Termination Proofs from Tests

Aditya Nori Rahul Sharma MSR India Stanford

University

Goal

Prove termination of a program

Program terminates if all loops terminate

Hard problem, undecidable in general

Need to exploit all available information

Tests

Previous techniques are static Tests are a neglected source of information

Tests have previously been used Safety properties, empirical complexity, …

This work, use tests for termination proofs

Example: GCD

gcd(int x,int y) assume(x>0 && y>0); while( x!=y ) do if( y > x ) y = y–x; if( x > y) x = x-y; od return x;

x=1, y=1

x=2, y=1

Infer-and-Validate Approach

…while ……

…while ……

(1,1)(2,1)

…while … print x print y

…while … print x print y

DataData

…while ……assert …

…while ……assert …

x=1, y=3

ML

Infer-and-Validate Approach

…while ……

…while ……

(1,1)(2,1)

…while … print x print y

…while … print x print y

DataData

…while ……assert …

…while ……assert …

x=1, y=3

ML

Instrument the Program

gcd(int x, int y) assume(x>0 && y>0); a := x; b := y; c := 0; while( x!=y ) do c := c + 1; if( y > x ) y := y–x; if( x > y) x := x-y; od print ( a, b, c );

New variables to capture initial values

Introduce a loop counter

Print values of input variables and counter

Infer-and-Validate Approach

…while ……

…while ……

(1,1)(2,1)

…while … print x print y

…while … print x print y

DataData

…while ……assert …

…while ……assert …

x=1, y=3

ML

Generating Data

gcd(int x, int y) assume(x>0 && y>0); a := x; b := y; c := 0; while( x!=y ) do c := c + 1; if( y > x ) y := y–x; if( x > y) x := x-y; od print( a, b, c)

For on inputs ,the loop iterates times

Infer a bound using and

Infer-and-Validate Approach

…while ……

…while ……

(1,1)(2,1)

…while … print x print y

…while … print x print y

DataData

…while ……assert …

…while ……assert …

x=1, y=3

ML

Regression

Predict number of iterations (final value of c) As a linear expression in a and b

Find

Find

But we want ▪ Add as a constraint

Solvable by quadratic programming

Quadratic Program (QP)

The quadratic program is:

Solved in MATLAB quadprog(A’*A,-A’*C,-A,-C)

For gcd example, Bound

Naïve Regression

Quadratic Program

Infer-and-Validate Approach

…while ……

…while ……

(1,1)(2,1)

…while … print x print y

…while … print x print y

DataData

…while ……assert …

…while ……assert …

x=1, y=3

ML

Verification Burden

Bound:

Difficult to validate

Infer invariants from tests

assume(x>0 && y>0);a := x; b := y;c := 0; while( x!=y ) do c := c + 1; if( y > x ) y := y–x; if( x > y) x := x-y; assert(c <= a+b-2);od

Regression for Invariant

assume(x>0 && y>0);a := x; b := y; c := 0; while( x!=y ) do print(c, a, b, x, y); c := c + 1; if( y > x ) y := y–x; if( x > y) x := x-y; assert(c <= a+b-2);od

Predict a bound on c

Same tests, more data

Solve same QP

has five columns [1,a,b,x,y]

has c at every iteration

Free Invariant Obtain

Add as a free invariant

Use if checker can prove

Otherwise discard

assume(x>0 && y>0);a:=x; b:=y; c := 0; free_inv(c<=a+b-x-y);while( x!=y ) do c := c + 1; if( y > x ) y := y – x; if( x > y) x := x-y; assert(c <= a+b-2 );od

Validate

Give program to assertion checker

Inductive invariant for gcd example:

If check fails then return a cex as a new test

Non-linear Example

u := x;v := y;w := z;while ( x >= y ) do if ( z > 0 ) z := z-1; x := x+z; else y := y+1;od

Given degree 2, Bound: After rounding:

Assertion Checker

Requirements from assertion checker: Handle non-linear arithmetic Consume free invariants Produce tests as counter-examples

Micro-benchmarks: Use SGHAN’13 Handles non-linear arithmetic, no counter-

examples

Windows Device Drivers: Use Yogi (FSE’ 06) Cannot handle non-linear, produce counter-

examples

Micro-benchmarks

Experiments with WDK

Related Work

Regression: Goldsmith et al. ‘07 , Huang et al. ’10, …

Mining specifications from tests: Dallmeier et

al. `12,…

Termination: Cousot `05, ResAna, Lee et al. ’12, …

Bounds analysis: SPEED, WCET, Gulavani et al. `08, …

Invariant inference: Daikon, InvGen, Nguyen et al.`12, …

Conclusion

Use tests for termination proofs

Infer bounds and invariants using QP

Use off-the-shelf assertion checkers to validate

Future work: disjunctions, non-termination

Disjunctions Example

a = i ; b = j ;while(i<M || j<N) i = i+1; j = j+1;

Partition using predicates

Control flow refinement Sharma et al. ’11