Proving termination conditions
Name
E-mail
Country, City, University
Omer Subasi
osubasi@ku.edu.tr
Turkey, Istanbul, Koc University
Anton Dergunov
anton.dergunov@mail.ru
Russia, Nizhny Novgorod, UNN
Krasnoshtan Dmytro
nikolajtesla@gmail.com
Ukraine, Kiev, KPI
Georgiy Savchenko
georgiy.savchenko@gmail.com
Pavel Ajtkulov
ajtkulov@gmail.com
Mentor: Dr. Ben Livshits & Dr. Stephan Tobies
Russia, Krasnoyarsk, Siberian
federal university
Russian, Izhevsk, Udmurt State
University
The Project
• The aim:
– Investigate state of the art approaches for
termination proof;
– Prove termination of sample algorithms.
• We focused on the following cases:
– Nested loops;
– Recursion;
– Linked list data structures.
2
Termination
• A program is terminating if all its executions of
all its executions are finite.
• A program is non-terminating it there exits at
least one infinite execution.
3
Motivation
Functional correctness + termination proof =
Total correctness
• The halting problem: termination is
undecidable (Alan Turing).
• Does not mean we can’t not prove
termination in every case. We can prove
termination via introducing termination
metrics (ranking functions).
4
Termination proof in Dafny
• Dafny is a programming language and verifier
that enables to prove terminations of
algorithms.
• Dafny provides annotations to specify
termination metrics
• Many verifiers do not support termination
proofs
• http://research.microsoft.com/enus/projects/dafny/
5
Dafny Approach-Formalism
• Let U be a non-empty set of disjoint union of
algebraic datatypes, tuples and variables.
• Algebraic datatypes: sets, sequences, lists.
• Let S be set of states of program.
• Let (Y,>=) be a well-ordered set.
• For instance, ℕ is a well-ordered set.
6
Formalism Cont.
• Define metric φ:UxSY such that
– For ∀ transition (s,s’), φ(u,s)> φ(u,s’)
– For ∀ state s, ∀ u in U, φ(u,s)>=0
– ∃ δ>0 such that for ∀ transition (s,s’) and ∀ u in U,
φ(u,s)> φ(u,s’)+δ
• Usually this mapping is called progress
measure or ranking function
7
Node #1
ReachableNodes: {1, 2, 3, 4, 5}
Node #2
ReachableNodes: {2, 4, 5}
Node #4
ReachableNodes: {4}
Node #5
ReachableNodes: {5}
Node #3
ReachableNodes: {3}
Node1 , Node2  Tree :
Successor( Node1 )  Node2 
Reachable( Node1 )  Reachable( Node2 )
method Find(x: int): returns (found:bool)
decreases ReachableNodes;
{
if (x == data)
{found := true;}
else if (left != null && x < data) {found := left.Find(x);}
else if (right != null && x > data) {found := right.Find(x);}
else
{found := false;}
}
Other Approaches
• Compose termination arguments since
constructing a ranking function can be difficult
• Decompose the termination check into easier
ones
• Terminator http://research.microsoft.com/enus/um/cambridge/projects/terminator/
development of automatic methods for
proving program termination and general
liveness properties
9
Our Contribution
• Proved termination of several Dafny
programs:
– QuickSort
– MergeSort
– Insertion sort
– Insertion and search for binary search tree
• We have investigated state of art for
termination proof.
• Idea: reusing termination metric to prove
computational complexity of algorithms.
10
What we have learned
What remains to be done
•
More in-depth
understanding of formal
verification.
• Got information about
proving termination
properties.
• Got additional insights how
complexity analysis can be
implemented by reusing
termination metric.
11
Thank you!
Questions?
12
Possible tools
• partial correctness + termination = total correctness
• partial correctness + time > total correctness
VCC provides only partial correctness
Other tools:
- Code contracts
- Dafny
- f*
- spec#
13
Why dafny
It is imperative, sequential, supports generic classes
and dynamic allocation, and builds in specification
constructs.
Also
- Updatable ghost variables
- Recursive functions
- Proof of total correctness
- Types like algebraic datatypes (sets, sequences)
14
Principles of termination by
Byron Cook
• A program is terminating if all its executions are finite. A
program is non-terminating it there exits at least one
infinite execution.
• When trying to prove termination, one tries to prove
program’s transition relation is well-founded.
• Turing’s suggestion for proving well-foundedness: Find a
map form (R,S) to a well-ordered set and then prove this
map is a homomorphism. These maps are typically ranking
functions.
• Constructing a ranking function can be difficult: Compose
termination arguments.
• Another idea: Decompose the termination check into
easier ones.
15
Notation
{P}C{Q} : partial correctness
[P]C[Q] : total correctness
Problems with:
- While loop ( for is alias in C-like languages)
- Recursion
- Function invocation
16
Total Correctness Specification
A total correctness specification [P]C[Q] true if
- Whenever C is executed in a state satisfying P,
then the execution of C terminates
- After C terminates Q holds
With the exception of the WHILE, FOR loops,
recursion and function invocation, all the axioms
and rules described so far are sound for total
correctness as well as partial correctness
17
Rules for Non-Looping Command
• Replace { and } by [ and ], respectively, in:
- Assignment axiom
- Consequence rules
- Conditional rules
- Sequencing rule
- Block rule
18
Total Correctness Assignment Axiom
- Assignment axiom for total correctness:
Ⱶ [P [E/V ]] V := E [P ]
- Note that the assignment axiom for total correctness
states that assignment commands always terminate
- So all function applications in expressions must
terminate
- This might not be the case if functions could be defined
recursively
EXAMPLE: X := fact(-1), where
fact(n) = if n = 0 then 1 else n * fact(n - 1)
19
WHILE Rule for Total Correctnes
- WHILE commands are the only commands
that can cause non-termination
- The idea behind the WHILE rule for total
correctness is:
1) to prove WHILE S DO C terminates
2) show that some non-negative quantity
decreases on each iteration of C
3) this decreasing quantity is called a variant
20
WHILE Rule for Total Correctness
21
Derived rules
Multiple step rules for total correctness can be
derived in the same way as for partial correctness
- The rules are the same up to the brackets used
- Same derivations with total correctness rules
replacing partial correctness ones
22
Example 3: ghost data
class ListNode {
var data: int;
var next: ListNode;
ghost var reachableNodes: set<ListNode>;
// ...
function sum(): int
reads *;
decreases reachableNodes;
{
if next == null then data else data + next.Sum()
}
}
23
Example 1: no termination proof is required
method processArray(numbers: array<int>)
requires numbers != null; {
var i := 0;
var sum := 0;
while (i < numbers.Length) {
sum := sum + numbers[i];
i := i + 1;
}
}
24
Dafny programs that we have proved
Termination of:
• QuickSort
• MergeSort
• Insertion and search for binary search tree
• TODO: outline the most interesting aspects of
these programs
25