Proving program termination and liveness

1
Proving program termination and liveness Byron
Cook Cambridge theory mini-course October 22nd,
2007 Lecture III of III
TexPoint fonts used in EMF. Read the TexPoint
manual before you delete this box. A
2
Outline

• Foundations
• Checking termination
• Rank function synthesis
• Termination analysis
• Counterexamples refinement
• Liveness
• Concurrency

3
Outline

• Foundations
• Checking termination
• Rank function synthesis
• Termination analysis
• Counterexamples refinement
• Liveness
• Concurrency

4
Refinement
5
Refinement
6
Refinement
7
Refinement
8
Refinement
9
Refinement
x x 1
assume(xgt0)
assume(xz)
assume(wgt0)
y 33 z
x x 1
x x 1
r r e
x x 1
assume(xgt0)
assume(rtrue)
y y 1
x x 1
w w - x
w 5 w
assume(wgtz)
z -z
x x 1
y 100
assume(k2gt0)
assume(glt100)
assume(tlt0)
assume(ggt0)
w w k
w g g
x x 1
x x 1
z w
p p3
k k / 3
y 3 y
10
Refinement
x x 1
assume(xgt0)
assume(xz)
assume(wgt0)
y 33 z
x x 1
x x 1
r r e
x x 1
assume(xgt0)
assume(rtrue)
y y 1
x x 1
w w - x
w 5 w
assume(wgtz)
z -z
x x 1
y 100
assume(k2gt0)
assume(glt100)
assume(tlt0)
assume(ggt0)
w w k
w g g
x x 1
x x 1
z w
p p3
k k / 3
y 3 y
11
Refinement
x x 1
assume(xgt0)
assume(xz)
assume(wgt0)
y 33 z
x x 1
x x 1
r r e
x x 1
assume(xgt0)
assume(rtrue)
y y 1
x x 1
w w - x
w 5 w
assume(wgtz)
z -z
x x 1
y 100
assume(k2gt0)
assume(glt100)
assume(tlt0)
assume(ggt0)
w w k
w g g
x x 1
x x 1
z w
p p3
k k / 3
y 3 y
12
Refinement
x x 1
assume(xgt0)
assume(xz)
assume(wgt0)
y 33 z
x x 1
x x 1
r r e
x x 1
assume(xgt0)
assume(rtrue)
y y 1
x x 1
w w - x
w 5 w
assume(wgtz)
z -z
x x 1
y 100
assume(k2gt0)
assume(glt100)
assume(tlt0)
assume(ggt0)
w w k
w g g
x x 1
x x 1
z w
p p3
k k / 3
y 3 y
13
(No Transcript)
14
(No Transcript)
15
(No Transcript)
16
Refinement
17
Refinement
18
Refinement
19
Tying the pieces together
20
Tying the pieces together
21
Tying the pieces together
22
Tying the pieces together
23
Tying the pieces together
24
The bad news
25
The bad news
26
The bad news
27
The bad news
28
The bad news
29
The bad news
30
The bad news
31
The bad news
32
The bad news
33
The bad news
34
Outline

• Foundations
• Checking termination
• Rank function synthesis
• Termination analysis
• Counterexamples refinement
• Liveness
• Concurrency

35
Outline

• Foundations
• Checking termination
• Rank function synthesis
• Termination analysis
• Counterexamples refinement
• Liveness
• Concurrency

36
Proving liveness properties

• Myth Liveness can always be boiled down to
  termination
• Almost, but not quite!!
• Fact liveness can always be boiled down to fair
  termination
• Fair termination is standard termination with
  fairness constraints on the executions
• Weak fairness Buchi acceptance conditions
  justice
• Strong fairness Streett/Rabin acceptance
  conditions compassion

37
Proving liveness properties

• Myth Liveness can always be boiled down to
  termination
• Almost, but not quite!!
• Fact liveness can always be boiled down to fair
  termination
• Fair termination is standard termination with
  fairness constraints on the executions
• Weak fairness Buchi acceptance conditions
  justice
• Strong fairness Streett/Rabin acceptance
  conditions compassion

38
Proving liveness properties

• Fairness constraints remove classes of
  counterexamples from consideration
• The program doesnt terminate, but terminates if
  certain paths are ignored
• Fairness constraints describe those paths

39
Strong fairness

• Fair and unfair traces

40
Strong fairness

• Fair and unfair traces

41
Strong fairness

• Fair and unfair traces

42
Strong fairness

• Fair and unfair traces

43
Strong fairness

• Fair and unfair traces

44
Strong fairness

• Fair and unfair traces

45
Strong fairness
fairness any 1 any qPENDING
void f() AcquireLock()
. .
. . . ReleaseLock()
. . void main()
void f() . AcquireLock() .
. . . . .
. . . . .
ReleaseLock() . . .
. . . . void main()

if (sNONE) if (nondet())
sPENDING if
(sPENDING) sMATCHED
sNONE
AcquireLock.entry if (sNONE) if
(nondet()) sPENDING
ReleaseLock.entry if (sPENDING)
sMATCHED main.entry sNONE
46
Outline
47
Outline
48
Outline
49
Strong fairness
50
Strong fairness
51
Strong fairness
52
Strong fairness
53
Strong fairness
x f(x,y) g(y,x)

set 0 . . . if (!set)
if () old_x x
old_y y set 1
else if (fair path segment)
assert(M1 M2 M3)



while(xlty)
54
Outline

• Foundations
• Checking termination
• Rank function synthesis
• Termination analysis
• Counterexamples refinement
• Liveness
• Concurrency

in_S0 in_T0
55
Outline

• Foundations
• Checking termination
• Rank function synthesis
• Termination analysis
• Counterexamples refinement
• Liveness
• Concurrency

(!S !in_S) T in_T

in_S0 in_T0
56
Outline

• Foundations
• Checking termination
• Rank function synthesis
• Termination analysis
• Counterexamples refinement
• Liveness
• Concurrency

(!S !in_S) T in_T

in_S0 in_T0

• Also, add the following at each command in the
  program
• if (S) in_S1
• if (T) in_T1

57
Outline

• Foundations
• Checking termination
• Rank function synthesis
• Termination analysis
• Counterexamples refinement
• Liveness
• Concurrency

if (S) in_S1 if (T) in_T1
(!S !in_S) T in_T

in_S0 in_T0

• Also, add the following at each command in the
  program
• if (S) in_S1
• if (T) in_T1

58
Outline

• Foundations
• Checking termination
• Rank function synthesis
• Termination analysis
• Counterexamples refinement
• Liveness
• Concurrency

if (S) in_S1 if (T) in_T1
(!S !in_S) T in_T

in_S0 in_T0

• Also, add the following at each command in the
  program
• if (S) in_S1
• if (T) in_T1

59
Liveness property library
60
Liveness property library
61
Liveness property library
62
Liveness property library
63
Outline

• Foundations
• Checking termination
• Rank function synthesis
• Termination analysis
• Counterexamples refinement
• Liveness
• Concurrency

64
Outline

• Foundations
• Checking termination
• Rank function synthesis
• Termination analysis
• Counterexamples refinement
• Liveness
• Concurrency

65
Outline

• Foundations
• Checking termination
• Rank function synthesis
• Termination analysis
• Counterexamples refinement
• Liveness
• Concurrency

66
Introduction

67
Introduction

68
Introduction

69
Introduction

70
Introduction

71
Concurrent programs

• Thread-modular algorithm finds an environment
  model binary relation expressed as CNF formula
• Implements iterative weakening strengthening
  based on spurious counterexamples
• Strengthening add conjuncts
• Weakening add disjuncts
• Nifty trick
• Iterative search considers potential
  counterexamples to termination in isolation of
  the other threads
• Extremely weak rely/guarantee rule currently used
  

72
Concurrent programs

• Thread-termination Thread T is thread
  terminating in P if in each P-computation T makes
  only finite many steps.
• Important to note
• Were not ruling out deadlock
• Deadlock is a safety property that other tools
  should rule out
• Thus not proving that functions called in T
  eventually return control back to their caller

73
Concurrent programs

• Thread-modular algorithm finds an environment
  model binary relation expressed as CNF formula
• Implements iterative weakening strengthening
  based on spurious counterexamples
• Strengthening add conjuncts
• Weakening add disjuncts
• Nifty trick
• Iterative search considers potential
  counterexamples to termination in isolation of
  the other threads
• Extremely weak rely/guarantee rule currently used
  

74
Example
75
Example
76
Example
77
Example
78
Example
79
Example
80
Example
81
Example
82
Example
83
Example
84
Example
85
Example
86
Example
87
Example
88
Example
89
Example
90
Example
91
Example
92
Example
93
Example
94
Example
95
Example
96
Example
97
Example
98
Example
99
Example
100
Example
101
Example
102
Example
103
Example
104
Example
105
Example
106
Example
107
Example
108
Outline

• Foundations
• Checking termination
• Rank function synthesis
• Termination analysis
• Counterexamples refinement
• Liveness
• Concurrency

109
Outline

• Foundations
• Checking termination
• Rank function synthesis
• Termination analysis
• Counterexamples refinement
• Liveness
• Concurrency