1,054 research outputs found
Size-Change Termination as a Contract
Termination is an important but undecidable program property, which has led
to a large body of work on static methods for conservatively predicting or
enforcing termination. One such method is the size-change termination approach
of Lee, Jones, and Ben-Amram, which operates in two phases: (1) abstract
programs into "size-change graphs," and (2) check these graphs for the
size-change property: the existence of paths that lead to infinite decreasing
sequences.
We transpose these two phases with an operational semantics that accounts for
the run-time enforcement of the size-change property, postponing (or entirely
avoiding) program abstraction. This choice has two key consequences: (1)
size-change termination can be checked at run-time and (2) termination can be
rephrased as a safety property analyzed using existing methods for systematic
abstraction.
We formulate run-time size-change checks as contracts in the style of Findler
and Felleisen. The result compliments existing contracts that enforce partial
correctness specifications to obtain contracts for total correctness. Our
approach combines the robustness of the size-change principle for termination
with the precise information available at run-time. It has tunable overhead and
can check for nontermination without the conservativeness necessary in static
checking. To obtain a sound and computable termination analysis, we apply
existing abstract interpretation techniques directly to the operational
semantics, avoiding the need for custom abstractions for termination. The
resulting analyzer is competitive with with existing, purpose-built analyzers
Proving termination using abstract interpretation
PhDOne way to develop more robust software is to use formal program verification. Formal program
verification requires the construction of a formal mathematical proof of the programs correctness.
In the past ten years or so there has been much progress in the use of automated tools
to formally prove properties of programs. However many such tools focus on proving safety
properties: that something bad does not happen. Liveness properties, where we try to prove
that something good will happen, have received much less attention. Program termination is
an example of a liveness property. It has been known for a long time that to prove program
termination we need to discover some function which maps program states to a well-founded
set. Essentially we need to find one global argument for why the program terminates. Finding
such an argument which overapproximates the entire program is very difficult. Recently, Podelski
and Rybalchenko discovered a more compositional proof rule to find disjunctive termination
arguments. Disjunctive termination arguments requires a series of termination arguments that
individually may only cover part of the program but when put together give a reason for why
the entire program will terminate. Thus we do not need to search for one overall reason for
termination but we can break the problem down and focus on smaller parts of the program.
This thesis develops a series of abstract interpreters for proving the termination of imperative
programs. We make three contributions, each of which makes use of the Podelski-Rybalchenko
result.
Firstly we present a technique to re-use domains and operators from abstract interpreters for
safety properties to produce termination analysers. This technique produces some very fast
termination analysers, but is limited by the underlying safety domain used.
We next take the natural step forward: we design an abstract domain for termination. This
abstract domain is built from ranking functions: in essence the abstract domain only keeps track
of the information necessary to prove program termination. However, the abstract domain is
limited to proving termination for language with iteration.
In order to handle recursion we use metric spaces to design an abstract domain which can handle
recursion over the unit type. We define a framework for designing abstract interpreters for liveness
properties such as termination. The use of metric spaces allows us to model the semantics
of infinite computations for programs with recursion over the unit type so that we can design
an abstract interpreter in a systematic manner. We have to ensure that the abstract interpreter is
well-behaved with respect to the metric space semantics, and our framework gives a way to do
this
On the Termination of Linear and Affine Programs over the Integers
The termination problem for affine programs over the integers was left open
in\cite{Braverman}. For more that a decade, it has been considered and cited as
a challenging open problem. To the best of our knowledge, we present here the
most complete response to this issue: we show that termination for affine
programs over Z is decidable under an assumption holding for almost all affine
programs, except for an extremely small class of zero Lesbegue measure. We use
the notion of asymptotically non-terminating initial variable values} (ANT, for
short) for linear loop programs over Z. Those values are directly associated to
initial variable values for which the corresponding program does not terminate.
We reduce the termination problem of linear affine programs over the integers
to the emptiness check of a specific ANT set of initial variable values. For
this class of linear or affine programs, we prove that the corresponding ANT
set is a semi-linear space and we provide a powerful computational methods
allowing the automatic generation of these sets. Moreover, we are able to
address the conditional termination problem too. In other words, by taking ANT
set complements, we obtain a precise under-approximation of the set of inputs
for which the program does terminate.Comment: arXiv admin note: substantial text overlap with arXiv:1407.455
Towards Extending the Range of Bugs That Automated Program Repair Can Handle
Modern automated program repair (APR) is well-tuned to finding and repairing
bugs that introduce observable erroneous behavior to a program. However, a
significant class of bugs does not lead to such observable behavior (e.g.,
liveness/termination bugs, non-functional bugs, and information flow bugs).
Such bugs can generally not be handled with current APR approaches, so, as a
community, we need to develop complementary techniques.
To stimulate the systematic study of alternative APR approaches and hybrid
APR combinations, we devise a novel bug classification system that enables
methodical analysis of their bug detection power and bug repair capabilities.
To demonstrate the benefits, we analyze the repair of termination bugs in
sequential and concurrent programs. The study shows that integrating dynamic
APR with formal analysis techniques, such as termination provers and software
model checkers, reduces complexity and improves the overall reliability of
these repairs.Comment: Accepted for publication in the 22nd IEEE International Conference on
Software Quality, Reliability and Security (QRS 2022
The natural history of bugs: using formal methods to analyse software related failures in space missions
Space missions force engineers to make complex trade-offs between many different constraints including cost, mass, power, functionality and reliability. These constraints create a continual need to innovate. Many advances rely upon software, for instance to control and monitor the next generation ‘electron cyclotron resonance’ ion-drives for deep space missions.Programmers face numerous challenges. It is extremely difficult to conduct valid ground-based tests for the code used in space missions. Abstract models and simulations of satellites can be misleading. These issues are compounded by the use of ‘band-aid’ software to fix design mistakes and compromises in other aspects of space systems engineering. Programmers must often re-code missions in flight. This introduces considerable risks. It should, therefore, not be a surprise that so many space missions fail to achieve their objectives. The costs of failure are considerable. Small launch vehicles, such as the U.S. Pegasus system, cost around 4 million up to 73 million from the failure of a single uninsured satellite. It is clearly important that we learn as much as possible from those failures that do occur. The following pages examine the roles that formal methods might play in the analysis of software failures in space missions
A Fixpoint Semantics of Event Systems with and without Fairness Assumptions
We present a fixpoint semantics of event systems. The semantics is presented
in a general framework without concerns of fairness. Soundness and completeness
of rules for deriving "leads-to" properties are proved in this general
framework. The general framework is instantiated to minimal progress and weak
fairness assumptions and similar results are obtained. We show the power of
these results by deriving sufficient conditions for "leads-to" under minimal
progress proving soundness of proof obligations without reasoning over
state-traces
A shared memory algorithm and proof for the alternative construct in CSP
technical reportCommunicating Sequential Processes (CSP) is a paradigm for communication and synchronization among distributed processes. The alternative construct is a key feature of CSP that allows nondeterministic selection of one among several possible communicants. Previous algorithms for this construct assume a message passing architecture and are not appropriate for multiprocessor systems that feature shared memory. This paper describes a distributed algorithm for the alternative construct that exploits the capabilities of a parallel computer with shared memory. The algorithm assumes a generalized version of Hoare's original alternative construct that allows output commands to be included in guards. A correctness proof of the proposed algorithm is presented to show that the algorithm conforms to some safety and liveness criteria. Extensions to allow termination of processes and to ensure fairness in guard selection are also given. Keywords: communicating sequential processes; alternative operation; shared memory multiprocessor; parallel processing
Linear Encodings of Bounded LTL Model Checking
We consider the problem of bounded model checking (BMC) for linear temporal
logic (LTL). We present several efficient encodings that have size linear in
the bound. Furthermore, we show how the encodings can be extended to LTL with
past operators (PLTL). The generalised encoding is still of linear size, but
cannot detect minimal length counterexamples. By using the virtual unrolling
technique minimal length counterexamples can be captured, however, the size of
the encoding is quadratic in the specification. We also extend virtual
unrolling to Buchi automata, enabling them to accept minimal length
counterexamples.
Our BMC encodings can be made incremental in order to benefit from
incremental SAT technology. With fairly small modifications the incremental
encoding can be further enhanced with a termination check, allowing us to prove
properties with BMC. Experiments clearly show that our new encodings improve
performance of BMC considerably, particularly in the case of the incremental
encoding, and that they are very competitive for finding bugs. An analysis of
the liveness-to-safety transformation reveals many similarities to the BMC
encodings in this paper. Using the liveness-to-safety translation with
BDD-based invariant checking results in an efficient method to find shortest
counterexamples that complements the BMC-based approach.Comment: Final version for Logical Methods in Computer Science CAV 2005
special issu
- …