proving termination conditions
DESCRIPTION
Proving termination conditions. Mentor : Dr. Ben Livshits & Dr. Stephan Tobies. The Project. The aim: Investigate state of the art approaches for termination proof; Prove termination of sample algorithms. We focused on the following cases: Nested loops ; Recursion ; - PowerPoint PPT PresentationTRANSCRIPT
Proving termination conditions Name E-mail Country, City, University
Omer Subasi [email protected] Turkey, Istanbul, Koc University
Anton Dergunov [email protected] Russia, Nizhny Novgorod, UNN
Krasnoshtan Dmytro [email protected] Ukraine, Kiev, KPI
Georgiy Savchenko [email protected] Russia, Krasnoyarsk, Siberian federal university
Pavel Ajtkulov [email protected] Russian, Izhevsk, Udmurt State University
Mentor: Dr. Ben Livshits & Dr. Stephan Tobies
The Project
• The aim:– Investigate state of the art approaches for termination proof;
– Prove termination of sample algorithms.• We focused on the following cases:– Nested loops;– Recursion;– Linked list data structures.
2
Termination
• A program is terminating if all its executions of all its executions are finite.
• A program is non-terminating it there exits at least one infinite execution.
3
Motivation
Functional correctness + termination proof =Total correctness
• The halting problem: termination is undecidable (Alan Turing).
• Does not mean we can’t not prove termination in every case. We can prove termination via introducing termination metrics (ranking functions).
4
Termination proof in Dafny
• Dafny is a programming language and verifier that enables to prove terminations of algorithms.
• Dafny provides annotations to specify termination metrics
• Many verifiers do not support termination proofs
• http://research.microsoft.com/en-us/projects/dafny/
5
Dafny Approach-Formalism
• Let U be a non-empty set of disjoint union of algebraic datatypes, tuples and variables.
• Algebraic datatypes: sets, sequences, lists.• Let S be set of states of program.• Let (Y,>=) be a well-ordered set.• For instance, ℕ is a well-ordered set.
6
Formalism Cont.
• Define metric φ:UxSY such that– For ∀ transition (s,s’), φ(u,s)> φ(u,s’)– For ∀ state s, u in U∀ , φ(u,s)>=0– ∃ δ>0 such that for ∀ transition (s,s’) and u in ∀U, φ(u,s)> φ(u,s’)+δ
• Usually this mapping is called progress measure or ranking function
7
Node #1ReachableNodes: {1, 2, 3, 4, 5}
Node #3ReachableNodes: {3}
Node #2ReachableNodes: {2, 4, 5}
Node #4ReachableNodes: {4}
Node #5ReachableNodes: {5}
method Find(x: int): returns (found:bool) decreases ReachableNodes;{ if (x == data) {found := true;} else if (left != null && x < data) {found := left.Find(x);} else if (right != null && x > data) {found := right.Find(x);} else {found := false;}}
)Reachable()Reachable(
)Successor(
:,
21
21
21
NodeNode
NodeNode
TreeNodeNode
Other Approaches
• Compose termination arguments since constructing a ranking function can be difficult
• Decompose the termination check into easier ones
• Terminator http://research.microsoft.com/en-us/um/cambridge/projects/terminator/ development of automatic methods for proving program termination and general liveness properties 9
Our Contribution
• Proved termination of several Dafny programs:– QuickSort–MergeSort– Insertion sort– Insertion and search for binary search tree
• We have investigated state of art for termination proof.
• Idea: reusing termination metric to prove computational complexity of algorithms. 10
What we have learned
• More in-depth understanding of formal verification.
• Got information about proving termination properties.
• Got additional insights how complexity analysis can be implemented by reusing termination metric.
What remains to be done
•
11
Thank you!Questions?
12
Possible tools
• partial correctness + termination = total correctness• partial correctness + time > total correctness
VCC provides only partial correctnessOther tools:- Code contracts- Dafny- f*- spec#
13
Why dafny
It is imperative, sequential, supports generic classes and dynamic allocation, and builds in specification constructs.
Also- Updatable ghost variables- Recursive functions- Proof of total correctness- Types like algebraic datatypes (sets, sequences)
14
Principles of termination by Byron Cook
• A program is terminating if all its executions are finite. A program is non-terminating it there exits at least one infinite execution.
• When trying to prove termination, one tries to prove program’s transition relation is well-founded.
• Turing’s suggestion for proving well-foundedness: Find a map form (R,S) to a well-ordered set and then prove this map is a homomorphism. These maps are typically ranking functions.
• Constructing a ranking function can be difficult: Compose termination arguments.
• Another idea: Decompose the termination check into easier ones.
15
Notation
{P}C{Q} : partial correctness[P]C[Q] : total correctness
Problems with:- While loop ( for is alias in C-like languages)- Recursion- Function invocation
16
Total Correctness Specification
A total correctness specification [P]C[Q] true if- Whenever C is executed in a state satisfying P, then the execution of C terminates
- After C terminates Q holdsWith the exception of the WHILE, FOR loops, recursion and function invocation, all the axioms and rules described so far are sound for total correctness as well as partial correctness
17
Rules for Non-Looping Command
• Replace { and } by [ and ], respectively, in:- Assignment axiom- Consequence rules- Conditional rules- Sequencing rule- Block rule
18
Total Correctness Assignment Axiom
- Assignment axiom for total correctness:Ⱶ [P [E/V ]] V := E [P ]- Note that the assignment axiom for total correctness states that assignment commands always terminate
- So all function applications in expressions must terminate
- This might not be the case if functions could be defined recursively
EXAMPLE: X := fact(-1), where fact(n) = if n = 0 then 1 else n * fact(n - 1)
19
WHILE Rule for Total Correctnes
- WHILE commands are the only commands that can cause non-termination
- The idea behind the WHILE rule for total correctness is:
1) to prove WHILE S DO C terminates 2) show that some non-negative quantity decreases on each iteration of C 3) this decreasing quantity is called a variant
20
WHILE Rule for Total Correctness
•
21
Derived rules
Multiple step rules for total correctness can be derived in the same way as for partial correctness- The rules are the same up to the brackets used- Same derivations with total correctness rules replacing partial correctness ones
22
Example 3: ghost dataclass ListNode { var data: int; var next: ListNode; ghost var reachableNodes: set<ListNode>; // ...
function sum(): int reads *; decreases reachableNodes; { if next == null then data else data + next.Sum() }}
23
Example 1: no termination proof is required
method processArray(numbers: array<int>) requires numbers != null; { var i := 0; var sum := 0; while (i < numbers.Length) { sum := sum + numbers[i]; i := i + 1; }}
24
Dafny programs that we have proved
Termination of:• QuickSort• MergeSort• Insertion and search for binary search tree
• TODO: outline the most interesting aspects of these programs
25