real-time systems, cosc-4301-01, lecture 15
DESCRIPTION
Real-Time Systems, COSC-4301-01, Lecture 15. Stefan Andrei. Reminder of the last lecture. Decomposition-based Verification of Linear Real-Time Systems Specifications. Overview of This Lecture. Termination analysis by function inversion. Introduction. - PowerPoint PPT PresentationTRANSCRIPT
04/20/23 COSC-4301-01, Lecture 15 1
Real-Time Systems, COSC-4301-01, Lecture 15
Stefan Andrei
04/20/23 COSC-4301-01, Lecture 15 2
Reminder of the last lecture
Decomposition-based Verification of Linear Real-Time Systems Specifications
04/20/23 COSC-4301-01, Lecture 15 3
Overview of This Lecture
Termination analysis by function inversion
Introduction Program’s correctness is one of the most
important problem in computer science: Partial correctness: a program P that terminates for
any given input provides the expected output; Total correctness: Partial correctness + Termination
A program P terminates if it executes a finite number of steps for any input until provides the output.
Total correctness is more important than partial correctness (M. Huth and M. Ryan: Logic in Computer Science.
Modelling and Reasoning about Systems. Cambridge Press, 2004)
04/20/23 COSC-4301-01, Lecture 15 4
Introduction (cont) The halting problem (a.k.a., the termination
problem): Given a program and a finite input, decide whether
the program finishes running or will run forever? In 1936, Alan Turing showed that the halting
problem is undecidable. Hence, there is no general algorithm to prove
program termination or to determine the runtime of a program.
The halting problem is so famous because it was one if the first problems proved undecidable.
04/20/23 COSC-4301-01, Lecture 15 5
Related Work
It has been clear since the early days of computing that a program correctness argument can be clearly partitioned into partial (conditional) correctness, and termination: C.A.R. Hoare. An Axiomatic Basis for Computer
Programming. Communications of the ACM, 12:576–580, 1969.
04/20/23 COSC-4301-01, Lecture 15 6
Related Work (cont.) Termination analysis has been developed for
different programming frameworks over the years: N. Dershowitz, N. Lindenstrauss, Y. Sagiv, and A. Serebrenik. A
General Framework for Automatic Termination Analysis of Logic Programs. Applicable Algebra in Engineering, Communication and Computing, 12(1/2):117–156, 2001.
M. Colon and H. Sipma. Practical Methods for Proving Program Termination. In 14th International Conference on Computer Aided Verification (CAV), volume 2404 of Lecture Notes in Computer Science, pages 442–454. Springer, 2002.
Byron Cook, Andreas Podelski, and Andrey Rybalchenko. Termination proofs for systems code. SIGPLAN Not., 41(6):415–426, 2006.
04/20/23 COSC-4301-01, Lecture 15 7
Related Work (cont.) There are many applications in real-time systems
for which the termination problem is motivated. The termination problem was also considered in
other papers: C.S. Lee, N.D. Jones, and A.M. Ben-Amram. The Size-Change
Principle for Program Termination. In Conference Record of the 28th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, volume 28, pages 81–92. ACM press, January 2001.
H. Anderson, S.C. Khoo, S. Andrei, and B. Luca. Calculating Polynomial Runtime Properties. In Kwangkeun Yi, editor, APLAS 05: Asian Symposium on Programming Languages and Systems, pages 230–246, Springer, 2005.
04/20/23 COSC-4301-01, Lecture 15 8
Conversion from while to recursion To the best of our knowledge, all these related works
considered termination methods where the parameters values are decreasing.
Our technique removes this restriction (Program P1 below):
04/20/23 COSC-4301-01, Lecture 15 9
x = <some real value>;
a = <some real value>;
n = <some positive integer value>;
while (n != 0 && n != 1) {
if (n % 2 == 0) { x = x * x; n = n / 2; }
else { n++; a = x * a; }
}
return a;
F1 corresponds to P1
04/20/23 COSC-4301-01, Lecture 15 10
We limit the definition of the termination analysis to function calls only.
The Runtime
The runtime (a.k.a., as the running time) of a function execution is the number of function calls until it terminates.
Such calls are the only difficult part of a runtime calculation, as other program constructs (statements, parameters transmission) add constant time delays.
04/20/23 COSC-4301-01, Lecture 15 11
Essential Arguments
The programs subject to analysis may contain arguments that are not essential for our method.
Formally, given an initial program P, we denote by [P] the projection of P by considering only the parameters that occur in the test conditions of P: An initial program P terminates if and only if [P]
terminates, too.
04/20/23 COSC-4301-01, Lecture 15 12
Essential Arguments (example) F1 is a function similar to
that used in the calculation of xn.
The projection of F1 (denoted as PF1) is given by Figure 1, where x and a are not parameters involved in the program’s termination.
Note that PF1 is a single-parameter function, as it only has n as a parameter.
04/20/23 COSC-4301-01, Lecture 15 13
The Numerical Normal Form
Given a program P expressed as a single recursive function, we say that f() is the numerical normal form of [P] if and only if: Arguments of f() are the same as arguments of [P]; Branch conditions of f() correspond to test
conditions of [P]; The body of each branch of f() corresponds to the
argument of the same branch of [P].
04/20/23 COSC-4301-01, Lecture 15 14
An Equivalent Reformulation
The termination problem for [P] is equivalent to showing that for any n N, there exists a k N such that f(k)(n) = 0, where: f(1) = f, f(k+1) = f f(k), means the function’s composition, and 0 is a constant corresponding to termination.
04/20/23 COSC-4301-01, Lecture 15 15
Equivalent Reformulation (example) The numerical normal form of PF1 can be
given by f1 : N N. The recursive calls of PF1 correspond to
function’s composition operations of f1():
04/20/23 COSC-4301-01, Lecture 15 16
PF1(n) has k recursive calls until STOP if and only if f1
(k)(n) = 0.
Our Class of Functions We consider the general numerical normal form for
functions having one parameter is F : N N such as:
04/20/23 COSC-4301-01, Lecture 15 17
where: n’0, ..., n’m-1 are constants;
x = n0, ..., x = nm-1 are terminating conditions;
0(x), ..., p-1(x) are called non-terminating conditions;
f0(x), ..., fp-1(x) are invertible functions.
The Execution Trace Tree Given a function F(), the execution trace tree is
denoted ETT(F). This tree is a pair (V,E), where V is the set of
nodes (vertices) and E is the set of arcs (edges). ETT(F) has an unlabeled root that has a number of
direct descendants equal to the number of values from the termination conditions (e.g., values n’0, ..., n’m-1).
Each arc from node y to node x every time F(x) = y has a solution.
04/20/23 COSC-4301-01, Lecture 15 18
ETT(F) for our class
04/20/23 COSC-4301-01, Lecture 15 19
_
n’0 n’m-1
n0nm-1
y
x
…
… …
…
…
F(x)=y has a solution.
Finite Fragments of ETT(F) ETT(F) may contain infinite paths. For any y N+, k N+ a finite p-ary tree with root
y, having k levels, denoted ETTk(y) = (Vk, Ek).
Each node, except the root, v Vk is labeled with a natural number, denoted by label(v).
The node v may have 1, 2, ..., p descendants depending on its label y.
That is, i {0, ..., p – 1} whenever βi(f -1i(y))
holds, then v has a descendant labeled by f -1i(y).
04/20/23 COSC-4301-01, Lecture 15 20
Connection to Termination Problem If all paths from the root are finite, then the
termination problem can be easily solved. For the inputs that are labels of ETT(F), the
termination problem holds. For the inputs not labels of ETT(F), the program runs
infinitely. We denote labels(V) as being {label(v) | v V}. One inclusion is obvious: labels(V ) N. Hence, the termination problem for F is
equivalent to: labels(V(ETT(F))) = N+.
04/20/23 COSC-4301-01, Lecture 15 21
An Example with Finite ETT
Function f2 is terminating only for inputs 0, 1, 2, and is non-terminating for the other naturals 3, 4, ...
So, the challenging case for tackling the termination problem and computing the runtime is when ETT has at least one potentially infinite path.
04/20/23 COSC-4301-01, Lecture 15 22
An Effective Non-Trivial Subclass We consider the cases when fi() are affine
functions and i() are conditions containing modulo operators (called modulo-case functions):
04/20/23 COSC-4301-01, Lecture 15 23
where F : N N, and i {0, ..., p-1}, we have ai Q+, bi Q, ai × p N and ai × i + bi N.
ETT(F) for a Modulo-Case Function Considering a modulo-case function, an arbitrary node
v of ETT(F) may have up to p descendants depending on its label y.
That is, i {0, ..., p-1} whenever (y-bi)/ai i (mod p), then v has a descendant labeled by (y-bi )/ai.
Example: ETT(f1) is an infinite binary tree.
f -11 = {(m, 2m) | m 1} {(m, m - 1) | m is even}.
04/20/23 COSC-4301-01, Lecture 15 24
ETT5(f1)
04/20/23 COSC-4301-01, Lecture 15 25
The arc (2, 1) was not generated because 1 belongs to ETT5(f1).
Our Systematic Method
s = max i={0, …, p-1} { 1/ai, 1} and (k) =
sk if s > 1 k if s = 1
where x represents the integer ceiling of x. The set {0, 1, 2, ..., (k)} will be used in our method. The main idea is to generate ETT(f) until the algorithm
finds a polynomial as an upper bound for the smallest level (sl) such that the set {0, 1, 2, ..., (k)} can be found as labels for the first sl levels of ETT(f).
04/20/23 COSC-4301-01, Lecture 15 26
Our Systematic Method (cont.) If such a polynomial is found, then the
designer can start doing the formal proof for the induction step.
If this fails, then the algorithm will search a polynomial of a higher degree.
The algorithm will look for polynomials of a predefined maximum degree, say dmax.
04/20/23 COSC-4301-01, Lecture 15 27
Algorithm A - Pseudocode
The Input: A modulo-case function f() and a positive integer dmax
The Output: ‘Yes’ (if f() is terminating) and a domain constraint
as well as an estimation of running time, otherwise ‘Polynomial up to degree dmax not found’ (if the
algorithm cannot find a polynomial for the runtime).
04/20/23 COSC-4301-01, Lecture 15 28
Algorithm A - Pseudocode (cont.)
04/20/23 COSC-4301-01, Lecture 15 29
Algorithm A - Pseudocode (cont.)
04/20/23 COSC-4301-01, Lecture 15 30
Algorithm A’s Correctness
Theorem 4.1 Let f be a modulo-case function, and dmax a positive integer. Algorithm A will provide: ‘Yes’ and a domain constraint as well as an
estimation of running time, if the algorithm proved that f is terminating;
‘Polynomial up to degree dmax not found’, if the algorithm cannot find such a polynomial as an upper bound for the runtime.
04/20/23 COSC-4301-01, Lecture 15 31
Algorithm A applied to f1()
From the definition of f1(), we get s = 2, so (k) = 2k.
The sets {0, 1, 2} and {0, 1, 2, 3, 4} are generated by level 1 and 3, respectively.
The polynomial P of degree 1 such that P(1) = 1 and P(2) = 3 is P(x) = 2x – 1.
Algorithm tests whether {0, 1, 2, ..., 23} are labels of ETT(f1) by level P(3) = 5.
According to Figure from slide 23, this assertion holds.
04/20/23 COSC-4301-01, Lecture 15 32
Algorithm A applied to f1() Checking inductive step:
suppose that {0, 1, 2, ..., 2k} are labels of ETT(f1) by the level P(k) = 2k - 1;
the method checks whether {0, 1, 2, ..., 2k, 2k + 1, ..., 2k+1} are labels of ETT(f1) by level P(k + 1) = 2k + 1.
The proof is based on the fact that f-11={(m, 2m) | m
1} {(m, m - 1) | m is even}.
Our algorithm was able to systematically prove the termination problem.
The running time is 2 × log2(n)-1.
04/20/23 COSC-4301-01, Lecture 15 33
04/20/23 COSC-4301-01, Lecture 15 34
Conclusion
This paper presented a novel and systematic approach for calculating the maximum runtime of functions for a nontrivial class of programs, based on an induction over a tree of execution traces.
Future work We are working towards a more complete
characterization of the class of functions for which the runtime and termination analysis can be done using our approach.
Comparison with state-of-the-art termination tools (e.g., Terminator);
Applying our algorithm to challenging and famous problems, e.g., the Collatz problem (a.k.a., the ‘3x+1’ problem);
Changing the class of polynomials to exponentials (or other functions) as an upper bound for labels of the ETT(F).
04/20/23 COSC-4301-01, Lecture 15 35
04/20/23 COSC-4301-01, Lecture 15 36
Summary
Termination Analysis by Function Inversion
04/20/23 COSC-4301-01, Lecture 15 37
Reading suggestions
[And08] Andrei, S.: Termination Analysis by Program Inversion. SYNASC 2008
04/20/23 COSC-4301-01, Lecture 15 38
Coming up next
Modechart
04/20/23 COSC-4301-01, Lecture 15 39
Thank you for your attention!
Questions?