Proving termination of software

Byron Cook bycook_at_microsoft.com

Microsoft Research, Cambridge

Joint work with Josh Berdine, Dino Distefano, Alexey Gotsman, Peter O'Hearn, Andreas Podelski, Andrey Rybalchenko, and others

Introduction

[Plot: cut-point set size vs. lines of code (x1000)]

Outline

- Introduction
- Proof rule for termination
- TERMINATOR
- MUTANT/TERMINATOR
- Conclusion / Discussion

Proof rule for termination

TERMINATOR

Binary reachability

The loop  while (x < y) { x = f(x,y); y = g(y,x); }  instrumented for binary reachability: at one nondeterministically chosen visit to the loop head a snapshot (x̂, ŷ) of the state is taken; on every later visit the candidate relation T between the snapshot and the current state is asserted, so that a failing assertion is exactly a pair of reachable states not covered by T.

    copied = 0;
    . . .
    while (x < y) {
        if (!copied) {
            if (*) {              // nondeterministic choice: take the snapshot on this visit
                x̂ = x;
                ŷ = y;
                copied = 1;
            }
        } else {
            assert(T);            // T: candidate relation between (x̂, ŷ) and the current (x, y)
        }
        x = f(x,y);
        y = g(y,x);
    }
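The instrumentation above turns a termination obligation into a safety check. As an added example (not code from the slides or from the TERMINATOR tool), the following monitor runs the slide's loop with assumed concrete bodies for f and g and checks a candidate T on every (snapshot, later state) pair, which is what exploring all choices of "when to snapshot" amounts to on one run. The two candidate relations T_gap_decreases and T_x_decreases are likewise assumptions chosen to show a passing check and a refuting pair.

```python
"""Binary reachability as a runtime monitor over the slide's loop.

Added example, not code from the slides or from TERMINATOR.  The slide
instruments  while (x < y) { x = f(x,y); y = g(y,x); }  with a snapshot
(x̂, ŷ) taken at one nondeterministically chosen visit to the loop head and
asserts the candidate relation T between the snapshot and every later visit.
Exploring every choice of *when* to snapshot equals checking T on every
ordered pair (earlier head state, later head state) of a run, which is what
this monitor does.  The bodies of f and g are assumptions chosen for
illustration; the slide leaves them abstract.
"""
from typing import Callable, List, Optional, Tuple

State = Tuple[int, int]
Relation = Callable[[State, State], bool]


def f(x: int, y: int) -> int:
    """Assumed update for x (not from the slide)."""
    return x + 2


def g(y: int, x: int) -> int:
    """Assumed update for y; note the (y, x) argument order used on the slide."""
    return y - 1


def binary_reachability(x: int, y: int, T: Relation,
                        max_steps: int = 10_000) -> Optional[Tuple[State, State]]:
    """Run the loop and check T on all (snapshot, later state) pairs.

    Returns None if T holds for every pair, i.e. the assert in the
    instrumented program cannot fail on this run.  Otherwise returns the
    first violating pair: the concrete counterexample that TERMINATOR feeds
    to ranking-function synthesis in order to refine T.
    """
    history: List[State] = []          # every state seen at the cut-point (loop head)
    for _ in range(max_steps):
        if not x < y:
            return None                # loop exited: no violation found
        cur = (x, y)
        # 'copied == 1' branch: the snapshot could be any earlier head state
        for snap in history:
            if not T(snap, cur):
                return snap, cur
        history.append(cur)            # 'copied == 0' branch: snapshot taken here
        x = f(x, y)
        y = g(y, x)
    raise RuntimeError("loop did not exit within max_steps; check for non-termination")


def T_gap_decreases(snap: State, cur: State) -> bool:
    """Well-founded candidate: y - x is at least 1 at the snapshot (the loop
    guard) and strictly smaller at every later visit."""
    (x0, y0), (x1, y1) = snap, cur
    return y0 - x0 >= 1 and y1 - x1 <= y0 - x0 - 1


def T_x_decreases(snap: State, cur: State) -> bool:
    """A wrong first guess (x actually grows); the monitor reports the pair
    of states that refutes it."""
    (x0, _), (x1, _) = snap, cur
    return x1 <= x0 - 1


if __name__ == "__main__":
    print(binary_reachability(0, 10, T_gap_decreases))   # None
    print(binary_reachability(0, 10, T_x_decreases))     # ((0, 10), (2, 9))
```

A passing run of this monitor is evidence on one trace only; the slide's point is that TERMINATOR discharges the same pair-wise obligation over all paths with a safety model checker, so a violating pair found by the checker, not by a test, is the refinement signal. The shape of the result matters for practitioners: the counterexample is a concrete pair of loop-head states, which is directly inspectable when a request-handling or dispatch loop is suspected of not terminating.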

Example

- Introduction
- Abstraction refinement
- Abstraction refinement for termination
- Experimental results / Demo
- Conclusion / Discussion

What about the false bugs?

[Plot: cut-point set size vs. lines of code (x1000)]

Reversing the strategy

MUTANT/TERMINATOR

MUTANT/TERMINATOR example

Experimental results

- Revisiting loops previously (falsely) accused

Introduction

- Termination is one of the frontiers of automatic program correctness proof methods
  - Together with concurrency and shape analysis
- Applications
  - OS dispatch routines
  - HTTP request handling code
  - Database query handling
  - Standard library functions (e.g. string manipulation, math functions, etc.)
  - Acquire/Release (spinlocks, thread priority, etc.)

Conclusion / Discussion

- See http://research.microsoft.com/TERMINATOR
- Questions?

EXTRA SLIDES


- What if we find a path that appears not to terminate?
  - Prove it to be well-founded
  - Compute a witness (ranking relation)
  - Refine the set of ranking relations

Example: a lock-protected inner loop. The enclosing test establishes n > 0 and m > 1, which is what the termination argument for the inner while-loop depends on.

    . . .
    if (n > 0 && m > 1) {
        cnt = 0;
        for (;;) {
            AcquireLock();
            rst = 0;
            while (i - j > 1) {
                i = i - n;
                j = j + m;
            }
            ReleaseLock();
            . . .
        }
    }
    . . .

Does the inner loop terminate? Because n > 0, i strictly decreases, and because m > 1, j strictly increases, so i - j drops on every iteration while the guard keeps it above 1. Note that if the lock is held across a non-terminating inner loop, every other thread contending for the lock hangs too, which is why such loops are listed under Acquire/Release applications.

The transition relation of the inner loop, abstracted to linear constraints over the pre-state $(i,j)$ and the post-state $(i',j')$:

$$L = \{\,((i,j),(i',j')) \mid -i + j \le -1 \;\wedge\; -i + i' \le 0 \;\wedge\; j - j' \le -1\,\}$$

Written out with every coefficient:

$$(-1)i + (1)j + (0)i' + (0)j' \le -1 \;\wedge\; (-1)i + (0)j + (1)i' + (0)j' \le 0 \;\wedge\; (0)i + (1)j + (0)i' + (-1)j' \le -1$$

i.e. in matrix form $A\,(i,j)^T + A'\,(i',j')^T \le c$ with

$$A = \begin{pmatrix} -1 & 1 \\ -1 & 0 \\ 0 & 1 \end{pmatrix},\qquad A' = \begin{pmatrix} 0 & 0 \\ 1 & 0 \\ 0 & -1 \end{pmatrix},\qquad c = \begin{pmatrix} -1 \\ 0 \\ -1 \end{pmatrix}$$

Linear ranking function synthesis: find row vectors $P \ge 0$ and $Q \ge 0$ such that

$$P\,A' = 0,\qquad (P - Q)\,A = 0,\qquad Q\,(A + A') = 0,\qquad Q\,c < 0$$

Solution: $P = (1\ \ 0\ \ 0)$, $Q = (0\ \ 1\ \ 1)$, and the ranking function is read off from $Q\,A' = (1\ \ -1)$:

$$\mathrm{rank}(x,y) = x - y,\qquad d = 1,\qquad b = 1$$

- $R(V,V') \Rightarrow b \le \mathrm{rank}(V) \;\wedge\; \mathrm{rank}(V') \le \mathrm{rank}(V) - d$
- $R$ is an abstraction of $\rho$ (i.e. $\rho \subseteq R$)
- In this case: $1 \le i - j \;\wedge\; i - j \ge (i' - j') + 1$

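The relation L, the P/Q constraint system and the rank/b/d bullets above are one instance of linear ranking-function synthesis. As an added example (not code from the slides or from TERMINATOR), the following searches for a certificate (P, Q) for the slide's relation, derives rank, b and d from it, and checks the resulting obligation on a concrete iteration of the real loop body. The side conditions used are the Podelski–Rybalchenko conditions for linear ranking functions, which is an assumption about what the slide's P/Q system encodes; a real tool solves them as a linear program, whereas the brute-force search over small non-negative integers here is only adequate for a three-constraint system.

```python
"""Linear ranking-function synthesis for the slide's inner loop.

Added example, not code from the slides or from TERMINATOR.  The loop
    while (i - j > 1) { i = i - n; j = j + m; }     with n > 0, m > 1
is over-approximated, as on the slide, by the linear relation
    -i + j <= -1,   -i + i' <= 0,   j - j' <= -1
i.e.  A*(i,j) + A'*(i',j') <= c.  The P/Q system is taken (assumption) to
be the Podelski-Rybalchenko condition: a linear ranking function exists iff
there are row vectors P, Q >= 0 with
    P*A' = 0,   (P - Q)*A = 0,   Q*(A + A') = 0,   Q*c < 0,
and then rank(v) = Q*A'*v, bound b = -P*c, decrease d = -Q*c.
"""
from itertools import product
from typing import Optional, Sequence, Tuple

Vec = Tuple[int, ...]
Mat = Sequence[Sequence[int]]

# The slide's relation: one row per constraint; columns (i, j) and (i', j').
A = [[-1, 1], [-1, 0], [0, 1]]     # coefficients of the pre-state (i, j)
A1 = [[0, 0], [1, 0], [0, -1]]     # coefficients of the post-state (i', j')
c = [-1, 0, -1]                    # right-hand sides


def vec_mat(v: Sequence[int], M: Mat) -> Vec:
    """Row vector times matrix."""
    return tuple(sum(v[r] * M[r][k] for r in range(len(M))) for k in range(len(M[0])))


def dot(u: Sequence[int], v: Sequence[int]) -> int:
    return sum(a * b for a, b in zip(u, v))


def is_certificate(P: Sequence[int], Q: Sequence[int],
                   A: Mat, A1: Mat, c: Sequence[int]) -> bool:
    """Check the four side conditions for non-negative P, Q."""
    if min(P) < 0 or min(Q) < 0:
        return False
    zero = (0,) * len(A[0])
    P_minus_Q = [p - q for p, q in zip(P, Q)]
    A_plus_A1 = [[x + y for x, y in zip(ra, ra1)] for ra, ra1 in zip(A, A1)]
    return (vec_mat(P, A1) == zero
            and vec_mat(P_minus_Q, A) == zero
            and vec_mat(Q, A_plus_A1) == zero
            and dot(Q, c) < 0)


def synthesize(A: Mat, A1: Mat, c: Sequence[int],
               limit: int = 2) -> Optional[Tuple[Vec, Vec, Vec, int, int]]:
    """Lexicographically smallest integer certificate with entries in 0..limit.
    Returns (P, Q, rank coefficients, bound b, decrease d), or None."""
    rows = len(A)
    for P in product(range(limit + 1), repeat=rows):
        for Q in product(range(limit + 1), repeat=rows):
            if is_certificate(P, Q, A, A1, c):
                return P, Q, vec_mat(Q, A1), -dot(P, c), -dot(Q, c)
    return None


def holds_on_iteration(rank: Vec, b: int, d: int,
                       i: int, j: int, n: int, m: int) -> bool:
    """The slide's obligation  b <= rank(V) and rank(V') <= rank(V) - d  on one
    concrete iteration of the real loop body (n > 0, m > 1 assumed)."""
    if not i - j > 1:                  # guard false: the loop would not iterate
        return True
    r0 = dot(rank, (i, j))
    r1 = dot(rank, (i - n, j + m))
    return r0 >= b and r1 <= r0 - d


if __name__ == "__main__":
    P, Q, rank, b, d = synthesize(A, A1, c)
    print(P, Q, rank, b, d)            # (1, 0, 0) (0, 1, 1) (1, -1) 1 1
```

The certificate found is the slide's P = (1 0 0), Q = (0 1 1), giving rank(i,j) = i - j with b = 1 and d = 1. The soundness argument is the one the bullets state: the real loop body is contained in the abstraction (ρ ⊆ R), so any ranking function for R also bounds and decreases on every real iteration, which holds_on_iteration spot-checks on concrete values of i, j, n, m.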