Alternation for Termination

Alternation for Termination

William Harris, Akash Lal, Aditya NoriSriram Rajamani

1

1

2

2

2

2

Termination bugs are a real problem in systems and application code.

“Gecko mediaplayer hangs the browser”

“Eclipse hangs after 5 minutes or so of working”

“BUG: Silverlight makes browser hang after BeginSaveChanges on some machines”

“BUG: VB Hangs While Automating Excel Using OLE Control”

…

A Quick Search “bug code hangs”:

Key challenge to proving termination:

Analyzing the context of a loop

An Example with Non-Trivial Contextf(int d, z) { int x, y;

while (x > 0 && y > 0) {if (*) {

x := x – d;y := *;z := z – 1;

} else {y := y – d;

}} }

main() { int k; int z = 1; while (z < k) { z := 2 * z; }

f(1, z); f(2, z);}

Local Termination Provers

For a fixed over-approximation of a loop, find a proof of termination

Local Provers Succeeding

while (x > 0 && y > 0) {assume(d > 0);if (*) {

x := x – d;y := *;z := z – 1;

} else {y := y – d;

}}

yx

Local Provers Failingf(int d) {

int x, y;while (x > 0 && y > 0) { assume(d > 0);

if (*) {x := x – d;y := *;z := z – 1;

} else {y := y – d;

} } }

main() { f(1); f(2);}??

Transition Invariants

From stem and cycle of a loop,guess and check a proof of termination

Advantage of Transition Invariants

A stem to a loop can include information about the loop’s context.

Transition Invariants Succeedingf(int d) {

while (x > 0 && y > 0) {if (*) {

x := x – d;y := *;

} else {y := y – d;

}} }

main() {f(1);f(2); }

while (x > 0 && y > 0) {

x := x – d; y := *;

}

x

Transition Invariants Succeedingf(int d) {

while (x > 0 && y > 0) {if (*) {

x := x – d;y := *;

} else {y := y – d;

}} }

main() {f(1);f(2); }

while (x > 0 && y > 0) {

y := y - d;}

y

Disadvantage of Transition Invariants

Stem and cycle can lead to incorrect guesses for proof of termination.

Transition Invariants Failingf(int d) {f(int d, int z) { int x, y;

while (x > 0 && y > 0) {if (*) {

x := x – d;y := *;z := z – 1;

} else {y := y – d;

} } }

main() { int k; int z = 1; while (z < k) { z := 2 * z; }

f(1); f(1, z); f(2); f(2, z);}

Key Insight of TREX

From cycles through a loop,infer invariants for proving termination.

Context Analysis via TREXf(int d, z) { int x, y;

while (x > 0 && y > 0) {assume(d > 0);if (*) {

x := x – d;y := *;z := z – 1;

} else {y := y – d;

} } }

main() { int k; int z = 1; while (z < k) { z := 2 * z; }

f(1, z); f(2, z);}

Payoff of TREX’s Approach

TREX can apply local provers to find a proof of termination quickly

Analysis via TREXf(int d, z) { int x, y;

while (x > 0 && y > 0) {assume(d > 0);if (*) {

x := x – d;y := *;z := z – 1;

} else {y := y – d;

} } }

main() { int k; int z = 1; while (z < k) { z := 2 * z; }

f(1, z); f(2, z);}

x, y

TREX in More Detail

•TREX by example

•Experiments

TREX iterativelyfinds a proof of termination,or finds a counterexample to termination, or refines stronger program invariants

The TREX Algorithm

TREX Iteration Step 1

Find a proof of terminationby applying a

local termination prover

f(int d, z) { int x, y;

while (x > 0 && y > 0) {if (*) {

x := x – d;y := *;z := z – 1;

} else {y := y – d;

} } }

main() { int k; int z = 1; while (z < k) { z := 2 * z; }

f(1, z); f(2, z);}

TREX Iteration Step 1

??

TREX Iteration Step 2

If local prover fails, then find a counterexample cycle

TREX Iteration Step 2f(int d, z) { int x, y;

while (x > 0 && y > 0) {if (*) {

x := x – d;y := *;z := z – 1;

} else {y := y – d;

} } }

main() { int k; int z = 1; while (z < k) { z := 2 * z; }

f(1, z); f(2, z);}

while (x > 0 && y > 0) { y := y – d;}

TREX Iteration Step 3

From the counterexample cycle,find a sufficient condition for

non-termination by applying anon-termination prover (TNT)

Applying a Non-Termination Prover

while (x > 0 && y > 0) { y := y – d;}

Non-termination if:y > 0 && d <= 0

TREX Iteration Step 4

Check if the sufficient conditionis reachable

TREX Iteration Step 4f(int d, z) { int x, y;

while (x > 0 && y > 0) {assert(d > 0);if (*) {

x := x – d;y := *;z := z – 1;

} else {y := y – d;

} } }

main() { int k; int z = 1; while (z < k) { z := 2 * z; }

f(1, z); f(2, z);}

while (x > 0 && y > 0) { y := y – d;}

Non-termination if:y > 0 && d <= 0

TREX Iteration Step 5

If the sufficient condition is unreachable, then assume this as an invariant.

TREX Iteration Step 5f(int d, z) { int x, y;

while (x > 0 && y > 0) {assert(d > 0);if (*) {

x := x – d;y := *;z := z – 1;

} else {y := y – d;

} } }

main() { int k; int z = 1; while (z < k) { z := 2 * z; }

f(1, z); f(2, z);}

assume(d > 0);

x, y

Experiments

Windows Vista driver snippets

Vista Driver SnippetsDriverName

TREX time (s) Terminator* time (s) TREX speedup

1 13.8 32.1 2.3

2 15.3 48.0 3.1

3 7.9 5.9 0.7

4 3.1 12.3 3.9

5 6.4 8.8 1.4

6 3.0 13.8 4.6

7 10.2 11.8 1.2

8 9.4 11.0 1.2

9 TO TO ---

10 2.5 10.3 4.1

Conclusion

TREX proves termination by using cycles through a loop to infer useful

program invariants

Extra slides

Transition Invariants Succeedingf(int d) {

while (x > 0 && y > 0) {if (*) {

x := x – d;y := *;

} else {y := y – d;

}} }

main() {f(1);f(2); }

x, y

Transition Invariants Failingf(int d) {f(int d, int z) { int x, y;

while (x > 0 && y > 0) {if (*) {

x := x – d;y := *;z := z – 1;

} else {y := y – d;

} } }

main() { int k; int z = 1; while (z < k) { z := 2 * z; }

f(1); f(1, z); f(2); f(2, z);}

while (x > 0 && y > 0) {assume(d = 1 && z = 1);if (*) {

x := x – d;y := *;z := z – 1;

} }

z - 1z = 1;

f(1, z);

Transition Invariants Failingf(int d) {f(int d, int z) { int x, y;

while (x > 0 && y > 0) {if (*) {

x := x – d;y := *;z := z – 1;

} else {y := y – d;

} } }

main() { int k; int z = 1; while (z < k) { z := 2 * z; }

f(1); f(1, z); f(2); f(2, z);}

while (x > 0 && y > 0) {assume(d = 1 && z = 2);if (*) {

x := x – d;y := *;z := z – 1;

} }

z - 2z = 1; z := 2 * z;

f(1, z);