
Proving termination of software

Byron Cook (bycook_at_microsoft.com)
Microsoft Research, Cambridge

Joint work with Josh Berdine, Dino Distefano, Alexey Gotsman, Peter O'Hearn, Andreas Podelski, Andrey Rybalchenko, and others

Introduction


[Figure: cut-point set size plotted against lines of code (x1000)]

Outline

- Introduction
- Proof rule for termination
- TERMINATOR
- MUTANT/TERMINATOR
- Conclusion / Discussion


Proof rule for termination


Outline

- Introduction
- Proof rule for termination
- TERMINATOR
- MUTANT/TERMINATOR
- Conclusion / Discussion


Proof rule for termination


TERMINATOR


Binary reachability

Original loop:

    while (x < y) {
        x = f(x, y);
        y = g(y, x);
    }

Instrumented loop. T is the current candidate termination argument; x_hat and y_hat (written x̂, ŷ on the slides) hold a snapshot of an earlier state, taken at a nondeterministically chosen iteration, so that every pair (earlier state, later state) is checked against T:

    copied = 0;
    ...
    while (x < y) {
        if (!copied) {
            if (*) {                 /* nondeterministic choice */
                x_hat = x;
                y_hat = y;
                copied = 1;
            }
        } else {
            assert(T(x_hat, y_hat, x, y));
        }
        x = f(x, y);
        y = g(y, x);
    }

Examples


Example

- Introduction
- Abstraction refinement
- Abstraction refinement for termination
- Experimental results / Demo
- Conclusion / Discussion

Outline

- Introduction
- Proof rule for termination
- TERMINATOR
- MUTANT/TERMINATOR
- Conclusion / Discussion


What about the false bugs?

[Figure: cut-point set size plotted against lines of code (x1000)]

Reversing the strategy


MUTANT/TERMINATOR


MUTANT/TERMINATOR example


Experimental results

- Revisiting loops previously (falsely) accused

Introduction


Outline

- Introduction
- Proof rule for termination
- TERMINATOR
- MUTANT/TERMINATOR
- Conclusion / Discussion


Introduction

- Termination is one of the frontiers of automatic program correctness proof methods
  - Together with concurrency and shape analysis
- Applications
  - OS dispatch routines
  - HTTP request handling code
  - Database query handling
  - Standard library functions (e.g. string manipulation, math functions, etc.)
  - Acquire/Release (spinlocks, thread priority, etc.)

Conclusion / Discussion

- See http://research.microsoft.com/TERMINATOR
- Questions?

EXTRA SLIDES

Binary reachability

Original loop:

    while (x < y) {
        x = f(x, y);
        y = g(y, x);
    }

Instrumented loop. T is the current candidate termination argument; x_hat and y_hat (written x̂, ŷ on the slides) hold a snapshot of an earlier state, taken at a nondeterministically chosen iteration:

    copied = 0;
    ...
    while (x < y) {
        if (!copied) {
            if (*) {                 /* nondeterministic choice */
                x_hat = x;
                y_hat = y;
                copied = 1;
            }
        } else {
            assert(T(x_hat, y_hat, x, y));
        }
        x = f(x, y);
        y = g(y, x);
    }

Rank function synthesis

- What if we find a path that appears not to terminate?
  - Prove it to be well-founded
  - Compute a witness (a ranking relation)
  - Refine the set of ranking relations

Rank function synthesis

    ...
    if (n > 0 && m > 1) {
        cnt = 0;
        for (;;) {
            AcquireLock();
            rst = 0;
            while (i - j > 1) {
                i = i - n;
                j = j + m;
            }
            ReleaseLock();
            ...
        }
    }
    ...

Rank function synthesis

The relation on the inner loop, over the state (i, j) and its successor (i', j'):

$$L = \{\, ((i,j),(i',j')) \mid -i + j \le -1 \;\wedge\; -i + i' \le 0 \;\wedge\; j - j' \le -1 \,\}$$

Written out coefficient by coefficient:

$$(-1)\,i + (1)\,j + (0)\,i' + (0)\,j' \le -1$$
$$(-1)\,i + (0)\,j + (1)\,i' + (0)\,j' \le 0$$
$$(0)\,i + (1)\,j + (0)\,i' + (-1)\,j' \le -1$$

Rank function synthesis

In matrix form the relation is $A\,(i,j)^T + A'\,(i',j')^T \le c$ with

$$A = \begin{pmatrix} -1 & 1 \\ -1 & 0 \\ 0 & 1 \end{pmatrix},\qquad
A' = \begin{pmatrix} 0 & 0 \\ 1 & 0 \\ 0 & -1 \end{pmatrix},\qquad
c = \begin{pmatrix} -1 \\ 0 \\ -1 \end{pmatrix}$$

The slides show the transposes
$A^T = \begin{pmatrix} -1 & -1 & 0 \\ 1 & 0 & 1 \end{pmatrix}$ and
$A'^T = \begin{pmatrix} 0 & 1 & 0 \\ 0 & 0 & -1 \end{pmatrix}$.

A linear ranking function exists exactly when there are non-negative row vectors $P$ and $Q$ with

$$P\,A' = 0,\qquad (P - Q)\,A = 0,\qquad Q\,(A + A') = 0,\qquad Q\,c < 0.$$

Here $P = (1, 0, 0)$ and $Q = (0, 1, 1)$ satisfy all four conditions:
$P A' = (0,0)$, $(P-Q)\,A = (1,-1,-1)\,A = (0,0)$, $Q\,(A+A') = (0,0)$ and $Q\,c = -1 < 0$.
The ranking function is read off as $Q A'$ applied to the state, $Q A' = (1, -1)$, giving

$$\mathrm{rank}(x,y) = x - y,\qquad \delta = -Q\,c = 1,\qquad b = -P\,c = 1.$$

- $R(V,V') \subseteq \{\, b \le \mathrm{rank}(V) \;\wedge\; \mathrm{rank}(V') \le \mathrm{rank}(V) - \delta \,\}$
- $R$ is an abstraction of $p$ (i.e. $p \subseteq R$)
- In this case: $1 \le i - j \;\wedge\; i - j \le (\hat{i} - \hat{j}) - 1$

$$\mathrm{rank}(x,y) = x - y,\qquad \delta = 1,\qquad b = 1$$