1 / 39

Real-Time Systems, COSC-4301-01, Lecture 15

Real-Time Systems, COSC-4301-01, Lecture 15. Stefan Andrei. Reminder of the last lecture. Decomposition-based Verification of Linear Real-Time Systems Specifications. Overview of This Lecture. Termination analysis by function inversion. Introduction.

liv
Download Presentation

Real-Time Systems, COSC-4301-01, Lecture 15

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Real-Time Systems, COSC-4301-01, Lecture 15 Stefan Andrei COSC-4301-01, Lecture 15

  2. Reminder of the last lecture • Decomposition-based Verification of Linear Real-Time Systems Specifications COSC-4301-01, Lecture 15

  3. Overview of This Lecture • Termination analysis by function inversion COSC-4301-01, Lecture 15

  4. Introduction • Program’s correctness is one of the most important problem in computer science: • Partial correctness: a program P that terminates for any given input provides the expected output; • Total correctness: Partial correctness + Termination • A program P terminates if it executes a finite number of steps for any input until provides the output. • Total correctness is more important than partial correctness (M. Huth and M. Ryan: Logic in Computer Science. Modelling and Reasoning about Systems. Cambridge Press, 2004) COSC-4301-01, Lecture 15

  5. Introduction (cont) • The halting problem (a.k.a., the termination problem): • Given a program and a finite input, decide whether the program finishes running or will run forever? • In 1936, Alan Turing showed that the halting problem is undecidable. • Hence, there is no general algorithm to prove program termination or to determine the runtime of a program. • The halting problem is so famous because it was one if the first problems proved undecidable. COSC-4301-01, Lecture 15

  6. Related Work • It has been clear since the early days of computing that a program correctness argument can be clearly partitioned into partial (conditional) correctness, and termination: • C.A.R. Hoare. An Axiomatic Basis for Computer Programming. Communications of the ACM, 12:576–580, 1969. COSC-4301-01, Lecture 15

  7. Related Work (cont.) • Termination analysis has been developed for different programming frameworks over the years: • N. Dershowitz, N. Lindenstrauss, Y. Sagiv, and A. Serebrenik. A General Framework for Automatic Termination Analysis of Logic Programs. Applicable Algebra in Engineering, Communication and Computing, 12(1/2):117–156, 2001. • M. Colon and H. Sipma. Practical Methods for Proving Program Termination. In 14th International Conference on Computer Aided Verification (CAV), volume 2404 of Lecture Notes in Computer Science, pages 442–454. Springer, 2002. • Byron Cook, Andreas Podelski, and AndreyRybalchenko. Termination proofs for systems code. SIGPLAN Not., 41(6):415–426, 2006. COSC-4301-01, Lecture 15

  8. Related Work (cont.) • There are many applications in real-time systems for which the termination problem is motivated. • The termination problem was also considered in other papers: • C.S. Lee, N.D. Jones, and A.M. Ben-Amram. The Size-Change Principle for Program Termination. In Conference Record of the 28th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, volume 28, pages 81–92. ACM press, January 2001. • H. Anderson, S.C. Khoo, S. Andrei, and B. Luca. Calculating Polynomial Runtime Properties. In Kwangkeun Yi, editor, APLAS 05: Asian Symposium on Programming Languages and Systems, pages 230–246, Springer, 2005. COSC-4301-01, Lecture 15

  9. Conversion from while to recursion • To the best of our knowledge, all these related works considered termination methods where the parameters values are decreasing. • Our technique removes this restriction (Program P1 below): x = <some real value>; a = <some real value>; n = <some positive integer value>; while (n != 0 && n != 1) { if (n % 2 == 0) { x = x * x; n = n / 2; } else { n++; a = x * a; } } return a; COSC-4301-01, Lecture 15

  10. F1 corresponds to P1 • We limit the definition of the termination analysis to function calls only. COSC-4301-01, Lecture 15

  11. The Runtime • The runtime (a.k.a., as the running time) of a function execution is the number of function calls until it terminates. • Such calls are the only difficult part of a runtime calculation, as other program constructs (statements, parameters transmission) add constant time delays. COSC-4301-01, Lecture 15

  12. Essential Arguments • The programs subject to analysis may contain arguments that are not essential for our method. • Formally, given an initial program P, we denote by [P] the projection of P by considering only the parameters that occur in the test conditions of P: • An initial program P terminates if and only if [P]terminates, too. COSC-4301-01, Lecture 15

  13. Essential Arguments (example) • F1 is a function similar to that used in the calculation of xn. • The projection of F1 (denoted as PF1) is given by Figure 1, where x and a are not parameters involved in the program’s termination. • Note that PF1 is a single-parameter function, as it only has n as a parameter. COSC-4301-01, Lecture 15

  14. The Numerical Normal Form • Given a program P expressed as a single recursive function, we say that f() is the numerical normal form of [P] if and only if: • Arguments of f() are the same as arguments of [P]; • Branch conditions of f() correspond to test conditions of [P]; • The body of each branch of f() corresponds to the argument of the same branch of [P]. COSC-4301-01, Lecture 15

  15. An Equivalent Reformulation • The termination problem for [P] is equivalent to showing that for any n  N, there exists a k  N such that f(k)(n) = 0, where: • f(1) = f, • f(k+1) = f  f(k), • means the function’s composition, • and 0 is a constant corresponding to termination. COSC-4301-01, Lecture 15

  16. Equivalent Reformulation (example) • The numerical normal form of PF1 can be given by f1 : N  N. • The recursive calls of PF1 correspond to function’s composition operations of f1(): • PF1(n) has krecursive calls until STOP if and only if f1(k)(n) = 0. COSC-4301-01, Lecture 15

  17. Our Class of Functions • We consider the general numerical normal form for functions having one parameter is F : N  N such as: • where: • n’0, ..., n’m-1are constants; • x = n0, ..., x = nm-1are terminating conditions; • 0(x), ..., p-1(x) are called non-terminating conditions; • f0(x), ..., fp-1(x) are invertible functions. COSC-4301-01, Lecture 15

  18. The Execution Trace Tree • Given a function F(), the execution trace tree is denoted ETT(F). • This tree is a pair (V,E), where V is the set of nodes (vertices) and E is the set of arcs (edges). • ETT(F) has an unlabeled root that has a number of direct descendants equal to the number of values from the termination conditions (e.g., values n’0, ..., n’m-1). • Each arc from node y to node x every time F(x) = y has a solution. COSC-4301-01, Lecture 15

  19. ETT(F) for our class _ … n’m-1 n’0 nm-1 n0 … y F(x)=y has a solution. … … x … COSC-4301-01, Lecture 15

  20. Finite Fragments of ETT(F) • ETT(F) may contain infinite paths. • For any y  N+, k  N+a finite p-ary tree with root y, having k levels, denoted ETTk(y) = (Vk, Ek). • Each node, except the root, v  Vkis labeled with a natural number, denoted by label(v). • The node v may have 1, 2, ..., p descendants depending on its label y. • That is, i  {0, ..., p – 1} whenever βi(f -1i(y)) holds, then v has a descendant labeled by f -1i(y). COSC-4301-01, Lecture 15

  21. Connection to Termination Problem • If all paths from the root are finite, then the termination problem can be easily solved. • For the inputs that are labels of ETT(F), the termination problem holds. • For the inputs not labels of ETT(F), the program runs infinitely. • We denote labels(V) as being {label(v) | v V}. • One inclusion is obvious: labels(V )  N. • Hence, the termination problem for F is equivalent to: labels(V(ETT(F))) = N+. COSC-4301-01, Lecture 15

  22. An Example with Finite ETT • Function f2 is terminating only for inputs 0, 1, 2, and is non-terminating for the other naturals 3, 4, ... • So, the challenging case for tackling the termination problem and computing the runtime is when ETT has at least one potentially infinite path. COSC-4301-01, Lecture 15

  23. An Effective Non-Trivial Subclass • We consider the cases when fi() are affine functions and i() are conditions containing modulo operators (called modulo-case functions): • where F : N  N, andi{0, ..., p-1}, we have ai Q+, bi Q, ai × p  N and ai × i + bi N. COSC-4301-01, Lecture 15

  24. ETT(F) for a Modulo-Case Function • Considering a modulo-case function, an arbitrary node v of ETT(F) may have up to p descendants depending on its label y. • That is, i{0, ..., p-1} whenever (y-bi)/aii (mod p), then v has a descendant labeled by (y-bi )/ai. • Example: • ETT(f1) is an infinite binary tree. • f -11 = {(m, 2m) |  m  1}{(m, m - 1) | m is even}. COSC-4301-01, Lecture 15

  25. ETT5(f1) • The arc (2, 1) was not generated because 1 belongs to ETT5(f1). COSC-4301-01, Lecture 15

  26. Our Systematic Method • s = max i={0, …, p-1}{ 1/ai, 1} and • (k) = • sk if s > 1 • k if s = 1 • where x represents the integer ceiling of x. • The set {0, 1, 2, ..., (k)} will be used in our method. • The main idea is to generate ETT(f) until the algorithm finds a polynomial as an upper bound for the smallest level (sl) such that the set{0, 1, 2, ..., (k)} can be found as labels for the first sl levels of ETT(f). COSC-4301-01, Lecture 15

  27. Our Systematic Method (cont.) • If such a polynomial is found, then the designer can start doing the formal proof for the induction step. • If this fails, then the algorithm will search a polynomial of a higher degree. • The algorithm will look for polynomials of a predefined maximum degree, say dmax. COSC-4301-01, Lecture 15

  28. Algorithm A - Pseudocode • The Input: A modulo-case function f() and a positive integer dmax • The Output: • ‘Yes’ (if f() is terminating)and a domain constraint as well as an estimation of running time, otherwise • ‘Polynomial up to degree dmaxnot found’ (if the algorithm cannotfind a polynomial for the runtime). COSC-4301-01, Lecture 15

  29. Algorithm A - Pseudocode (cont.) COSC-4301-01, Lecture 15

  30. Algorithm A - Pseudocode (cont.) COSC-4301-01, Lecture 15

  31. Algorithm A’s Correctness • Theorem 4.1 Let f be a modulo-case function, and dmaxa positive integer. Algorithm A will provide: • ‘Yes’ and a domain constraint as well as an estimation of running time, if the algorithm proved that f is terminating; • ‘Polynomial up to degree dmax not found’, if the algorithm cannot find such a polynomial as an upper bound for the runtime. COSC-4301-01, Lecture 15

  32. Algorithm A applied to f1() • From the definition of f1(), we get s = 2, so (k) = 2k. • The sets {0, 1, 2}and{0, 1, 2, 3, 4} are generated by level 1 and 3, respectively. • The polynomial P of degree 1 such that P(1) = 1 and P(2) = 3 is P(x) = 2x – 1. • Algorithm tests whether {0, 1, 2, ..., 23} are labels of ETT(f1) by level P(3) = 5. • According to Figure from slide 23, this assertion holds. COSC-4301-01, Lecture 15

  33. Algorithm A applied to f1() • Checking inductive step: • suppose that {0, 1, 2, ..., 2k} are labels of ETT(f1) by the level P(k) = 2k - 1; • the method checks whether {0, 1, 2, ..., 2k, 2k + 1, ..., 2k+1} are labels of ETT(f1) by level P(k + 1) = 2k + 1. • The proof is based on the fact that f-11={(m, 2m) |  m  1}{(m, m - 1) | m is even}. • Our algorithm was able to systematically prove the termination problem. • The running time is 2 × log2(n)-1. COSC-4301-01, Lecture 15

  34. Conclusion • This paper presented a novel and systematic approach for calculating the maximum runtime of functions for a nontrivial class of programs, based on an induction over a tree of execution traces. COSC-4301-01, Lecture 15

  35. Future work • We are working towards a more complete characterization of the class of functions for which the runtime and termination analysis can be done using our approach. • Comparison with state-of-the-art termination tools (e.g., Terminator); • Applying our algorithm to challenging and famous problems, e.g., the Collatz problem (a.k.a., the ‘3x+1’ problem); • Changing the class of polynomials to exponentials (or other functions) as an upper bound for labels of the ETT(F). COSC-4301-01, Lecture 15

  36. Summary • Termination Analysis by Function Inversion COSC-4301-01, Lecture 15

  37. Reading suggestions • [And08] Andrei, S.: Termination Analysis by Program Inversion. SYNASC 2008 COSC-4301-01, Lecture 15

  38. Coming up next • Modechart COSC-4301-01, Lecture 15

  39. Thank you for your attention!Questions? COSC-4301-01, Lecture 15

More Related