

12

Checking Next^+ Å (Acc £ Acc) µ T

• Monitor for T– runs in parallel with the program– inspects pairs of states wrt. T– goes to error if observes (s, s’) T

(s, s’) 2 T

Init 3

13

Monitor for T

• needs to store unbounded computation prefix• trade storage for non-determinism: [Biere’02]

– select arbitrary state s– for each subsequent state s’ check (s, s’) 2 T

• proceed in two phases: – selection – checking

(s, s’) 2 T

14

Monitor for T: pseudo-codevar selected := ? var phase := SELECT

while True { switch (phase) { SELECT: if ( nondet() ) { selected := current phase := CHECK } CHECK: if ( (selected, current) T ) { ERROR: } }}

Current program state

Storage for program states

15

Monitoring T: example

current 5, 1 4, 1 3, 1 2, 1 1, 1

phase SEL SEL CHK CHK CHK

selected ? ? 3, 1 3, 1 3, 1

2 T? N/A N/A N/A OK OK

Candidate to check:

T = (x ¸ 0 Æ x’ · x - 1)

if (y ¸ 1) { while (x ¸ 0) { x = x – y;

}

}

x y

16

Checking transition invariant T

• Given T construct monitor MT

• Construct product PT = P || MT

• Apply safety checker on PT:

if success: done

otherwise: counterexample

PT is program

with ERROR location

17

Implementation subtasks

• Checking:

Next+ Å (Acc £ Acc) µ T

• Incremental construction:

Find T if check fails

T := ;while Nex^+ Å Reach * T do

T := T [ T

od

18

Counterexample for T

current 5, 1 6, 1 7, 1

phase SEL CHK CHK

selected ? 6, 1 6, 1

2 T? N/A N/A ERROR

Candidate to check:

T = (x ¸ 0 Æ x’ · x - 1)

if (y ¸ 1) { while (x ¸ 0) { x = x + y;

}

}

Program trace:• assume(y ¸ 1)• assume(x ¸ 0)• x := x + y• x := x + y

7 £ 6

19

Lasso = Stem + Cycle

• Counterexample = Stem.Cycle.Cycle . ...

(to termination)

Program trace:• assume(y ¸ 1)• assume(x ¸ 0)• x := x + y• x := x + y

Stem

Cycle

Selection

phase

Checking

phase

20

From lasso to T

• Counterexample is spurious if Cycle^ is infeasible

• if exist Rank ¶ Cycle then

T = Rank

• elsereturn “counterexample Stem.Cycle^ ”

Algorithms and tools exist:

PolyRank, RankFinder, ...

21

Example T

Candidate to check:

T = ( x · z Æ x’ ¸ x + 1 )

if (y ¸ 1) { while (x · z) { if (nondet()) {

x = x + y;

} else

z = z – y;

}

}

}

Counterexample (lasso):• assume(y ¸ 1)• assume(x · z)• z := z – y

T = ( x · z Æ z’ · z – 1 )

Transition invariant:

T = ( x · z Æ x’ · x + 1 ) Ç ( x · z Æ z’ · z – 1 )

22

Incremental algorithm for termination

T := ;while True do PT := P || MT

if safe( PT ) then return “terminates” else Stem, Cycle := counterexample if exists Rank ¶ Cycle then T := T [ Rank else return “counterexample Stem.Cycle” od

Creates program with error stateApplies temporal

safety checker

Applies termination

checker on a single path

23

Terminator• Input: program written in C

• Output: – termination proof: transition invariant– counterexample: lasso = stem + cycle– divergence (due to the halting problem)

• Language features supported – nested loops, gotos– pointers, aliasing– (mutually) recursive function calls

• Implementation based on SLAM/SDV

• Scalability: (on drivers from WinDDK)– several TLOC in minutes

24

Experiments on WinDDK

0

5

10

15

20

25

30

35

40

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

0

10

20

30

40

50

60

70

80

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

Lines of code (x1000)

Cut-point set size

Termination proofs

Termination bugs

25

Termination bugs

• True bugs recognized by developers• Sources of false bugs:

– Heap modelling– Handling of bit operations

0

2

4

6

8

10

12

1 3 5 7 9 11 13 15 17 19 21 23

True bugs

False bugs

26

Conclusion

• Proving termination can be easy:– Temporal reduction to transition invariants [lics’04]– Incremental computation guided by counterexamples

[sas’05]– Checking using tools for reachability (abstraction,

lazyness, precision,...)[this paper]

• Next steps: – Advanced applicability: heap, bit operations,...– General liveness properties w/ fairness

27

Inductive transition invariants

• Reachability check for PT succeeds• Invariant InvT for PT constructed

over program and monitor variables

• Meaning of InvT:TInd := { (s, s’) | (s’, s) 2 InvT } TInd µ T

1. Next Å (Init £ States) µ TInd

2. TInd ± Next µ TInd

Inductive transition invariant