Termination,%20heaps,%20and%20hardware

1
Termination, heaps, and hardware Byron Cook
Microsoft Research Cambridge w/ Satnam Singh,
Ashutosh Gupta, and the SLAyer crew
2
Introduction

• Advances in automatic program verification and
  analysis
• Heap
• e.g. automatic memory-safety proofs found for
  Windows device drivers CAV07,CAV08
• Concurrency
• e.g. linearizability of fine-grained concurrent
  algorithms SAS07
• Termination and liveness
• e.g. Termination liveness automatically
  properties proved of Windows device drivers
  PLDI06,POPL07
• e.g. Non-blocking algorithms automatically
  proved non-blocking POPL09

3
Introduction

• Advances in automatic program verification and
  analysis
• Heap
• e.g. automatic memory-safety proofs found for
  Windows device drivers CAV07,CAV08
• Concurrency heap
• e.g. linearizability of fine-grained concurrent
  algorithms SAS07
• Termination/liveness concurrency heap
• e.g. Termination liveness automatically
  properties proved of Windows device drivers
  PLDI06,POPL07
• e.g. Non-blocking algorithms automatically
  proved non-blocking POPL09

4
Introduction

• Advances in automatic program verification and
  analysis
• Heap
• e.g. automatic memory-safety proofs found for
  Windows device drivers CAV07,CAV08
• Concurrency heap
• e.g. linearizability of fine-grained concurrent
  algorithms SAS07
• Termination/liveness concurrency heap
• e.g. Termination liveness automatically
  properties proved of Windows device drivers
  PLDI06,POPL07
• e.g. Non-blocking algorithms automatically
  proved non-blocking POPL09

5
Introduction

• Advances in automatic program verification and
  analysis
• Heap
• e.g. automatic memory-safety proofs found for
  Windows device drivers CAV07,CAV08
• Concurrency heap
• e.g. linearizability of fine-grained concurrent
  algorithms SAS07
• Termination/liveness concurrency heap
• e.g. Termination liveness automatically
  properties proved of Windows device drivers
  PLDI06,POPL07
• e.g. Non-blocking algorithms automatically
  proved non-blocking POPL09

6
Introduction
7
Introduction
8
Introduction

• How does this impact hardware design/verification?
  
• Infinite-state abstractions often useful when
  verifying large finite-state systems
• More complex assumptions can be made about the
  software running on hardware
• Opens doors to new strategies in hardware
  synthesis?

9
Introduction

• How does this impact hardware design/verification?
  
• Infinite-state abstractions often useful when
  verifying large finite-state systems
• More complex assumptions can be made about the
  software running on hardware
• Opens doors to new strategies in hardware
  synthesis?

10
Introduction

• How does this impact hardware design/verification?
  
• Infinite-state abstractions often useful when
  verifying large finite-state systems
• More complex assumptions can be made about the
  software running on hardware
• Opens doors to new strategies in hardware
  synthesis?

11
Introduction

• How does this impact hardware design/verification?
  
• Infinite-state abstractions often useful when
  verifying large finite-state systems
• More complex assumptions can be made about the
  software running on hardware
• Opens doors to new strategies in hardware
  synthesis?

12
Introduction

• How does this impact hardware design/verification?
  
• Infinite-state abstractions often useful when
  verifying large finite-state systems
• More complex assumptions can be made about the
  software running on hardware
• Opens doors to new strategies in hardware
  synthesis?

13
Introduction

• How does this impact hardware design/verification?
  
• Infinite-state abstractions often useful when
  verifying large finite-state systems
• More complex assumptions can be made about the
  software running on hardware
• Opens doors to new strategies in hardware
  synthesis?

14
Outline

• Discussion on new directions for hardware
  synthesis
• Tutorial on the newly available techniques
• Separation-logic based shape analysis
• Termination analysis/proving

15
Outline

• Discussion on new directions for hardware
  synthesis
• Tutorial on the newly available techniques
• Separation-logic based shape analysis
• Termination analysis/proving

16
Outline

• Discussion on new directions for hardware
  synthesis
• Tutorial on the newly available techniques
• Separation-logic based shape analysis
• Termination analysis/proving

17
Hardware synthesis
C file
Hardware Synthesis
18
Hardware synthesis
C file
Hardware Synthesis
19
Hardware synthesis
C file
Hardware Synthesis
20
Hardware synthesis
error
error
C file
a file
Shape Analysis
Termination Analysis
pass
pass
Bounds Synthesis
Hardware Synthesis
failure
21
Hardware synthesis
C file
22
Hardware synthesis
error
C file
a file
Shape Analysis
pass
23
Hardware synthesis
error
C file
a file
Shape Analysis
pass
24
Hardware synthesis
error
error
C file
a file
Shape Analysis
Termination Analysis
ü
pass
pass
25
Hardware synthesis
error
error
C file
a file
Shape Analysis
Termination Analysis
pass
pass
Bounds Synthesis
pass
ü
failure
26
Hardware synthesis
error
error
C file
a file
Shape Analysis
Termination Analysis
pass
pass
Bounds Synthesis
Hardware Synthesis
failure
27
Hardware synthesis
error
error
a file
C file
Shape Analysis
Termination Analysis
pass
pass
Bounds Synthesis
Hardware Synthesis
failure
28
Hardware synthesis
error
error
a file
C file
Shape Analysis
Termination Analysis
pass
pass
Bounds Synthesis
Precondition Synthesis
failure
29
Hardware synthesis
error
error
a file
C file
Shape Analysis
Termination Analysis
pass
pass
Bounds Synthesis
Precondition Synthesis
failure
30
Hardware synthesis
31
Hardware synthesis
32
Hardware synthesis
33
Hardware synthesis
error
error
a file
C file
Shape Analysis
Termination Analysis
pass
pass
Bounds Synthesis
Hardware Synthesis
failure
34
Hardware synthesis
35
Hardware synthesis
36
Hardware synthesis
37
Hardware synthesis
38
Hardware synthesis
39
Hardware synthesis
error
error
a file
C file
Shape Analysis
Termination Analysis
pass
pass
Bounds Synthesis
Hardware Synthesis
failure
40
Hardware synthesis
41
Hardware synthesis
42
Hardware synthesis
43
Hardware synthesis
44
Hardware synthesis
error
error
a file
C file
Shape Analysis
Termination Analysis
pass
pass
Bounds Synthesis
Hardware Synthesis
failure
45
Hardware synthesis
46
Hardware synthesis
47
Hardware synthesis
48
Hardware synthesis
49
Hardware synthesis
50
Hardware synthesis
int af(sz) 2
51
Hardware synthesis
int af(sz) 2
aprev1 x
52
Hardware synthesis
53
Hardware synthesis
54
Hardware synthesis
55
Hardware synthesis
56
Hardware synthesis
57
Hardware synthesis
58
Hardware synthesis
59
Hardware synthesis
60
Hardware synthesis
61
Outline

• Discussion on new directions for hardware
  synthesis
• Tutorial on the newly available techniques
• Separation-logic based shape analysis
• Termination analysis/proving

62
Outline

• Discussion on new directions for hardware
  synthesis
• Tutorial on the newly available techniques
• Separation-logic based shape analysis
• Termination analysis/proving

63
Separation-logic based shape analysis

• Possibilities
• Separation Logic LICS02
• Concurrent Separation Logic CONCUR04
• Shape analysis with the separation domain
  TACAS06
• Practical shape analysis (joins, widening, etc)
  CAV08
• Dynamic predicate synthesis CAV07
• Precondition synthesis CAV08, Abduction
  POPL09
• Recursion SAS06
• Arithmetic abstractions SAS07
• Thread-modular techniques PLDI07
• Rely/Guarantee Separation Logic (RGSep)
  CONCUR07

64
Separation-logic based shape analysis

• Possibilities
• Separation Logic LICS02
• Concurrent Separation Logic CONCUR04
• Shape analysis with the separation domain
  TACAS06
• Practical shape analysis (joins, widening, etc)
  CAV08
• Dynamic predicate synthesis CAV07
• Precondition synthesis CAV08, Abduction
  POPL09
• Recursion SAS06
• Arithmetic abstractions SAS07
• Thread-modular techniques PLDI07
• Rely/Guarantee Separation Logic (RGSep)
  CONCUR07

65
Separation logic based shape analysis

• Shape analysis abstract interpretation for
  programs with heap
• Goal to prove memory safety
• To prove memory safety you need to know A LOT
  about the shape of memory
• Thus, we get other properties about the
  heap-shapes constructed during execution
• Example at line 35 x is a pointer to a
  well-formed cyclic doubly-linked list

66
Separation logic based shape analysis

• Microsoft SLAyer
• Similar to SpaceInvader (Queen Mary), THOR (CMU),
  etc.
• Shape analysis using abstract domain drawn from
  Separation Logic (Separation Domain)
• Used to prove memory safety of device drivers,
  and make arithmetic abstractions for
  safety/liveness proving for T2

67
Separation logic based shape analysis

• Separation logic
• Classical logic (quantifers, conjunction, etc)
• Extension
• The heaplet is empty
• The heaplet has
  exactly one cell x, holding a record with field
  fy and field d5.
• The heaplet can be divided so A is
  true of exactly one partition, and B is true of
  the other
• Induction definitions

68
Separation logic based shape analysis

• Separation logic
• Classical logic (quantifers, conjunction, etc)
• Extension
• The heaplet is empty
• The heaplet has
  exactly one cell x, holding a record with field
  fy and field d5.
• The heaplet can be divided so A is
  true of exactly one partition, and B is true of
  the other
• Induction definitions

69
Separation logic based shape analysis

• Separation logic
• Classical logic (quantifers, conjunction, etc)
• Extension
• emp The heaplet is empty
• x -gt fy,d5 The heaplet has exactly one cell
  x, holding a record with field fy and field
  d5.
• A B The heaplet can be divided so A is true
  of exactly one partition, and B is true of the
  other
• Induction definitions using emp, -gt,

70
Separation logic based shape analysis

• Cyclic lists?
• Acyclic lists?
• Pan handle lists?

71
Separation logic based shape analysis
ü

• Double linked lists?
• Sorted lists?
• Lists of lists?
• Lists with back edges to head nodes?
• Trees? Balanced trees?
• Skiplists?
• DAGs? BDDs?

ü
ü
ü
ü
ü
72
Separation logic based shape analysis

• Separation logic based shape analysis
• Sets of -conjuncted formulae represent abstract
  heaps at program locations
• e.g. The programs heap
  when executing the command at location
  consists only of an acyclic list pointed to by x
  
• Forward symbolic simulation, e.g.

73
Separation logic based shape analysis

• Separation logic based shape analysis
• Use of abstraction to improve the chance of
  analysis-termination, e.g.
• Summaries for procedures, and Frame Rule

74
Separation logic based shape analysis
75
Separation logic based shape analysis
76
Separation logic based shape analysis
77
Separation logic based shape analysis
78
Separation logic based shape analysis
79
Separation logic based shape analysis
80
Separation logic based shape analysis
81
Separation logic based shape analysis
82
Separation logic based shape analysis
83
Separation logic based shape analysis
84
Separation logic based shape analysis
85
Separation logic based shape analysis
86
Separation logic based shape analysis
87
Separation logic based shape analysis
88
Separation logic based shape analysis
89
Separation logic based shape analysis
ü
90
Separation logic based shape analysis
91
Separation logic based shape analysis
92
Separation logic based shape analysis
93
Separation logic based shape analysis
94
Separation logic based shape analysis
95
Separation logic based shape analysis
96
Separation logic based shape analysis
97
Separation logic based shape analysis
ü
98
Separation-logic based shape analysis

• Possibilities
• Separation Logic LICS02
• Concurrent Separation Logic CONCUR04
• Shape analysis with the separation domain
  TACAS06
• Practical shape analysis (joins, widening, etc)
  CAV08
• Dynamic predicate synthesis CAV07
• Precondition synthesis CAV08, Abduction
  POPL09
• Recursion SAS06
• Arithmetic abstractions SAS07
• Thread-modular techniques PLDI07
• Rely/Guarantee Separation Logic (RGSep)
  CONCUR07

99
Separation logic based shape analysis
100
Separation logic based shape analysis
101
Separation logic based shape analysis
102
Separation logic based shape analysis
103
Separation logic based shape analysis
104
Outline

• Discussion on new directions for hardware
  synthesis
• Tutorial on the newly available techniques
• Separation-logic based shape analysis
• Termination analysis/proving

105
Termination

• Possibilities
• Variance analysis POPL07a
• Induction-based techniques ESOP08
• Termination argument refinement PLDI06
• Precondition synthesis CAV08
• Recursion FMSD
• Non-termination POPL08
• Rank function synthesis VMCAI04
• Liveness/fair termination POPL07b
• Rely/guarantee for liveness PLDI07a,POPL09
• Termination arguments for heap CAV06,SAS06

106
Well-founded relations

• Program termination

107
Well-founded relations

• Program termination

108
Well-founded relations
109
Well-founded relations
110
Well-founded relations
111
Well-founded relations
112
Well-founded relations
113
Well-founded relations
114
Termination proof rules
115
Termination proof rules
116
Termination proof rules
117
Termination proof rules
118
Termination proof rule
119
Termination proof rule
120
Termination proof rule
121
Termination proof rule
122
Termination proof rule
123
Termination proof rule
124
Termination proof rule
125
Termination proof rule
126
Termination proof rule
assume(xgt1)
x x y
assume(ygt1)
127
Termination proof rule
assume(xgt1)
x x y
assume(ygt1)
128
Termination proof rule
assume(xgt1)
x x y
assume(ygt1)
129
Termination proof rule
assume(xgt1)
x x y
assume(ygt1)
130
Termination proof rule
assume(xgt1)
x x y
assume(ygt1)
131
Termination proof rule
132
Termination proof rule
133
Variance analysis
134
Variance analysis
135
Variance analysis
136
Variance analysis
137
Variance analysis
138
Variance analysis
139
Variance analysis
140
Variance analysis
1
2
3
141
Variance analysis
1
2
3
142
Variance analysis
1
2
3
143
Variance analysis
1
2
3
144
Variance analysis
1
2
3
145
Variance analysis
1
2.1
2.2
2
3
146
Variance analysis
1
0
2.1
2.2
2
3
147
Variance analysis
1
0
2.1
2.2
2
3
148
Variance analysis
1
0
2.1
2.2
2
3
149
Variance analysis
1
0
2.1
2.2
2
3
150
Variance analysis
1
0
2.1
2.2
2
3
151
Variance analysis
1
0
2.1
2.2
2
3
152
Variance analysis
1
0
2.1
2.2
2
3
153
Variance analysis
1
0
2.1
2.2
2
3
154
Variance analysis
1
0
2.1
2.2
2
3
155
Variance analysis
ü
1
0
ü
2.1
2.2
2
3
156
Termination

• Possibilities
• Variance analysis POPL07a
• Induction-based techniques ESOP08
• Termination argument refinement PLDI06
• Precondition synthesis CAV08
• Recursion FMSD
• Non-termination POPL08
• Rank function synthesis VMCAI04
• Liveness/fair termination POPL07b
• Rely/guarantee for liveness PLDI07a,POPL09
• Termination arguments for heap CAV06,SAS06

157
Underapproximating weakest preconditions
158
Underapproximating weakest preconditions
159
Underapproximating weakest preconditions
160
Underapproximating weakest preconditions
161
Underapproximating weakest preconditions
162
Underapproximating weakest preconditions
163
Motivation

• Automatic termination/liveness proving is now a
  reality
• Advanced termination/liveness tools now
  supporting
• Concurrency,
• Pointers,
• Heap,
• Recursion,
• Omega-regular properties,
• Counterexample-generation,
• etc
• Tools
• Terminator (currently being transferred into
  Windows SDV product)
• ARMC (Andreys publicly available version)
• Polyrank (from Bradley, Manna, Sipma)
• T2 (in development for my book and CMU course)

164
Motivation

• Automatic termination/liveness proving is now a
  reality
• Advanced termination/liveness tools now
  supporting
• Concurrency,
• Pointers,
• Heap,
• Recursion,
• Omega-regular properties,
• Counterexample-generation,
• etc
• Tools
• Terminator (currently being transferred into
  Windows SDV product)
• ARMC (Andreys publicly available version)
• Polyrank (from Bradley, Manna, Sipma)
• T2 (in development for my book and CMU course)

165
Motivation

• Automatic termination/liveness proving is now a
  reality
• Advanced termination/liveness tools now
  supporting
• Concurrency,
• Pointers,
• Heap,
• Recursion,
• Omega-regular properties,
• Counterexample-generation,
• etc
• Tools
• Terminator (currently being transferred into
  Windows SDV product)
• ARMC (Andreys publicly available version)
• Polyrank (from Bradley, Manna, Sipma)
• T2 (in development for my book and CMU course)

166
Motivation

• Automatic termination/liveness proving is now a
  reality
• Advanced termination/liveness tools now
  supporting
• Concurrency,
• Pointers,
• Heap,
• Recursion,
• Omega-regular properties,
• Counterexample-generation,
• etc
• Tools
• Terminator (currently being transferred into
  Windows SDV product)
• ARMC (Andreys publicly available version)
• Polyrank (from Bradley, Manna, Sipma)
• T2 (in development for my book and CMU course)

167
Motivation

• Automatic termination/liveness proving is now a
  reality
• Advanced termination/liveness tools now
  supporting
• Concurrency,
• Pointers,
• Heap,
• Recursion,
• Omega-regular properties,
• Counterexample-generation,
• etc
• Tools
• Terminator (currently being transferred into
  Windows SDV product)
• ARMC (Andreys publicly available version)
• Polyrank (from Bradley, Manna, Sipma)
• T2 (in development for my book and CMU course)

168
Motivation

• Automatic termination/liveness proving is now a
  reality
• Advanced termination/liveness tools now
  supporting
• Concurrency,
• Pointers,
• Heap,
• Recursion,
• Omega-regular properties,
• Counterexample-generation,
• etc
• Tools
• Terminator (currently being transferred into
  Windows SDV product)
• ARMC (Andreys publicly available version)
• Polyrank (from Bradley, Manna, Sipma)
• T2 (in development for my book and CMU course)

169
Motivation

• Automatic termination/liveness proving is now a
  reality
• Advanced termination/liveness tools now
  supporting
• Concurrency,
• Pointers,
• Heap,
• Recursion,
• Omega-regular properties,
• Counterexample-generation,
• etc
• Tools
• Terminator (currently being transferred into
  Windows SDV product)
• ARMC (Andreys publicly available version)
• Polyrank (from Bradley, Manna, Sipma)
• T2 (in development for my book and CMU course)

170
Motivation

• Automatic termination/liveness proving is now a
  reality
• Advanced termination/liveness tools now
  supporting
• Concurrency,
• Pointers,
• Heap,
• Recursion,
• Omega-regular properties,
• Counterexample-generation,
• etc
• Tools
• Terminator (currently being transferred into
  Windows SDV product)
• ARMC (Andreys publicly available version)
• Polyrank (from Bradley, Manna, Sipma)
• T2 (in development for my book and CMU course)

171
Motivation
172
Motivation
173
Motivation
174
Motivation
175
Motivation
176
PreSynth algorithm
177
PreSynth algorithm
178
Implementation
179
Example
180
Motivation

• Automatic termination/liveness proving is now a
  reality
• Advanced termination/liveness tools now
  supporting
• Concurrency,
• Pointers,
• Heap,
• Recursion,
• Omega-regular properties,
• Counterexample-generation,
• etc
• Tools
• Terminator (currently being transferred into
  Windows SDV product)
• ARMC (Andreys publicly available version)
• Polyrank (from Bradley, Manna, Sipma)
• T2 (in development for my book and CMU course)

181
Example
182
Example
183
Example
184
Example
185
Example
186
Example
187
Example
188
Example
189
Example
190
Other examples
191
Other examples
192
Other examples
193
Other examples
194
Other examples
195
Other examples
196
Other examples
197
(No Transcript)
198
Introduction

• Advances in automatic verification and analysis
• Heap
• Concurrency
• Termination/liveness
• Impact on hardware synthesis verification
• Infinite-state abstractions often useful when
  verifying large finite-state systems
• More complex assumptions can be made about the
  software running on hardware?
• Opens doors to new strategies in hardware
  synthesis?
• Allows us to use general purpose software on
  circuits, given preconditions expressed in
  main(..) function
• Properties proved (more easily!) of
  infinite-state systems could be preserved during
  compilation to finite-state

199
Conclusion

• See research.microsoft.com/Terminator
• See also research.microsoft.com/SLAyer
• Write to bycook_at_microsoft.com
• Thank you for your attention