Halting problem, no problem!
Byron Cook · Microsoft Research Cambridge
with Andreas Podelski, Andrey Rybalchenko & the East London Massive
http://research.microsoft.com/Terminator
Introduction [slides 2-8: graphics only]
Outline
Introduction
Sequential programs
Concurrent programs
Extensions, optimizations, etc.
Conclusion
Terminator for sequential programs
Termination/liveness prover for sequential C code
§ Liveness example: "every call to A() is eventually followed by a call to B()"
Iteratively finds and checks the validity of a candidate termination argument
Nifty trick
§ The iterative search considers potential counterexamples to termination in isolation from the rest of the program (conditionals, nested loops, recursion, pointers, function pointers, gotos, etc.)
Well-founded relations
Program termination =
[slides 12-18: graphics only]
Termination proof rule [slides 19-30: graphics only]
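As an added illustration (not Terminator's own code) of the iterative search described under "Terminator for sequential programs" and of the proof rule above, the sketch below runs the loop on a bounded state space: the candidate termination argument is a union of well-founded relations "f(t) < f(s)" (the disjunctive argument of the PLDI'06 paper), an uncovered pair of the loop's transitive closure is the counterexample, and a ranking function is synthesized for it. The toy programs, the value bound N and the fixed menu of ranking functions are constructed assumptions; real Terminator discharges the coverage check with a safety prover and synthesizes rank functions from counterexample paths rather than from a menu.

```python
from itertools import product

# Constructed toy: states are (x, y) with 0 <= x, y <= N; the loop runs while
# x > 0 and y > 0. A program maps a state to its set of successor states.
N = 3

def terminating(s):   # while (x>0 && y>0) { if (*) { x--; y = *; } else { y--; } }
    x, y = s
    return {(x - 1, y2) for y2 in range(N + 1)} | {(x, y - 1)}

def buggy(s):         # same loop plus a branch that bumps x back up: a real cycle
    x, y = s
    return terminating(s) | ({(x + 1, y)} if x < N else set())

def guard(s):
    return s[0] > 0 and s[1] > 0

def closure_pairs(prog):
    """Pairs (s, t) with t reachable from s in >= 1 iterations (transitive closure)."""
    pairs = set()
    for s in product(range(N + 1), repeat=2):
        seen, todo = set(), [s]
        while todo:
            u = todo.pop()
            for t in (prog(u) if guard(u) else set()):
                if t not in seen:
                    seen.add(t)
                    todo.append(t)
        pairs |= {(s, t) for t in seen}
    return pairs

# Menu of candidate ranking functions into the naturals, so each relation
# "f(t) < f(s)" is well-founded; the candidate argument is a union of them.
MENU = {"x": lambda s: s[0], "y": lambda s: s[1], "x+y": lambda s: s[0] + s[1]}

def prove(prog):
    """Check the candidate argument; an uncovered pair is the counterexample, a
    ranking function is picked for it and added. Returns ("proved", names) or
    ("failed", pair) when no menu function decreases on the pair."""
    pairs, arg = sorted(closure_pairs(prog)), []
    while True:
        bad = next((p for p in pairs
                    if not any(MENU[f](p[1]) < MENU[f](p[0]) for f in arg)), None)
        if bad is None:
            return "proved", arg
        fresh = [f for f in MENU if f not in arg and MENU[f](bad[1]) < MENU[f](bad[0])]
        if not fresh:
            return "failed", bad   # no rank function decreases: possible non-termination
        arg.append(fresh[0])
```

The terminating loop is proved with the union of "x decreases" and "y decreases" even though neither alone covers every path; the buggy loop fails on the pair ((1, 1), (1, 1)), a state reachable from itself, which is the kind of counterexample the slides later describe as leading to real bugs.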
Terminator [slides 31-48: graphics only]
Examples [slides 49-56: graphics only]
Experimental results
More details on Terminator and experiments
§ Termination proofs for systems code [PLDI'06]
Experiments were performed in [PLDI'06] on 30 Windows device drivers (<35k LOC)
We've found some interesting bugs in cases where Terminator has failed to find a proof
Example
Introduction
Abstraction & refinement for termination
Experimental results & Demo
Conclusion & Discussion
Outline (section: Concurrent programs)
Proving thread termination
Until recently program termination tools didn't natively support multithreaded programs.
Most of the code that we're interested in verifying is multithreaded.
Introduction [slides 64-65: graphics only]
Concurrent programs
Thread-modular algorithm finds an environment model: a binary relation expressed as a CNF formula
Implements iterative weakening & strengthening based on spurious counterexamples
§ Strengthening: add conjuncts
§ Weakening: add disjuncts
Nifty trick
§ The iterative search considers potential counterexamples to termination in isolation from the other threads
Example [slides 67-93: graphics only]
Experimental results
More details on Terminator's concurrency extension and experiments
§ Proving thread termination [PLDI'07]
Experiments were performed in [PLDI'07] on 30 Windows device drivers (<35k LOC)
We've found some interesting bugs in cases where Terminator has failed to find a proof
Introduction [slides 95-97: graphics only]
Outline (section: Extensions, optimizations, etc.)
Extensions, optimizations, etc.
Better performance with "variance analyses"
§ Variance analyses from invariance analyses [POPL'07a]
Support for the full spectrum of liveness properties (fair termination)
§ Proving that software eventually does something good [POPL'07b]
Rank function synthesis for simple non-linear cases
§ Proving termination by divergence [SEFM'07]
Better support for heap-manipulating programs
§ Automatic termination proofs for programs with shape-shifting heaps [CAV'06]
Variance analyses [slides 101-110: graphics only]
Experimental results [slides 112-127: graphics only]
Outline (section: Conclusion)
Conclusion
Reactive systems need terminating components
Termination is one of the frontiers of automatic program correctness proof tools
§ Together with shape and concurrency
Terminator automatically proves termination (and other liveness properties) of programs
Conclusion
See research.microsoft.com/Terminator
Write to bycook@microsoft.com
Thank you for your attention
- Slides: 131