## Termination Proofs from Tests

Aditya Nori (MSR India), Rahul Sharma (Stanford University)

### Goal

• Prove termination of a program

• Program terminates if all loops terminate

• Hard problem, undecidable in general

• Need to exploit all available information

### Tests

• Previous techniques are static

• Tests are a neglected source of information

• Tests have previously been used

• Safety properties, empirical complexity, …

• This work: use tests for termination proofs

### Example: GCD

```
gcd(int x, int y)
  assume(x > 0 && y > 0);
  while (x != y) do
    if (y > x)
      y = y - x;
    if (x > y)
      x = x - y;
  od
  return x;
```

### Instrument the Program

```
gcd(int x, int y)
  assume(x > 0 && y > 0);
  a := x; b := y;
  c := 0;
  while (x != y) do
    c := c + 1;
    if (y > x)
      y := y - x;
    if (x > y)
      x := x - y;
  od
  print(a, b, c);
```

• New variables a, b capture the initial values of x, y

• Introduce a loop counter c

• Print the values of the input variables and the counter

### Generating Data

(Same instrumented gcd as above.)

For on inputs ,

the loop iterates times

Infer a bound using and

### Regression

• Predict the number of iterations (final value of c)

• As a linear expression in a and b

• Find

• Find

• But we want

• Solved in MATLAB

• For gcd example,

• Bound: c <= a + b - 2

### Verification Burden

```
assume(x > 0 && y > 0);
a := x; b := y;
c := 0;
while (x != y) do
  c := c + 1;
  if (y > x)
    y := y - x;
  if (x > y)
    x := x - y;
  assert(c <= a + b - 2);
od
```

od

• Bound: c <= a + b - 2

• Difficult to validate directly: the checker needs a loop invariant

• Infer invariants from tests

### Regression for Invariant

```
assume(x > 0 && y > 0);
a := x; b := y; c := 0;
while (x != y) do
  print(c, a, b, x, y);
  c := c + 1;
  if (y > x)
    y := y - x;
  if (x > y)
    x := x - y;
  assert(c <= a + b - 2);
od
```

od

• Predict a bound on c

• Same tests, more data

• Solve the same QP

• Data has five columns: [1, a, b, x, y]

• Target is c at every iteration

### Free Invariant

```
assume(x > 0 && y > 0);
a := x; b := y; c := 0;
free_inv(c <= a + b - x - y);
while (x != y) do
  c := c + 1;
  if (y > x)
    y := y - x;
  if (x > y)
    x := x - y;
  assert(c <= a + b - 2);
od
```

od

• Obtain c <= a + b - x - y

• Add it as a free invariant

• Use it if the checker can prove it

### Validate

• Give the program to an assertion checker

• Inductive invariant for gcd example:

• If the check fails, return the counterexample as a new test
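The instrument, generate data, regress, validate loop of the preceding slides, reconstructed for the gcd program as an added example; this is not the authors' code or tool. Two substitutions are assumptions of this example, not the slides' method: the talk solves a quadratic program over real coefficients and then rounds, whereas here the "QP" is an exhaustive search over small integer coefficients for the upper bound with the least total slack on the data; and the "assertion checker" is replaced by bounded exhaustive testing over 1 <= x, y <= n, which can find counterexamples but proves nothing. The names `gcd_instrumented`, `fit_upper_bound`, `bound_data`, `invariant_data`, `find_counterexample`, `refine_bound` and the input list `TESTS` are this example's own.

```python
# Added example (not the authors' code): tests -> regression -> validate
# for the gcd program.  The integer-coefficient search and the bounded
# checker are stand-ins for the talk's QP and assertion checker.
from itertools import product


def gcd_instrumented(x, y, trace=None):
    """Instrumented gcd from the slides: a, b keep the inputs, c counts
    iterations.  When `trace` is a list, a row (c, a, b, x, y) is appended
    at every loop head, like the print() inside the loop on the slide."""
    assert x > 0 and y > 0                      # assume(x > 0 && y > 0)
    a, b, c = x, y, 0
    while x != y:
        if trace is not None:
            trace.append((c, a, b, x, y))
        c += 1
        if y > x:
            y = y - x
        if x > y:
            x = x - y
    return a, b, c                              # print(a, b, c)


def dot(w, f):
    return sum(wi * fi for wi, fi in zip(w, f))


def fit_upper_bound(data, intercept_range=range(-5, 6), coef_range=range(-2, 3)):
    """data: list of (features, target) rows with features[0] == 1.
    Return the integer coefficient tuple w such that target <= dot(w, features)
    on every row and the total slack sum(dot(w, f) - c) is minimal; None if no
    candidate in the search box is an upper bound on all rows."""
    k = len(data[0][0])
    best, best_slack = None, None
    for w in product(intercept_range, *([coef_range] * (k - 1))):
        slack = 0
        for f, c in data:
            s = dot(w, f) - c
            if s < 0:                           # not an upper bound on this row
                break
            slack += s
        else:
            if best_slack is None or slack < best_slack:
                best, best_slack = w, slack
    return best


def bound_data(tests):
    """One row per test: predict the final counter c from [1, a, b]."""
    rows = []
    for x, y in tests:
        a, b, c = gcd_instrumented(x, y)
        rows.append(((1, a, b), c))
    return rows


def invariant_data(tests):
    """One row per loop head of every test: predict c from [1, a, b, x, y]."""
    rows = []
    for x, y in tests:
        trace = []
        gcd_instrumented(x, y, trace)
        rows.extend(((1, a, b, x, y), c) for c, a, b, x, y in trace)
    return rows


def find_counterexample(w, n, at_loop_head=False):
    """Bounded stand-in for the checker: run every input in 1..n x 1..n and
    return the first one on which c <= dot(w, features) fails, else None.
    at_loop_head=True checks a candidate invariant over [1, a, b, x, y] at
    every loop head; otherwise a bound over [1, a, b] is checked at exit."""
    for x, y in product(range(1, n + 1), repeat=2):
        trace = []
        a, b, c = gcd_instrumented(x, y, trace)
        if at_loop_head:
            if any(ci > dot(w, (1, ai, bi, xi, yi)) for ci, ai, bi, xi, yi in trace):
                return (x, y)
        elif c > dot(w, (1, a, b)):
            return (x, y)
    return None


def refine_bound(seed_tests, n=20):
    """Infer a bound from the tests; while the checker finds a counterexample,
    add it as a new test and infer again (the 'cex as a new test' step).
    Returns the final bound and the test set that produced it."""
    tests = list(seed_tests)
    while True:
        w = fit_upper_bound(bound_data(tests))
        cex = find_counterexample(w, n)
        if cex is None:
            return w, tests
        tests.append(cex)


# Constructed test inputs for this example (not from the slides).
TESTS = [(1, 1), (1, 2), (2, 1), (1, 4), (3, 1), (2, 3), (3, 5),
         (6, 4), (4, 6), (1, 9), (9, 1)]

if __name__ == "__main__":
    print("bound coefficients over [1,a,b]:", fit_upper_bound(bound_data(TESTS)))
    print("invariant coefficients over [1,a,b,x,y]:",
          fit_upper_bound(invariant_data(TESTS)))
    w, tests = refine_bound([(1, 2), (2, 1), (2, 3), (3, 5)])
    print("refined bound:", w, "after", len(tests), "tests")
```

On `TESTS` the bound search returns (-2, 1, 1), i.e. c <= a + b - 2, and the invariant search over the loop-head rows returns (0, 1, 1, -1, -1), i.e. c <= a + b - x - y, the free invariant of the slides. The four-test seed in `refine_bound` is deliberately too small: it first yields c <= a, the bounded checker reports (1, 3) as a counterexample, and adding counterexamples as tests drives the loop to c <= a + b - 2. Only the real checker's proof turns that bound into a termination proof; the bounded search here only rules out the obvious wrong candidates.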

### Non-linear Example

```
u := x; v := y; w := z;
while (x >= y) do
  if (z > 0)
    z := z - 1;
    x := x + z;
  else
    y := y + 1;
od
```

• Given degree 2,

• Bound:

• After rounding:

### Assertion Checker

• Requirements from assertion checker:

• Handle non-linear arithmetic

• Consume free invariants

• Produce tests as counter-examples

• Micro-benchmarks: use SGHAN'13

• Handles non-linear arithmetic, but produces no counter-examples

• Windows device drivers: use Yogi (FSE'06)

• Cannot handle non-linear arithmetic, but produces counter-examples

### Related Work

• Regression: Goldsmith et al. '07, Huang et al. '10, …

• Mining specifications from tests: Dallmeier et al. '12, …

• Termination: Cousot '05, ResAna, Lee et al. '12, …

• Bounds analysis: SPEED, WCET, Gulavani et al. '08, …

• Invariant inference: Daikon, InvGen, Nguyen et al. '12, …

### Conclusion

• Use tests for termination proofs

• Infer bounds and invariants using QP

• Use off-the-shelf assertion checkers to validate

• Future work: disjunctions, non-termination

### Disjunctions Example

```
a = i; b = j;
while (i < M || j < N)
  i = i + 1;
  j = j + 1;
```

• Partition using predicates

• Control flow refinement

• Sharma et al. ’11