Certification of Termination for Integer Transition Systems

Transcription

1 Certification of Termination for Integer Transition Systems Marc Brockschmidt, Sebastiaan Joosten, René Thiemann and Akihisa Yamada Supported by FWF project Y 757

2 Reliable software Formally verified theory about termination Theory about termination Termination checker Termination OK Termination proof Formally verified Termination proof checker Generate Termination proof checker Accept / Reject

3 Reliable software Formally verified theory about termination Theory about termination Termination checker Termination OK Termination proof Formally verified Termination proof checker Generate Termination proof checker Accept / Reject

4 Reliable software Formally verified theory about termination Theory about termination Termination checker Termination OK Termination proof Formally verified Termination proof checker Generate Termination proof checker Isabelle / HOL Accept / Reject

5 Outline How to assure termination? Program as labeled transition system Finding termination arguments What is essential in the proof of termination? What else can we check?

6 Program as labeled transition system (LTS) Place in the program => Label Variable update => Transition condition Termination => No infinite path from the start node

7 Program as LTS (example) function contains(list xs, y){ while (xs!= null){ if (xs.elem.equals(y)) return true; xs = xs.next; } return false; } xc!= 0 xc 0 xc' = xc - 1 y' = y xs.elem!= y start xc = 0 1b xs.elem == y xc' = xc y' = y xc!= 0

8 Program as LTS (example) Conditional termination can be encoded as extra conditions function contains(list xs, y){ } while (xs!= null){ if (xs.elem.equals(y)) xs = xs.next; } return false; return true; If all constraints are conjunctions of linear inequalities over Integers, we call it an ITS xc!= 0 xc 0 xc' = xc - 1 y' = y xs.elem!= y start xc = 0 1b xs.elem == y xc' = xc y' = y xc!= 0

9 Termination of LTS Original LTS Cooperation coorporation graph X A C C B D D X Better termination proving through cooperation Marc Brockschmidt, Byron Cook, Carsten Fuhs

10 Termination of LTS Original LTS Cooperation coorporation graph X Only if v = 1 v := 1 A v := 0 C C B v := 0 D D Result: - argument why the cycle cannot occur infinitely often - updated Cooperation graph X

11 Termination-proof of LTS Original coorporation-like Cooperation like-graph A C B D

12 Infinite path through original => Infinite path through cooperation graph Original coorporation-like Cooperation like-graph A C B D

13 Termination-proof of LTS finite (transitions R) copy_prog T P R lts T R cooperation_sn T P lts_termination T R

14 Termination-proof of LTS Give a function f(l,a) l: label a: assignment of variables in state with label l f is non-increasing for all (remaining) transitions f is decreasing for to-be-deleted transitions there is a bound, i.e. f cannot decrease infinitely often

15 Termination-proof of LTS Original LTS x 0 y' = y x' = x A C x' = x y > 0 x 0 y' = y x' = x A C x' = x y > 0 x 0 y' = y x' = x e1 B e2 e3 D x' = x y > 0 x' = x - 1 y' =? x > 0 x' = x - 1 y' =? x > 0 x' = x - 1 y' =? x > 0

16 Termination-proof of LTS x 0 y' = y x' = x e1 B e2 e3 D x' = x y > 0 f(b,x,y,z) = x f(d,x,y,z) = x e2 and e3 preserve this value. Proof: use x = x e1 strictly decreases it Proof: use x = x - 1 x' = x - 1 y' =? x > 0 Consequently, e1 cannot occur infinitely often (can be removed)

17 Termination-proof of LTS x 0 y' = y x' = x e1 B e2 e3 D x' = x y > 0 f(b,x,y,z) = y f(d,x,y,z) = y e2 preserves this value. Proof: use y = y e3 strictly decreases it Proof: use y = y - 1 x' = x - 1 y' =? x > 0 Consequently, e3 cannot occur infinitely often (can be removed)

18 Termination-proof of LTS x 0 y' = y x' = x e1 B e2 e3 D x' = x - 1 y' =? x > 0 x' = x y > 0 f(b,x,y,z) = 1 f(d,x,y,z) = 2 e2 strictly decreases the value Proof: use no equalities Consequently, e2 cannot occur infinitely often (can be removed)

19 Termination-proof of LTS B e1 e3 D x' = x y > 0 No transitions can be taken infinitely often Program terminates x' = x - 1 y' =? x > 0

20 Strengthening proofs Use invariants Split nodes Add helper-variables Use of Lexicographic order in the decrease-function

21 Termination-proof of LTS Original LTS A x 0 x' = x + y

22 Termination-proof of LTS Original LTS A x 0 y 0 y < 0 y < 0 A'' x' = x + y A' x 0 x' = x + y x 0 y 0 x' = x + y x 0 x' = x + y

23 Proof of equivalence Original LTS A x 0 x' = x + y x 0 y 0 y < 0 y < 0 A'' x' = x + y A' x 0 y 0 x' = x + y x 0 x' = x + y Initial node: True => y 0 y < 0 proof by contradiction: y -1 && -y 0 adding the inequalities gives: 0-1 Similar proofs for the other transitions.

24 Proof of termination Original LTS In A, the invariant y < 0 holds A x 0 x' = x + y x 0 y 0 y < 0 y < 0 A'' x' = x + y A' x 0 y 0 x' = x + y x 0 x' = x + y The edge from A to A can be eliminated through ranking function f(l,x,y) = x (using invariant y < 0) The edge from A to A can be eliminated through f(l,x,y) = y The edge from A to A can be eliminated through f(l,x,y) = (l == A? 0 : 1)

25 Proof of termination State LTS R Give an LTS P + invariants for each state + a proof that the invariants hold + a proof that P can simulate R + a proof that cooperation graph P terminates If P has edges: give a function f, a set of edges T + a proof for each edge in T that f decreases + for other edges in P : proof that f does not increase + a proof of termination for P - T

26 Todo? Parser Minor theory details Anything that comes up during testing

27 Other properties? LTS allows non-determinism Checking invariants ( safety checker ) can be used for: Runtime / resource analysis (of linear bounds)

28 Other theories? Formalised currently: Linear integer inequalities Lexicographic combinations of arbitrary existing theories (curently only linear integer inequalities) Many other theories can be expressed this way: Booleans as 0/1 integers Bitvectors as lists of Booleans

29 Other theories? Tell us about your proofs! Keep an eye out for CeTA 2.28: