Proving thread termination

1
Proving thread termination Byron Cook
(Microsoft Research) Andreas Podelski
(Freiburg) Andrey Rybalchenko (MPI/EPFL)
PLDI07 presentation, June 13th 2007
2
Proving thread termination Byron Cook
(Microsoft Research) Andreas Podelski
(Freiburg) Andrey Rybalchenko (MPI/EPFL)
PLDI07 presentation, June 13th 2007
3
Introduction

• Todays program termination tools do not natively
  support multithreaded programs
• Most of the code that were interested in
  verifying is multithreaded
• Today Terminator meets concurrency

4
Introduction
5
Introduction
Byron Cook bycook_at_microsoft.com
Microsoft Research, Cambridge Joint work with
Andreas Podelski and Andrey Rybalchenko
6
Introduction

• Todays program termination tools do not natively
  support multithreaded programs
• Most of the code that were interested in
  verifying is multithreaded
• Today Terminator meets concurrency

7
Introduction

• Todays program termination tools do not natively
  support multithreaded programs
• Most of the code that were interested in
  verifying is multithreaded
• Today Terminator meets concurrency

8
Introduction

• Todays program termination tools do not natively
  support multithreaded programs
• Most of the code that were interested in
  verifying is multithreaded
• Today Terminator meets concurrency

9
Introduction

10
Introduction

11
Terminator for multithreaded programs

• Whats in the paper?
• Terminator for coarse-grained multithreaded
  programs
• Thread-modular algorithm finds an environment
  model binary relation expressed as CNF formula
• Implements iterative weakening strengthening
  based on spurious counterexamples
• Strengthening add conjuncts
• Weakening add disjuncts
• Nifty trick
• Iterative search considers counterexamples to
  termination in isolation of the other threads

12
Terminator for multithreaded programs

• Thread-termination Thread T is thread
  terminating in P if in each P-computation T makes
  only finite many steps.
• Important to note
• Were not ruling out deadlock
• Deadlock is a safety property that other tools
  should rule out
• Thus not proving that functions called in T
  eventually return control back to their caller
• For now were ignoring fairness
• In practice code should not depend on fairness
  for termination
• Example

13
Example
14
Example
15
Example
16
Example
17
Example
18
Example
19
Example
20
Example
21
Example
22
Example
23
Example
24
Example
25
Example
26
Example
27
Example
28
Example
29
Example
30
Example
31
Example
32
Example
33
Example
34
Example
35
Example
36
Example
37
Example
38
Example
39
Experimental results

• Details of the procedure and experiments are in
  the paper
• Experiments were performed on Windows device
  drivers
• Weve found a couple of interesting bugs when the
  procedure failed to find a proof

40
Introduction

41
Introduction

42
Introduction
43

• In conclusion
• Terminator failed to support multithreaded
  programs
• Most of the code that were interested in
  verifying is multithreaded
• Todays focus Terminator for thread-termination
• Key observation proofs of termination in
  isolation of the environment can be used to
  determine what a thread expects from its
  environment.

44

• Observations
• Few rounds of refinement required in practice.
• Programmers typically use defensive techniques
  regarding termination, thus the arguments and
  environment assumptions are mostly local
• Thread-modular techniques work here because were
  only specifying variance (i.e. x x) and not
  invariance (i.e. xgt0)