
Proving Mutual Termination of single-threaded programs

Dima Elenbogen, Ofer Strichman, Shmuel Katz

Technion, Haifa, Israel

Notion of equivalence for this presentation

Goal: verification of the mutual termination of two similar programs.

Mutual termination: given equal inputs, P1 terminates ⟺ P2 terminates.

Undecidable.

Alternative: termination of a single program

New tools have recently been developed: Terminator, Mutant, ...

Still, there are two major problems: incompleteness and complexity.

Mutual Termination vs. Proving Termination

Pros:
- Computationally easier to check the mutual termination of two programs than to prove the termination of each of them.
- Fully automated: it does not require finding a well-founded set.
- Programs do not necessarily terminate. A termination check then has nothing to say, while mutual termination can still say something useful.

Cons: defines a weaker notion.

Goals

Develop proof rules for mutual termination.

Present an algorithm for checking mutual termination that uses the proof rules and is sensitive to the magnitude of the change rather than the magnitude of the programs.

Prerequisites

Assume: no loops (but there are recursive functions); a 1-1 mapping map between the functions of both sides, which must intersect all cycles in the call graphs; the mapped functions have the same signature.

[Figure: the call graphs of side A (f1, f2, f3, f4, f5, f6) and side B (f1', f2', f4', f5', f7'); the function pairs joined across the two sides are the elements of map.]

Mutual termination (simple case)

Consider the call graphs: [Figure: A on side 1 and B on side 2, each with a self loop.]

We want to prove that A, B are mutually terminating. How shall we handle the recursion?

Call-equivalence

Definition: functions A, B are call-equivalent if, for equal inputs, for all callees f, g such that (f, g) ∈ map: f is called ⟺ g is called, and f and g are called with the same arguments.

A(x, y) {
  if (cond1)
    f(x,y)
  f(0, 0)
}

B(x, y) {
  g(0,0)
  if (cond2)
    g(x,y)
  if (cond3)
    g(x,y)
}

The order and the number of calls do not matter.

Preliminary inference rule (simple case)

A(x, y) {
  if (cond1)
    A(x1,y1)
  else ...
}

B(w, z) {
  if (cond2)
    B(w1,z1)
  else ...
}

[Figure: A on side 1 and B on side 2, each with a self loop.]

(M-TERM-REC)   call-equiv(A, B)
               ----------------------
               mutual-terminate(A, B)

The premise is undecidable

A(x, y) {
  if (A(x', y') > ...)
    A(x1,y1)
  else ...
}

B(w, z) {
  if (B(w', z') > ...)
    B(w1,z1)
  else ...
}

[Figure: A on side 1 and B on side 2, each with a self loop.]

How can we prove the premise call-equiv(A, B) of (M-TERM-REC)?

Uninterpreted functions

Replace the recursive calls with calls to functions that over-approximate A, B and are terminating by construction.

Natural candidates: uninterpreted functions. They abstract all functionality; we only know they are consistent: x = y → UF(x) = UF(y).

F(x, y) {
  if (cond1)
    F(x1,y1)
  else ...
}

G(w, z) {
  if (cond2)
    G(w1,z1)
  else ...
}

Replacing recursive calls (1 / 2)

Let F_UF, G_UF be F, G after replacing the recursive call with a call to the corresponding uninterpreted function.

F_UF(x, y) {
  if (cond1)
    UF(F)(x1,y1)
  else ...
}

G_UF(w, z) {
  if (cond2)
    UF(G)(w1,z1)
  else ...
}

Replacing recursive calls (2 / 2)

[Figure: F_UF on side 1 and G_UF on side 2; the self loops are gone, replaced by calls to UF(F) and UF(G).]

Proving mutual termination

Let F_UF, G_UF be F, G after replacing the recursive calls with calls to uninterpreted functions. We can now rewrite the rule:

(M-TERM-SIMPLE)   call-equiv(F_UF, G_UF)
                  -----------------------
                  mutual-terminate(F, G)

This premise is decidable.

General inference rule

Now we want to generalize from a single self loop to MSCCs in the call graphs:

Definition: is called in A]

(M-TERM)   ∀(F, G) ∈ map. call-equiv(F_UF, G_UF)
           --------------------------------------
           ∀(F, G) ∈ map. mutual-terminate(F, G)

Connected MSCCs

Connected MSCCs: prove bottom-up; abstract the functions already proven mutually terminating; inline the rest.

[Figure: side 1 with f, g, h and side 2 with f', g', h'; the calls to h and h' are replaced by UF(h) and UF(h'); {(g,g'), (f,f'), (h,h')} ⊆ map.]

Decomposition algorithm

[Figure: the call graphs of A (f1, f2, f3, f4, f5, f6) and B (f1', f2', f4', f5', f7') from the Prerequisites slide, with each pair marked according to the legend below.]

Legend: mutually terminating pair; syntactically equivalent pair; mutual termination undecided yet; could not prove mutual termination; U: unpaired function; check: the pair under check.

Mutual recursion

Find a sub-map that intersects all cycles, e.g., {(g,g')}. Only when calling functions in this sub-map, replace the call with a call to an uninterpreted function.

[Figure: side 1 with f and g, side 2 with f' and g'; the calls to g and g' are replaced by UF(g) and UF(g'); {(g,g'), (f,f')} ⊆ map.]

Decomposition with mutual recursion

[Figure: the call graphs of A and B, showing f1, f2, f5 and f1', f2', f5' among others; unpaired functions are marked U and the pair under check is marked check.]

Legend: mutually terminating pair; syntactically equivalent pair; call-equivalent, mutual termination undecided yet; could not prove mutual termination.
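The decomposition of the last few slides, as an added example in Python that is not RVT's code: functions are modelled as lists of (callee, symbolic-argument) calls, MSCCs of the call graph are taken bottom-up, a sub-map that intersects all cycles is chosen greedily, calls into the sub-map or into already-checked pairs become UF calls, every other callee is inlined, and call-equivalence is decided on the resulting call sets. The sample call graphs, the status labels and the simplification that argument expressions are not substituted when a callee is inlined are assumptions of the example.

```python
# Added example, not RVT's code: the bottom-up decomposition of the slides on a toy
# model. A side is a dict  function -> list of (callee, args)  with symbolic string
# arguments; mapped functions are assumed to share parameter names (equal inputs).

MUT_TERM = "mutually terminating pair"
UNDECIDED = "call-equivalent; mutual termination undecided"
NOT_PROVED = "could not prove mutual termination"
UNPAIRED = "unpaired function"

def sccs_bottom_up(graph):
    """Tarjan's algorithm; returns SCCs callees-first, the order the slides prove them in."""
    index, low, stack, out = {}, {}, [], []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        for w in graph.get(v, []):
            if w not in index:
                visit(w)
            if w in stack:                 # w still open, so it belongs to v's component
                low[v] = min(low[v], low[w])
        if low[v] == index[v]:             # v is the root of a component: pop it
            out.append(stack[stack.index(v):])
            del stack[stack.index(v):]

    for v in graph:
        if v not in index:
            visit(v)
    return out

def has_cycle(graph, nodes):
    """DFS colouring: does the subgraph induced by `nodes` contain a cycle?"""
    colour = {v: 0 for v in nodes}         # 0 unvisited, 1 on the DFS path, 2 done

    def dfs(v):
        colour[v] = 1
        for w in graph.get(v, []):
            if w in colour and (colour[w] == 1 or (colour[w] == 0 and dfs(w))):
                return True
        colour[v] = 2
        return False

    return any(colour[v] == 0 and dfs(v) for v in nodes)

def choose_submap(graph, scc, fmap):
    """Greedily pick mapped functions of the MSCC until every cycle passes through one."""
    remaining, chosen = set(scc), []
    for f in sorted(scc):
        if not has_cycle(graph, remaining):
            break
        if f in fmap:
            chosen.append(f)
            remaining.discard(f)
    if has_cycle(graph, remaining):
        raise ValueError(f"map does not intersect every cycle of {sorted(scc)}")
    return chosen

def uf_calls(side, f, abstracted, path=None):
    """Calls of f once callees in `abstracted` are UFs and all other callees are inlined."""
    path = (f,) if path is None else path
    result = set()
    for callee, args in side[f]:
        if callee in abstracted:
            result.add((callee, args))     # kept as an uninterpreted-function call
        elif callee in path:
            raise ValueError(f"inlining {callee} does not terminate")
        else:                              # inlined (argument substitution not modelled)
            result |= uf_calls(side, callee, abstracted, path + (callee,))
    return result

def decompose(side_a, side_b, fmap):
    """Status per function (side-A name for a mapped pair, own name if unpaired)."""
    graph_a = {f: [c for c, _ in calls] for f, calls in side_a.items()}
    status = {g: UNPAIRED for g in side_b if g not in fmap.values()}
    processed = set()                      # side-A functions whose pair was checked
    for scc in sccs_bottom_up(graph_a):
        status.update({f: UNPAIRED for f in scc if f not in fmap})
        pairs = [(f, fmap[f]) for f in scc if f in fmap]
        if not pairs:
            continue                       # unpaired functions are inlined by their callers
        abstract_a = processed | set(choose_submap(graph_a, scc, fmap))
        verdict, deps = {}, set()
        for f, g in pairs:
            calls_a = uf_calls(side_a, f, abstract_a)
            verdict[f] = {(fmap[c], a) for c, a in calls_a} == uf_calls(side_b, g, {fmap[h] for h in abstract_a})
            deps |= {c for c, _ in calls_a if c not in scc}
        # (M-TERM): all pairs of the MSCC call-equivalent, and every abstracted callee
        # outside the MSCC already proven, gives mutual termination of the whole MSCC.
        proven = all(verdict.values()) and all(status[c] == MUT_TERM for c in deps)
        for f, _ in pairs:
            status[f] = MUT_TERM if proven else (UNDECIDED if verdict[f] else NOT_PROVED)
        processed |= {f for f, _ in pairs}
    return status

# Constructed sample after the slides' figures: f2/f4 and f2'/f4' are mutually
# recursive; f3, f6 and f7' are unpaired and therefore only ever inlined.
SIDE_A = {"f1": [("f2", ("x",)), ("f5", ("y",))], "f2": [("f3", ("x",)), ("f4", ("x",))],
          "f3": [], "f4": [("f2", ("x-1",))], "f5": [("f6", ("y",))], "f6": []}
SIDE_B = {"f1'": [("f2'", ("x",)), ("f5'", ("y",))], "f2'": [("f4'", ("x",)), ("f7'", ("x",))],
          "f4'": [("f2'", ("x-1",))], "f5'": [], "f7'": []}
MAP = {"f1": "f1'", "f2": "f2'", "f4": "f4'", "f5": "f5'"}
# A changed version B whose f4' recurses with a different argument (constructed).
SIDE_B_CHANGED = {**SIDE_B, "f4'": [("f2'", ("x-2",))]}
```

decompose(SIDE_A, SIDE_B, MAP) marks all four pairs mutually terminating and f3, f6, f7' unpaired. decompose(SIDE_A, SIDE_B_CHANGED, MAP) reproduces the legend of the last slide: the f2/f2' and f4/f4' pairs could not be proven, f1/f1' is call-equivalent but undecided because it depends on them, and f5/f5' is mutually terminating. uf_calls raises when a cycle avoids the abstracted set, which is exactly the prerequisite that the map intersects all cycles.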

The Regression Verification Tool (RVT)

Given two C programs with loops and recursive functions:
- Map functions, globals, etc.
- After that: decompose to the granularity of pairs of functions.
- Use a C verification engine (CBMC).

RVT

[Figure: architecture. Version A and Version B enter RVT, which merges them, renames identical globals, maps functions and globals, runs static analyses and decomposes. For each pair RVT emits a C program that enforces equality of inputs, replaces callees with UFs and asserts call-equivalence; CBMC checks it and feeds back either success or a call-equivalence counterexample.]

Improvements of completeness (1 / 2)

Partial equivalence: terminating executions of P1 and P2 on equal inputs result in equal outputs.

Taking advantage of the partial equivalence of functions: if we know that (f, g) ∈ map are partially equivalent, then UF(f) = UF(g).

We welcome additional ideas on how to refine our UFs.

Improvements of completeness (2 / 2)

Ignoring input arguments that do not affect the call-equivalence of a function. This improves mapping, as some mapped function pairs may have different prototypes.

Checking the termination of functions

Suppose we know that function A terminates. Can it help us to prove the termination of A'?

Define call-contain(A, A') as: for equal inputs, for each pair (f, f') ∈ map: f' is called in A' with argument x ⟹ f is called in A with argument x.

(TERM)   ∀(F, F') ∈ map. (term(F) ∧ call-contain(F_UF, F'_UF))
         ------------------------------------------------------
         ∀(F, F') ∈ map. term(F')

Value of Mutual Termination

Full equivalence: P1 and P2 are partially equivalent and mutually terminate.

Introduced in:
- Luckham, Park, and M. Paterson 1970 [On formalized computer programs]
- Pratt 1971 [Kernel equivalence of programs and proving kernel equivalence and correctness by test cases]

Regression verification of full equivalence is an important problem. Proving mutual termination is a crucial sub-task.

Questions?

Using (M-TERM-SIMPLE): example (1/2)

unsigned gcd1UF(unsigned a, unsigned b) {
  unsigned g;
  if (b == 0)
    g = a;
  else {
    a = a % b;
    g = UF1(b, a);        /* recursive call gcd1(b, a) replaced by UF1 */
  }
  return g;
}

unsigned gcd2UF(unsigned x, unsigned y) {
  unsigned z;
  z = x;
  if (y > 0)
    z = UF2(y, z % y);    /* recursive call gcd2(y, z % y) replaced by UF2 */
  return z;
}

term? Do gcd1 and gcd2 terminate?

Using (M-TERM-SIMPLE): example (2/2)

Proving call-equiv(gcd1UF, gcd2UF):
- Equal inputs
- Equal guards
- If called, then equal arguments

Valid. gcd1, gcd2 are mutually terminating.
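Call-equivalence of the gcd pair above, checked the way the call-equivalence definition and RVT's harness phrase it but without CBMC, as an added example in Python that is not part of the slides or of RVT: each side's recursive call goes to a recording uninterpreted-function stub, inputs are forced equal, and the sets of UF calls are compared for every input pair below a bound (a bounded test of the premise, whereas CBMC proves it for all inputs). The UF class, the bound, and the constructed gcd2_swapped_uf variant, a refactoring that no longer shrinks its second argument, are assumptions of the example.

```python
# Added example, not RVT or CBMC output: a bounded check of call-equiv(gcd1UF, gcd2UF).
# The uninterpreted function is a stub that records its arguments; the call-equivalence
# assertion is re-run for every input pair below a bound.

class UF:
    """Uninterpreted function: records every call and is consistent by construction
    (equal arguments always yield the same result), which is all we know about it."""

    def __init__(self):
        self.calls = set()          # order and number of calls do not matter
        self.table = {}

    def __call__(self, *args):
        self.calls.add(args)
        return self.table.setdefault(args, len(self.table))

def gcd1_uf(a, b, uf):
    """gcd1 from the slides with the recursive call gcd1(b, a) replaced by uf(b, a)."""
    if b == 0:
        g = a
    else:
        a = a % b
        g = uf(b, a)
    return g

def gcd2_uf(x, y, uf):
    """gcd2 from the slides with the recursive call gcd2(y, z % y) replaced by uf."""
    z = x
    if y > 0:
        z = uf(y, z % y)
    return z

def gcd2_swapped_uf(x, y, uf):
    """Constructed refactoring of gcd2 that swaps the recursive arguments: gcd(a, b) =
    gcd(b, a) makes it look harmless, but the second argument never shrinks."""
    z = x
    if y > 0:
        z = uf(z % y, y)
    return z

def call_equivalent(f, g, bound):
    """(True, None) if f and g make the same UF calls on every input pair below `bound`,
    else (False, (a, b, calls_of_f, calls_of_g)): a call-equivalence counterexample."""
    for a in range(bound):
        for b in range(bound):
            uf1, uf2 = UF(), UF()   # equal inputs, one UF per side
            f(a, b, uf1)
            g(a, b, uf2)
            if uf1.calls != uf2.calls:
                return False, (a, b, uf1.calls, uf2.calls)
    return True, None

def uf_is_consistent(uf, args, trials=3):
    """Functional consistency x = y -> UF(x) = UF(y): repeated calls agree."""
    return len({uf(*args) for _ in range(trials)}) == 1

if __name__ == "__main__":
    print("gcd1 vs gcd2:   ", call_equivalent(gcd1_uf, gcd2_uf, 64))
    print("gcd1 vs swapped:", call_equivalent(gcd1_uf, gcd2_swapped_uf, 64))
```

For gcd1 and gcd2 the call sets agree on every input, which is the premise of (M-TERM-SIMPLE); for the swapped variant the first differing input is (0, 1), where gcd1 calls UF(1, 0) and the variant calls UF(0, 1). That counterexample is the kind of feedback the RVT diagram shows CBMC returning, and it is found without ever reasoning about termination directly.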