1 / 37

Proving Termination in Systems: Addressing Termination Bugs with TREX Technique

Termination bugs pose significant challenges in systems and application code, causing issues such as application hangs and unresponsive behavior. This paper explores techniques for proving termination using local termination provers and transition invariants. It introduces the TREX approach, which iteratively finds a proof of termination or identifies counterexamples. By analyzing loop contexts and deriving invariants, TREX improves the efficiency of termination proofs. We present examples illustrating the method and its effectiveness in addressing real-world termination problems.

slade
Télécharger la présentation

Proving Termination in Systems: Addressing Termination Bugs with TREX Technique

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Alternation for Termination 1 2 2 2 William Harris, AkashLal, AdityaNori SriramRajamani 1 2

  2. Termination bugs are a real problem in systems and application code.

  3. A Quick Search “bug code hangs”: “Gecko mediaplayer hangs the browser” “Eclipse hangs after 5 minutes or so of working” “BUG: Silverlight makes browser hang after BeginSaveChanges on some machines” “BUG: VB Hangs While Automating Excel Using OLE Control” …

  4. Key challenge to proving termination:Analyzing the context of a loop

  5. An Example with Non-Trivial Context f(int d, z) { int x, y; while (x > 0 && y > 0) { if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1, z); f(2, z); }

  6. Local Termination Provers For a fixed over-approximation of a loop, find a proof of termination

  7. Local ProversSucceeding while (x > 0 && y > 0) { • assume(d > 0); if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } x y

  8. Local Provers Failing f(intd) { intx, y; while (x > 0 && y > 0) { assume(d > 0); if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { f(1); f(2); } ??

  9. Transition Invariants From stem and cycle of a loop, guess and check a proof of termination

  10. Advantage of Transition Invariants A stem to a loop can include information about the loop’s context.

  11. Transition Invariants Succeeding f(int d) { while (x > 0 && y > 0) { if (*) { x := x – d; y := *; } else { y := y – d; } } } while (x > 0 && y > 0) { x := x – d; y := *; } x • main() { • f(1); • f(2); }

  12. Transition Invariants Succeeding f(int d) { while (x > 0 && y > 0) { if (*) { x := x – d; y := *; } else { y := y – d; } } } while (x > 0 && y > 0) { y := y - d; } y • main() { • f(1); • f(2); }

  13. Disadvantage of Transition Invariants Stem and cycle can lead to incorrect guesses for proof of termination.

  14. Transition Invariants Failing f(intd) { f(int d, int z) { int x, y; while (x > 0 && y > 0) { if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1); f(1, z); f(2); f(2, z); }

  15. Key Insight of TREX From cycles through a loop, inferinvariants for proving termination.

  16. Context Analysis via TREX f(int d, z) { int x, y; while (x > 0 && y > 0) { assume(d > 0); if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1, z); f(2, z); }

  17. Payoff of TREX’s Approach TREX can apply local proversto find a proof of termination quickly

  18. Analysis via TREX f(int d, z) { int x, y; while (x > 0 && y > 0) { assume(d > 0); if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1, z); f(2, z); } x, y

  19. TREX in More Detail • TREX by example • Experiments

  20. TREX iterativelyfinds a proof of termination,or finds a counterexample to termination, or refinesstronger program invariants The TREX Algorithm

  21. TREX IterationStep 1 Find a proof of termination by applying a local termination prover

  22. TREX IterationStep 1 f(int d, z) { int x, y; while (x > 0 && y > 0) { if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1, z); f(2, z); } ??

  23. TREX Iteration Step 2 If local prover fails, then find a counterexample cycle

  24. TREX Iteration Step 2 f(int d, z) { int x, y; while (x > 0 && y > 0) { if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1, z); f(2, z); } while (x > 0 && y > 0) { y := y – d; }

  25. TREX Iteration Step 3 From the counterexample cycle, find a sufficient condition for non-terminationby applying a non-termination prover(TNT)

  26. Applying a Non-Termination Prover while (x > 0 && y > 0) { y := y – d; } Non-termination if: y > 0 && d <= 0

  27. TREX IterationStep 4 Check if the sufficient condition is reachable

  28. TREXIterationStep 4 Non-termination if: y > 0 && d <= 0 f(int d, z) { int x, y; while (x > 0 && y > 0) { assert(d > 0); if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1, z); f(2, z); } while (x > 0 && y > 0) { y := y – d; }

  29. TREX Iteration Step 5 If the sufficient condition is unreachable, thenassume this as an invariant.

  30. TREX Iteration Step 5 f(int d, z) { int x, y; while (x > 0 && y > 0) { assert(d > 0); if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1, z); f(2, z); } assume(d > 0); x, y

  31. Experiments Windows Vista driver snippets

  32. Vista Driver Snippets

  33. Conclusion TREX proves termination by using cycles through a loop to infer useful program invariants

  34. Extra slides

  35. Transition Invariants Succeeding f(int d) { while (x > 0 && y > 0) { if (*) { x := x – d; y := *; } else { y := y – d; } } } • main() { • f(1); • f(2); } x, y

  36. Transition Invariants Failing f(intd) { f(int d, int z) { int x, y; while (x > 0 && y > 0) { if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1); f(1, z); f(2); f(2, z); } z = 1; f(1, z); while (x > 0 && y > 0) { assume(d = 1 && z = 1); if (*) { x := x – d; y := *; z := z – 1; } } z - 1

  37. Transition Invariants Failing f(intd) { f(int d, int z) { int x, y; while (x > 0 && y > 0) { if (*) { x := x – d; y := *; z := z – 1; } else { y := y – d; } } } main() { int k; int z = 1; while (z < k) { z := 2 * z; } f(1); f(1, z); f(2); f(2, z); } z = 1; z := 2 * z; f(1, z); while (x > 0 && y > 0) { assume(d = 1 && z = 2); if (*) { x := x – d; y := *; z := z – 1; } } z - 2

More Related