Insert pictures into this white area. Height should be 3.41 inches.

Assuming Termination

04 November 2011

2

DFL: Data Flow Logic

•  A Domain Specific Annotation Language –  Supporting Information Flow Modeling & Analysis

•  Informed By –  AAMP7, GHS, Cybersecurity –  JML, SPARK

•  Targeting C Source Code –  Popular Source Language

•  Specifications Anchored to Data Types (Type System) –  Extend Data Type Descriptions

•  Policies Tied to Procedures –  Become Verification Obligations and Contracts

•  Minimize Verification Complexity –  Static Type Checking (decidable) – 90% –  Functional Verification (undecidable) - 10%

•  Informed by and designed to connect to our formal modeling libraries and techniques

3

What Am I Doing

•  Language Level Reasoning –  Language Semantics –  Syntax Interpreter

•  Writing Static Analyzer (for C) in ACL2 –  Information Flow –  Like “Meta Function”

•  Efficient Execution –  Guards –  Hons –  Defattach –  Termination

•  Rewriter – good luck

•  Verify Analyzer –  Like “Meta Rule” –  Leverage ACL2 (bash)

4

Assuming Termination

•  Extends Manolios/Moore defpun –  Any tail recursive function has a witness –  No need to provide a measure

•  Don’t prove termination

•  Admits (nearly) any proposed function definition –  Termination Predicate (tail recursive) –  Measure (partial) –  Definition (modified)

5

Components

•  Termination Predicate –  Identifies inputs for which recursion terminates –  Matches recursion of function body –  Tail Recursive

•  Partial measure –  Decreases when function terminates –  Not tail recursive

•  Definition –  Modified to include termination check –  Suggests an Induction

6

Simple Example

(defun foo (st) (if (done st) (base st) (alt (foo (step st)))))

(= (foo-terminates st) (if (done st) t (foo-terminates (step st))))

(implies (foo-terminates st) (= (foo-measure st) (if (done st) 0 (1+ (foo-measure (step st)))))

(defun foo (st) (declare (xargs :mesaure (foo-measure st))) (if (not (foo-terminates st)) (base st) (if (done st) (base st) (alt (foo (step st))))))

7

Implementations

•  Defminterm –  Compiles definition into tail recursive function –  Proof unwinds compilation

•  Defung (Slind) –  More Direct Implementation –  Efficient Execution

•  Replacement for :program mode •  Kaufmann suggestion •  Mutually Recursive Guard •  Makes reasoning more awkward

•  Commonalities –  Interesting (but schematic) proofs leading up to defn –  Doesn’t scale to large definitions

•  NOW WHAT?

8

ACL2 Integration

•  Maybe it could become part of ACL2 ..

•  Auxiliary Functions (termination, measure) –  Derived from body of desired definition

•  mk-term •  mk-measure

–  Can we prove derivation correct? •  What does that mean?

(defun foo (st) (declare (xargs :measure :assume)) (if (done st) (base st) (alt (foo (step st)))))

9

Basic Evaluator

(DEFUN EVAL2 (X A) (COND ((SYMBOLP X) (AND X (CDR (ASSOC-EQ X A)))) ((ATOM X) NIL) ((EQ (CAR X) 'QUOTE) (CAR (CDR X))) ((CONSP (CAR X)) (EVAL2 (CAR (CDR (CDR (CAR X)))) (PAIRLIS$ (CAR (CDR (CAR X)))

(EVAL2-LIST (CDR X) A)))) (T NIL)))

10

Modified Evaluator

(DEFUN EVAL1 (X) (COND ((ATOM X) NIL) ((EQ (CAR X) 'QUOTE) (CAR (CDR X))) ((CONSP (CAR X)) (EVAL1 (beta-reduce-term (CAR (CDR (CDR (CAR X))))

(CAR (CDR (CAR X))) (EVAL1-LIST (CDR X)))))

(T NIL)))

(defthm eval2-to-eval1 (equal (eval2 term a)

(eval1 (beta-reduce-term term (strip-keys a) (strip-vals a)) )))

11

Extended Evaluator

(DEFUN EVAL (X defs) (COND ((ATOM X) NIL) ((EQ (CAR X) 'QUOTE) (CAR (CDR X))) ((CONSP (CAR X)) (EVAL (beta-reduce-term (CAR (CDR (CDR (CAR X))))

(CAR (CDR (CAR X))) (EVAL-LIST (CDR X) defs)) defs))

(T (let ((fn (car X)) (args (cdr X))) (let ((hit (assoc fn defs))) (if hit

(let ((formals (car (cdr hit))) (body (cadr (cdr hit))))

(eval (beta-reduce-term body formals (eval-list args defs)) defs))

(eval-base `(,fn ,@(eval-list args defs)))))))))

12

Termination Conjectures

(equal (eval-term (mk-term body) defns) (eval-term body defns))

(equal (eval (mk-term body) defns)) (eval-term body defns)

• Is it possible? • Is it enough?