Abstract
Concurrent programs are often designed such that certain functions executing within critical threads must terminate. Examples of such cases can be found in operating systems, web servers, e-mail clients, etc. Unfortunately, no known automatic program termination prover supports a practical method of proving the termination of threads. In this paper we describe such a procedure. The procedure's scalability is achieved through the use of environment models that abstract away the surrounding threads. The procedure's accuracy is due to a novel method of incrementally constructing environment abstractions. Our method finds the conditions that a thread requires of its environment in order to establish termination by looking at the conditions necessary to prove that certain paths through the thread represent well-founded relations if executed in isolation from the other threads. The paper gives a description of experimental results using an implementation of our procedure on Windows device drivers and a description of a previously unknown bug found with the tool.
Index Terms
- Proving thread termination
Published in PLDI '07: Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation.