Proving program termination: Lecture 5, February 4th, 2008

Slide 1: Proving program termination. Lecture 5, February 4th, 2008

Slide 2: Notes
  - No new homework for now
  - Remember: no class next week

Slide 3: Review: proving termination of mathematical relations
  - Program termination = well-founded (WF) transition relation
  - Subrelations of WF relations are WF relations
  - Proving WF can be reduced to finding a larger ranking relation
  - Accurate transition relations are often too hard to compute
  - Supporting invariants are needed to establish termination
  - Unions of WF relations are not WF, but the transitive closure can be used to offset the problem
  - Local termination lemmas are useful when proving structured relations WF

Slide 4: Review: synthesis for mathematical relations
  - Linear ranking functions ranging over simple types (i.e., not the ordinals) can be reliably synthesized for certain classes of relations
  - Synthesis is possible for more complex settings, but it is not very reliable

Slides 5-7: Review: but what about programs?
  - Complex control-flow graphs (e.g., gotos, nested loops, etc.)
  - Procedures and recursion
  - Arrays and pointers
  - Dynamically allocated (and deallocated) memory
  - Concurrency

Slides 8-9: Today: programs and existing tools for proving invariance/safety

Slides 10-32: Programs (figure-only slides; no text survives in this extraction)

Slides 33-34: Verification and analysis tools for invariance
  - Great progress has been made in the last 5 years in tools for proving invariance properties of programs
  - Automatic invariance analysis: not property driven; facts are derived from a given abstract domain; termination (of the tool) is usually guaranteed
  - Automatic invariance verification: usually property driven; termination (of the tool) is not guaranteed
  - Today: a very operational summary of some example tools

Slides 35-50: Invariance analysis (figure-only slides; no text survives in this extraction)

Slides 51-56: Abstract domains
  - Provide standard operations: assign, assume, emptiness check, abstract versions of union and intersection, widening, narrowing
  - Popular domain: Octagon, which represents convex sets expressed as a conjunction of two-variable inequalities with unit coefficients; the implementation is based on difference bound matrices

Slides 57-58: Verification and analysis tools for invariance (repeat of slides 33-34)

Slides 59-60: Invariance verification for invariance

Slides 61-88: Example: SLAM
  - Inputs: a rule and the code (the driver being checked)
  - Instrument step
  - Abstract step: construction of abstract programs with WPs (weakest preconditions) for commands and a decision procedure
  - Check step: reachability for abstract programs
  - Refine step: symbolic execution based on a decision procedure
  - Outcomes: "driver passes rule" or "rule violation found"

Slides 89-90: Verification and analysis tools for invariance (repeat of slides 33-34)
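The abstract-domain slides list the operations a numeric domain must provide (assign, assume, emptiness check, abstract union, widening, narrowing) and name difference bound matrices as the implementation behind octagons. The Python below is an added example written for this page; it is not code from the lecture, from SLAM, or from any octagon library. It implements the plain difference-bound fragment (constraints of the form x - y <= c over a zero variable; octagons run the same matrix algorithms over a doubled variable set) and uses it the way an invariance analysis would: it over-approximates the states at the head of the constructed loop `i := 0; while (i < 10) i := i + 1`, then answers the safety query "can i exceed 10 after the loop?" by checking emptiness. The class name DBM, the helper names, and the loop itself are assumptions made for this example.

```python
"""Added example (not from the lecture): a difference-bound-matrix abstract
domain with the operations the slides list, applied to a small loop."""
from itertools import product

INF = float("inf")


class DBM:
    """Index 0 is the constant zero variable 'Z', so x <= c is x - Z <= c and
    x >= c is Z - x <= -c.  m[i][j] holds the upper bound on v_i - v_j."""

    def __init__(self, names, matrix=None):
        self.names = ["Z"] + list(names)
        n = len(self.names)
        self.m = matrix if matrix is not None else [
            [0 if i == j else INF for j in range(n)] for i in range(n)]

    def idx(self, v):
        return self.names.index(v)

    def copy(self):
        return DBM(self.names[1:], [row[:] for row in self.m])

    def close(self):
        """Floyd-Warshall closure: make every implied bound explicit."""
        n = len(self.m)
        for k, i, j in product(range(n), repeat=3):
            if self.m[i][k] + self.m[k][j] < self.m[i][j]:
                self.m[i][j] = self.m[i][k] + self.m[k][j]
        return self

    def is_empty(self):
        """Emptiness check: a negative cycle means no state satisfies the constraints."""
        self.close()
        return any(self.m[i][i] < 0 for i in range(len(self.m)))

    def assume(self, x, y, c):
        """Conjoin the constraint x - y <= c (use y == 'Z' for x <= c)."""
        i, j = self.idx(x), self.idx(y)
        self.m[i][j] = min(self.m[i][j], c)
        return self

    def assign(self, x, y, c):
        """Abstract x := y + c; use y == 'Z' for x := c."""
        i, j, n = self.idx(x), self.idx(y), len(self.m)
        self.close()
        if i == j:                        # x := x + c: shift every bound on x
            for k in range(n):
                if k != i:
                    self.m[i][k] += c
                    self.m[k][i] -= c
            return self
        for k in range(n):                # forget the old value of x ...
            if k != i:
                self.m[i][k] = self.m[k][i] = INF
        self.m[i][j], self.m[j][i] = c, -c  # ... then pin x = y + c
        return self.close()

    def _pointwise(self, other, f):
        a, b = self.copy().close(), other.copy().close()
        return DBM(self.names[1:], [[f(p, q) for p, q in zip(ra, rb)]
                                    for ra, rb in zip(a.m, b.m)])

    def join(self, other):
        """Abstract union: smallest DBM containing both operands (pointwise max)."""
        if self.copy().is_empty():
            return other.copy()
        if other.copy().is_empty():
            return self.copy()
        return self._pointwise(other, max)

    def widen(self, other):
        """Widening: keep a bound only if the new iterate still respects it."""
        return self._pointwise(other, lambda p, q: p if q <= p else INF)

    def narrow(self, other):
        """Narrowing: refill bounds that widening dropped to INF."""
        return self._pointwise(other, lambda p, q: q if p == INF else p)

    def leq(self, other):
        a, b = self.copy().close(), other.copy().close()
        return all(p <= q for ra, rb in zip(a.m, b.m) for p, q in zip(ra, rb))

    def bound(self, x, y):
        """Best upper bound on x - y implied by the constraints."""
        return self.close().m[self.idx(x)][self.idx(y)]


def loop_head_invariant(bound=10, max_iter=50):
    """Abstractly execute  i := 0; while (i < bound) { i := i + 1 }  and return
    the DBM over-approximating every state at the loop head (constructed loop)."""
    init = DBM(["i"]).assign("i", "Z", 0)

    def body(head):                       # guard i <= bound-1, then i := i + 1
        return head.copy().assume("i", "Z", bound - 1).assign("i", "i", 1)

    head = init
    for _ in range(max_iter):             # ascending iteration with widening
        nxt = head.widen(init.join(body(head)))
        if nxt.leq(head):
            break
        head = nxt
    # one descending (narrowing) pass restores the upper bound widening dropped
    return head.narrow(init.join(body(head)))


def loop_exit_state(bound=10):
    """States after the loop: head invariant conjoined with the negated guard i >= bound."""
    return loop_head_invariant(bound).assume("Z", "i", -bound)


def exit_can_exceed(bound=10):
    """Safety query: can i > bound hold after the loop?  An empty abstract state
    proves i <= bound, even though the analysis was not driven by that property."""
    return not loop_exit_state(bound).assume("Z", "i", -(bound + 1)).is_empty()


if __name__ == "__main__":
    inv = loop_head_invariant()
    print("loop head: i <=", inv.bound("i", "Z"), "and -i <=", inv.bound("Z", "i"))
    print("i <= 10 holds after the loop:", not exit_can_exceed())
```

Widening alone stops at the loop-head fact i >= 0 (the upper bound 0, 1, 2, ... would otherwise climb forever); the single narrowing pass recovers 0 <= i <= 10. This mirrors the slide's contrast: the analysis is not property driven and is guaranteed to terminate because of widening, and the safety property is read off the computed facts afterwards rather than guiding the search.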