Proving program termination and liveness - PowerPoint PPT Presentation

1 / 125
About This Presentation
Title:

Proving program termination and liveness

Description:

Combinations of ranking functions are the modern method of arguing termination ... Checking disjunctively well-founded arguments ... – PowerPoint PPT presentation

Number of Views:65
Avg rating:3.0/5.0
Slides: 126
Provided by: Byron4
Category:

less

Transcript and Presenter's Notes

Title: Proving program termination and liveness


1
Proving program termination and liveness Byron
Cook Cambridge theory mini-course Lecture I of
III October 15, 2007
TexPoint fonts used in EMF. Read the TexPoint
manual before you delete this box. A
2
Introduction
  • The halting problem (a.k.a. program termination
    problem)
  • Given a computer program together with an
    initial state, in a finite amount of time
    determine whether the program will finish running
    or will run forever

3
Introduction
  • Halting problem has troubled us since the
    beginning of computing
  • One of the first problems proved undecidable
  • The source of unsolved puzzles
  • A matter of practical importance
  • Is every call to AcquireLock() is followed by a
    call to ReleaseLock()?
  • Does SerialPnpDispatch(..) always return control
    back to its caller?

4
Introduction
  • Halting problem has troubled us since the
    beginning of computing
  • One of the first problems proved undecidable
  • The source of unsolved puzzles
  • A matter of practical importance
  • Is every call to AcquireLock() is followed by a
    call to ReleaseLock()?
  • Does SerialPnpDispatch(..) always return control
    back to its caller?

5
Introduction
  • Halting problem has troubled us since the
    beginning of computing
  • One of the first problems proved undecidable
  • The source of unsolved puzzles
  • A matter of practical importance
  • Is every call to AcquireLock() is followed by a
    call to ReleaseLock()?
  • Does SerialPnpDispatch(..) always return control
    back to its caller?

6
Introduction
  • Common wisdom
  • Proving termination/liveness is impossible
  • Thats the halting problem
  • Truth
  • Turing didnt prove that we cannot prove
    termination
  • He did prove that theres at least one problem
    that we cannot prove terminating

7
Introduction
  • Common wisdom
  • Even if some termination proof tricks exist,
    theyll never work for real code
  • Recent advances disprove this wisdom
  • Rank function synthesis techniques
  • Termination proof techniques for complex CFGs
  • Termination analysis techniques developed
  • Methods of refining termination arguments
  • Terminator now being used to prove termination of
    device driver dispatch routines through the
    Windows SDV product

8
Introduction
  • This course
  • Foundations of termination
  • Methods of proving termination
  • Proving liveness properties
  • Proving concurrent programs terminating

9
Outline
  • Foundations
  • Checking termination
  • Termination analysis
  • Refinement synthesis
  • Liveness
  • Heap
  • Concurrency

10
Outline
  • Foundations
  • Checking termination
  • Termination analysis
  • Refinement synthesis
  • Liveness
  • Heap
  • Concurrency

11
Outline
  • Foundations
  • Checking termination
  • Termination analysis
  • Refinement synthesis
  • Liveness
  • Heap
  • Concurrency

12
Halting problem
  • The halting problem (a.k.a. program termination
    problem)
  • Given a computer program together with an
    initial state, in a finite amount of time
    determine whether the program will finish running
    or will run forever

13
Halting problem
  • Highlights of undecidability proof
  • Assume we do have a procedure, call it h
  • h program input -gt bool
  • let c(p) if h(p,p) spin() else true
  • Consider c(c)
  • If it terminates, h(c,c) returned false, thus
    c(c) shouldnt terminate
  • If it doesnt terminate, h(c,c) shouldnt have
    returned true

14
Well-founded relations
  • The halting problem (a.k.a. program termination
    problem)
  • The programs transition relation is well-founded

15
Well-founded relations
  • Notation
  • Transition relation
  • Initial states
  • Reachable states
  • Well-founded?

16
Well-founded relations
  • Goal

17
Well-founded relations
  • Goal

18
Well-founded relations
  • Goal

19
Well-founded relations
What are well-founded relations?
20
Well-founded relations
What are well-founded relations?
21
Well-founded relations
What are well-founded relations?
22
Well-founded relations
What are well-founded relations?
23
Well-founded relations
What are well-founded relations?
Well-founded relations do not permit infinite
sequences
24
Well-founded relations
What are well-founded relations?
Well-founded relations do not permit infinite
sequences
25
Well-founded relations
What are well-founded relations?
Well-founded relations do not permit infinite
sequences
26
Well-founded relations
What are well-founded relations?
27
Well-founded relations
What are well-founded relations?
28
Well-founded relations
  • Observation
  • Subrelations of WF-relations are WF
  • As an example application

29
Next
Next Ranking functions and ranking relations
30
Well-ordered sets
31
Well-ordered sets
32
Ranking functions and ranking relations

33
Ranking functions and ranking relations

34
Example
  • Example

35
Example
  • Example

36
Example
  • Example

37
Example
  • Example

38
Example
  • Example

39
Example
  • Example

40
Example
  • Example

41
Next
Next Prove a program terminating with tools
42
Example
43
Example
44
Example
45
Example
46
Example
47
Example
48
Example
49
Example
50
Example
51
Example
52
Example
53
Example
54
Example
55
Example
56
Example
57
Outline
  • Foundations
  • Checking termination
  • Termination analysis
  • Refinement synthesis
  • Liveness
  • Heap
  • Concurrency

58
Outline
  • Foundations
  • Checking termination
  • Termination analysis
  • Refinement synthesis
  • Liveness
  • Heap
  • Concurrency

59
Traces, paths, segments, etc
60
Traces, paths, segments, etc
61
Traces, paths, segments, etc
62
Cutpoints
63
Cutpoints
64
Cutpoints
65
Cutpoints
66
Cutpoints
67
Cutpoints
68
Cutpoints
69
Cutpoints
70
Cutpoints
71
Cutpoints
72
Cutpoints
73
Cutpoints
74
Isolation
  • Nesting of loops allows us to isolate pieces of
    the program
  • When proving well-foundedness of cutpoints in
    inner loops, we can ignore non-termination of the
    enclosing loop
  • When proving well-foundedness of cutpoints in
    outer loops, we can ignore non-termination of the
    inner loop

75
Isolation
  • Nesting of loops allows us to isolate pieces of
    the program
  • When proving well-foundedness of cutpoints in
    inner loops, we can ignore non-termination of the
    enclosing loop
  • When proving well-foundedness of cutpoints in
    outer loops, we can ignore non-termination of the
    inner loop

76
Isolation
  • Nesting of loops allows us to isolate pieces of
    the program
  • When proving well-foundedness of cutpoints in
    inner loops, we can ignore non-termination of the
    enclosing loop
  • When proving well-foundedness of cutpoints in
    outer loops, we can ignore non-termination of the
    inner loop

77
Isolation
  • When proving well-foundedness of cutpoints in
    inner loops, we can ignore non-termination of the
    enclosing loop
  • When proving well-foundedness of cutpoints in
    outer loops, we can ignore non-termination of the
    inner loop
  • Nesting of loops allows us to isolate pieces of
    the program

78
Isolation
  • When proving well-foundedness of cutpoints in
    inner loops, we can ignore non-termination of the
    enclosing loop
  • When proving well-foundedness of cutpoints in
    outer loops, we can ignore non-termination of the
    inner loop
  • Nesting of loops allows us to isolate pieces of
    the program

79
Isolation
  • When proving well-foundedness of cutpoints in
    inner loops, we can ignore non-termination of the
    enclosing loop
  • When proving well-foundedness of cutpoints in
    outer loops, we can ignore non-termination of the
    inner loop
  • Nesting of loops allows us to isolate pieces of
    the program

80
Isolation
  • When proving well-foundedness of cutpoints in
    inner loops, we can ignore non-termination of the
    enclosing loop
  • When proving well-foundedness of cutpoints in
    outer loops, we can ignore non-termination of the
    inner loop
  • Nesting of loops allows us to isolate pieces of
    the program

81
Cutpoints
82
Combining ranking functions
  • Combinations of ranking functions are the modern
    method of arguing termination
  • Size-change approach (used by ACL2, APROVE)
  • Disjunctive-WF (used by Terminator,
    LinearRankTerm)
  • Polyranking principle (used by PolyRank)
  • Idea use many simple ranking functions instead
    of one big complex one
  • Makes finding/expressing termination argument
    easier
  • Makes checking the subset inclusion harder

83
Disjunctively well-founded termination arguments
84
Disjunctively well-founded termination arguments
  • Example

85
Disjunctively well-founded termination arguments
while(xgt0 ygt0) if () x--
else y--
  • Example

86
Disjunctively well-founded termination arguments
while(xgt0 ygt0) if () x--
else y--
  • Example

87
Disjunctively well-founded termination arguments
while(xgt0 ygt0) if () x--
else y--
  • Example

88
Disjunctively well-founded termination arguments
while(xgt0 ygt0) if () x--
else y--
  • Example

89
Disjunctively well-founded termination arguments
while(xgt0 ygt0) if () x--
else y--
  • Example

90
Disjunctively well-founded termination arguments
while(xgt0 ygt0) if () x--
else y--
  • Example

91
Disjunctively well-founded termination arguments
  • Example

92
Disjunctively well-founded termination arguments
while(xlt0 xlt1000) if () x--
else x
  • Example

93
Disjunctively well-founded termination arguments
while(xlt0 xlt1000) if () x--
else x
  • Example

94
Disjunctively well-founded termination arguments
while(xlt0 xlt1000) if () x--
else x
  • Example

95
Disjunctively well-founded termination arguments
while(xlt0 xlt1000) if () x--
else x
  • Example

96
Nexy
Next Using cut-points with our new disjunctive
rule
97
Cutpoints
98
Cutpoints
99
Cutpoints
100
Cutpoints
101
Cutpoints
102
Isolation
  • Nesting of loops allows us to isolate pieces of
    the program
  • When proving well-foundedness of cutpoints in
    inner loops, we can ignore non-termination of the
    enclosing loop
  • When proving well-foundedness of cutpoints in
    outer loops, we can ignore non-termination of the
    inner loop

103
Isolation
  • Nesting of loops allows us to isolate pieces of
    the program
  • When proving well-foundedness of cutpoints in
    inner loops, we can ignore non-termination of the
    enclosing loop
  • When proving well-foundedness of cutpoints in
    outer loops, we can ignore non-termination of the
    inner loop

104
Isolation
  • Nesting of loops allows us to isolate pieces of
    the program
  • When proving well-foundedness of cutpoints in
    inner loops, we can ignore non-termination of the
    enclosing loop
  • When proving well-foundedness of cutpoints in
    outer loops, we can ignore non-termination of the
    inner loop

105
Isolation
  • When proving well-foundedness of cutpoints in
    inner loops, we can ignore non-termination of the
    enclosing loop
  • When proving well-foundedness of cutpoints in
    outer loops, we can ignore non-termination of the
    inner loop
  • Nesting of loops allows us to isolate pieces of
    the program

106
Isolation
  • When proving well-foundedness of cutpoints in
    inner loops, we can ignore non-termination of the
    enclosing loop
  • When proving well-foundedness of cutpoints in
    outer loops, we can ignore non-termination of the
    inner loop
  • Nesting of loops allows us to isolate pieces of
    the program

107
Isolation
  • When proving well-foundedness of cutpoints in
    inner loops, we can ignore non-termination of the
    enclosing loop
  • When proving well-foundedness of cutpoints in
    outer loops, we can ignore non-termination of the
    inner loop
  • Nesting of loops allows us to isolate pieces of
    the program

108
Isolation
  • When proving well-foundedness of cutpoints in
    inner loops, we can ignore non-termination of the
    enclosing loop
  • When proving well-foundedness of cutpoints in
    outer loops, we can ignore non-termination of the
    inner loop
  • Nesting of loops allows us to isolate pieces of
    the program

109
Isolation
110
Checking disjunctively well-founded arguments
  • Cutpoints can be easily explained with
    disjunctive well-foundedness

111
Checking disjunctively well-founded arguments
  • Cutpoints can be easily explained with
    disjunctive well-foundedness

112
Checking disjunctively well-founded arguments
  • Cutpoints can be easily explained with
    disjunctive well-foundedness

113
Checking disjunctively well-founded arguments
  • Cutpoints can be easily explained with
    disjunctive well-foundedness

6
4
5
4
5
6
114
Next
  • Next
  • Implementing the disjunctive rule in practice
    with

115
Checking disjunctively well-founded arguments
x f(x,y) g(y,x)

set 0 . . . if (!set)
if () old_x x
old_y y set 1
else assert(M1 M2 M3)



while(xlty)
set 0
116
(No Transcript)
117
(No Transcript)
118
(No Transcript)
119
(No Transcript)
120
(No Transcript)
121
Which programs terminate? And why?
122
Which programs terminate? And why?
123
Questions
  • If R is well-founded, is RR?

124
Questions
  • If RR is well-founded, is R?

125
Outline
  • Foundations
  • Checking termination
  • Termination analysis
  • Refinement synthesis
  • Liveness
  • Heap
  • Concurrency
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Proving program termination and liveness" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!