[PPT] - Fair Termination of Higher-Order Functional Programs Keiichi PowerPoint Presentation

SLIDE 1

Automatically Disproving Fair Termination of Higher-Order Functional Programs

Keiichi Watanabe, Ryosuke Sato Takeshi Tsukada, Naoki Kobayashi The University of Tokyo

September 20th, 2016

ICFP 2016 at Nara

1

SLIDE 2

Our Goal

Automated method for disproving fair-termination

f higher-order functional programs
cf. Prove Fair-termination [Murase+ POPL16]

2

Verification of 𝝏-regular properties can be reduced to that of fair-termination [Vardi APAL91]

includes LTL properties

SLIDE 3

Outline

Termination & Fair-Termination
Importance of Fair-Termination
Our Method
Implementation and Experiments
Related Work
Conclusion

3

SLIDE 4

Outline

Termination & Fair-Termination
Importance of Fair-Termination
Our Method
Implementation and Experiments
Related Work
Conclusion

4

SLIDE 5

Plain Termination

5

Program 𝑄 is terminating ⇔ Every execution eventually terminates

Terminating

main main

Not Terminating

SLIDE 6

Fair-Termination

6

Fair-Terminating

Not Fair-Terminating

An example of fairness in this talk:

If A occurs infinitely often, so does B Program 𝑄 is fair-terminating ⇔ Every fair execution eventually terminates

SLIDE 7

Outline

Termination & Fair-Termination
Importance of Fair-Termination
Our Method
Implementation and Experiments
Related Work
Conclusion

7

SLIDE 8

Terminating, assuming randomness of *int

8 let rand_int () = *int let rec rand_pos () = let x = rand_int () in if 0 < x then x else rand_pos () let main = rand_pos ()

Termination assuming Randomness

SLIDE 9

Terminating, assuming randomness of *int

9

Q.

How to incorporate randomness with termination verification?

let rand_int () = *int let rec rand_pos () = let x = rand_int () in if 0 < x then x else rand_pos () let main = rand_pos ()

Termination assuming Randomness

SLIDE 10

10 let rand_int () = let r = *int in if 0 < r then (event B; r) else (event A; r) let rec rand_pos () = let x = rand_int () in if 0 < x then x else rand_pos () let main = rand_pos ()

Insert event expressions

Termination assuming Randomness

SLIDE 11

11 let rand_int () = let r = *int in if 0 < r then (event B; r) else (event A; r) let rec rand_pos () = let x = rand_int () in if 0 < x then x else rand_pos () let main = rand_pos ()

If *int never returns a positive integer, execution is unfair

A → A → A → A →…

Termination assuming Randomness

Termination assuming randomness → Fair-termination

SLIDE 12

Our Goal (Again)

Automated method for disproving fair-termination

f higher-order functional programs
cf. Prove Fair-termination [Murase+ POPL16]

12

Verification of 𝝏-regular properties can be reduced to that of fair-termination [Vardi APAL91]

includes LTL properties

SLIDE 13

Our Goal (Again)

Automated method for disproving fair-termination

f higher-order functional programs

13

Verification of 𝝏-regular properties can be reduced to that of fair-termination [Vardi APAL91]

includes LTL properties

Proving the existence of fair infinite executions

SLIDE 14

Outline

Termination & Fair-Termination
Importance of Fair-Termination
Our Method
Overview of Method
Step 1, Step 2, Step 3
Properties of Our Method
Implementation and Experiments
Related Work
Conclusion

14

SLIDE 15

Overview of Method

Step 2： Higher-Order Model Checking

accept

Fairness Constraint Functional Program

Step 1: Reduction to Higher-Order Model Checking

15

Tree Generating Program Tree Automaton

reject

Predicates Step 3: Predicate Discovery Counterexample

Fair infinite executions exist!

An extension of a method for disproving plain termination [Kuwahara+ CAV15]

SLIDE 16

Overview of Method

Step 2： Higher-Order Model Checking

accept

Fairness Constraint Functional Program

Step 1: Reduction to Higher-Order Model Checking

16

Tree Generating Program Tree Automaton

reject

Predicates Step 3: Predicate Discovery Counterexample Fair infinite paths exist

Computation Tree

Fair infinite executions exist!

SLIDE 17

Fair infinite executions exist!

Overview of Method

Step 2： Higher-Order Model Checking

accept

Fairness Constraint Functional Program

Step 1: Reduction to Higher-Order Model Checking

17

Tree Generating Program Tree Automaton

reject

Predicates Step 3: Predicate Discovery Counterexample Abstracted Tree Accepted by the automaton Fair infinite paths exist

Computation Tree

SLIDE 18

Overview of Method

Step 2： Higher-Order Model Checking

accept

Fairness Constraint Functional Program

Step 1: Reduction to Higher-Order Model Checking

18

Tree Generating Program Tree Automaton

reject

Predicates Step 3: Predicate Discovery

Fair infinite executions exist!

Counterexample Abstracted Tree Accepted by the automaton Fair infinite paths exist Sufficient condition

Computation Tree

SLIDE 19

Overview of Method

Step 2： Higher-Order Model Checking

accept

Fairness Constraint Functional Program

Step 1: Reduction to Higher-Order Model Checking

19

Tree Generating Program Tree Automaton

reject

Predicates Step 3: Predicate Discovery Counterexample

Fair infinite executions exist!

Abstracted Tree Decide whether the automaton accepts the abstracted tree

SLIDE 20

Overview of Method

Step 2： Higher-Order Model Checking

accept

Fairness Constraint Functional Program

Step 1: Reduction to Higher-Order Model Checking

20

Tree Generating Program Tree Automaton

reject

Predicates Step 3: Predicate Discovery Counterexample

Fair infinite executions exist!

Refine abstraction by using counterexamples

SLIDE 21

Overview of Method

Step 2： Higher-Order Model Checking

accept

Fairness Constraint Functional Program

Step 1: Reduction to Higher-Order Model Checking

21

Tree Generating Program Tree Automaton

reject

Predicates Step 3: Predicate Discovery Counterexample

Fair infinite executions exist!

SLIDE 22

Overview of Method

Step 2： Higher-Order Model Checking

accept

Fairness Constraint Functional Program

Step 1: Reduction to Higher-Order Model Checking

22

Tree Generating Program Tree Automaton

reject

Predicates Step 3: Predicate Discovery

Fair infinite executions exist!

Counterexample Abstracted Tree Accepted by the automaton Fair infinite paths exist Sufficient condition

Computation Tree

SLIDE 23

23

Two Branching Nodes in Abstracted Trees

[Kuwahara+ CAV15]

Represents inherent non-determinism in programs
e.g. random integer, inputs
We should check if there exists a fair infinite branch
Represents non-determinism introduced by abstraction
We should check if every branch is fair and infinite

∃-node ∀-node

SLIDE 24

Tree(𝐸)

let f x = let y = x+1 in if 0 < y then event B; g y else event A; g y in f *int

𝑄

let f bx=0 = if bx=0 then ∀(B(g true)) else ∀(B(g true), A(g false)) in ∃(f true, f false)

𝐸

Computation tree of 𝑄

Abstract by 𝒚 = 𝟏, 𝟏 < 𝒛 24

*

if A if A if B if B ・・・・・・ 0<y x=0 ∀ ∀ ∃ B A B ¬(x=0) 0<y ¬(0<y)

[Kuwahara+ CAV15]

Two Branching Nodes in Abstracted Trees

SLIDE 25

Tree(𝐸)

let f x = let y = x+1 in if 0 < y then event B; g y else event A; g y in f *int

𝑄

let f bx=0 = if bx=0 then ∀(B(g true)) else ∀(B(g true), A(g false)) in ∃(f true, f false)

𝐸

Computation tree of 𝑄

Abstract by 𝒚 = 𝟏, 𝟏 < 𝒛 25

*

if A if A if B if B ・・・・・・

x=0

merged

∃ ¬(x=0)

0<y

x=0

∀ ∀ B A B 0<y ¬(0<y)

Inherent Non-Determinism

∃-node:

x=1 x=-1 x=-2

SLIDE 26

Tree(𝐸)

let f x = let y = x+1 in if 0 < y then event B; g y else event A; g y in f *int

𝑄

let f bx=0 = if bx=0 then ∀(B(g true)) else ∀(B(g true), A(g false)) in ∃(f true, f false)

𝐸

Computation tree of 𝑄

Abstract by 𝒚 = 𝟏, 𝟏 < 𝒛 26

*

if A if A if B if B ・・・・・・

x=0 ∃ ¬(x=0)

0<y

x=0

∀ ∀ B A B 0<y ¬(0<y)

Inherent Non-Determinism

∃-node:

x=1 x=-1 x=-2

Check if either branch is fair and infinite

SLIDE 27

Tree(𝐸)

let f x = let y = x+1 in if 0 < y then event B; g y else event A; g y in f *int

𝑄

let f bx=0 = if bx=0 then ∀(B(g true)) else ∀(B(g true), A(g false)) in ∃(f true, f false)

𝐸

Computation tree of 𝑄

Abstract by 𝒚 = 𝟏, 𝟏 < 𝒛 27

*

if

A

if A if B

if

B

・・・ ¬(x=0) 0<y ¬(0<y) 0<y x=0 ∀ ∃ B

∀

・・・

Non-Determinism introduced by Abstraction

∀-node:

then else then else

A B

SLIDE 28

Tree(𝐸)

let f x = let y = x+1 in if 0 < y then event B; g y else event A; g y in f *int

𝑄

let f bx=0 = if bx=0 then ∀(B(g true)) else ∀(B(g true), A(g false)) in ∃(f true, f false)

𝐸

Computation tree of 𝑄

Abstract by 𝒚 = 𝟏, 𝟏 < 𝒛 28

*

if

A

if A if B

if

B

・・・ ¬(x=0) 0<y ¬(0<y) 0<y x=0 ∀ ∃ B

∀

・・・

then else then else

A B

Non-Determinism introduced by Abstraction

∀-node:

Check if both branches are fair and infinite

SLIDE 29

Parity Tree Automaton 𝐵𝐷

Tree(𝐸) is accepted by 𝐵𝐷 if

∃-node

Some branches have fair infinite paths

∀-node

All branches have fair infinite paths

¬(x=0) 0<y ¬(0<y) 0<y x=0 ∀ ∀ ∃ B A B

29

If Tree(𝐸) is accepted by 𝐵𝐷, 𝑄 is NOT fair-terminating

SLIDE 30

Parity Tree Automaton 𝐵𝐷

Tree(𝐸) is accepted by 𝐵𝐷 if

∃-node

Some branches have fair infinite paths

∀-node

All branches have fair infinite paths

¬(x=0) 0<y ¬(0<y) 0<y x=0 ∀ ∀ ∃ B A B

30

If Tree(𝐸) is accepted by 𝐵𝐷, 𝑄 is NOT fair-terminating Needed to express fairness

SLIDE 31

Overview of Method

Step 2： Higher-Order Model Checking

accept

Fairness Constraint Functional Program

Step 1: Reduction to Higher-Order Model Checking

31

Tree Generating Program Tree Automaton

reject

Predicates Step 3: Predicate Discovery Counterexample

Fair infinite executions exist!

Abstracted Tree Decide whether the automaton accepts the abstracted tree

SLIDE 32

Input:

Tree generating Boolean Program 𝐸
Parity tree automaton 𝐵𝐷

Output of Step 1 32

Step 2

Output: Whether 𝐵𝐷 accepts 𝐔𝐬𝐟𝐟 𝐸 If 𝐵𝑑 rejects the tree,

counterexample will be returned

SLIDE 33

Input:

Tree generating Boolean Program 𝐸
Parity tree automaton 𝐵𝐷

Output of Step 1 33

Step 2

Output: Whether 𝐵𝐷 accepts 𝐔𝐬𝐟𝐟 𝐸 If 𝐵𝑑 rejects the tree,

counterexample will be returned

Higher-order model checking

[Ong LICS06]

SLIDE 34

Counterexample Tree

Subtree that is NOT accepted by 𝐵𝐷

Abstracted computation tree Counterexample tree

34

∀ End ∃ A A A ∃ ∀ End ∃ A A A

SLIDE 35

Counterexample Representation

35

Challenge: How to represent an infinite counterexample tree?

SLIDE 36

Counterexample Representation

cf. Type based effective selection

[Carayol&Serre LICS12] [Tsukada&Ong LICS14]

main = ∃ (End, ∀ f) f = ∀(𝐵 f)

36

Solution: Use a finite program that generates a counterexample tree

generates

Challenge: How to represent an infinite counterexample tree?

SLIDE 37

Overview of Method

Step 2： Higher-Order Model Checking

accept

Fairness Constraint Functional Program

Step 1: Reduction to Higher-Order Model Checking

37

Tree Generating Program Tree Automaton

reject

Predicates Step 3: Predicate Discovery Counterexample

Fair infinite executions exist!

Refine abstraction by using counterexamples

SLIDE 38

38

Discover predicates from counterexample paths

Abstraction Refinement

Example:

if flag then fair_loop() else ()

[Kobayashi+ PLDI11] [Kuwahara+ CAV15]

if

( )

(AB)𝜕 Computation tree

always true

SLIDE 39

39

Discover predicates from counterexample paths

Abstraction Refinement

Example:

if flag then fair_loop() else ()

[Kobayashi+ PLDI11] [Kuwahara+ CAV15]

if

( )

(AB)𝜕 Coarse abstraction Abstracted tree ∀

End

(AB)𝜕 Computation tree

Spurious

SLIDE 40

40

Discover predicates from counterexample paths

Abstraction Refinement

Example:

if flag then fair_loop() else ()

[Kobayashi+ PLDI11] [Kuwahara+ CAV15]

if

( )

(AB)𝜕 Coarse abstraction Abstracted tree ∀

End

(AB)𝜕 Computation tree

Discover new predicates by analyzing counterexample paths

SLIDE 41

41

Discover predicates from counterexample paths

Abstraction Refinement

Example:

if flag then fair_loop() else ()

[Kobayashi+ PLDI11] [Kuwahara+ CAV15]

if

( )

(AB)𝜕 Coarse abstraction Abstracted tree ∀

End

(AB)𝜕

Abstraction with discovered predicates

Computation tree (AB)𝜕 ∀

SLIDE 42

42

Challenge: Previous techniques are limited to finite counterexample paths

Predicates Discovery from Infinite Paths

Infinite counterexample path

∀

A𝝏

(AB)𝜕

SLIDE 43

Solution:

Use finite prefixes of counterexample paths

43

Finite length

Challenge: Previous techniques are limited to finite counterexample paths

∀

A𝜕

(AB)𝜕

Predicates Discovery from Infinite Paths

SLIDE 44

Overview of Method

Step 2： Higher-Order Model Checking

accept

Fairness Constraint Functional Program

Step 1: Reduction to Higher-Order Model Checking

44

Tree Generating Program Tree Automaton

reject

Predicates Step 3: Predicate Discovery Counterexample

Fair infinite executions exist!

SLIDE 45

Our Method is …

Sound
Incomplete
Not terminating, when 𝑄 is fair-terminating

→ Run a fair-termination verifier at the same time

45 [Murase+ POPL16]

SLIDE 46

Outline

Termination & Fair-Termination
Importance of Fair-Termination
Our Method
Implementation and Experiments
Related Work
Conclusion

46

SLIDE 47

Implementation

An extension of MoCHi [Kobayashi+ PLDI11]
Backend
Higher-order model checker:

HorSatP [Fujima 15] ＋ Counterexample generation

SMT solver:

Z3 [de Moura & Bjørner TACAS08]

47

SLIDE 48

Experiments

Two Benchmarks

1. Small, original benchmark programs
2. Variants of the benchmark programs in

[Koskinen&Terauchi LICS14] and [Murase+ POPL16]

All programs are NOT fair-terminating

48

SLIDE 49

49

Spec: Xeon E5-2680 v3 (2.50GHz, 16GB of memory)
Time Limit: 300 seconds

Program Order Cycles Time[sec] murase-repeat 2 2 0.98 murase-closure 2 2 0.8 koskinen-1 2 3 2.96 koskinen-2 1 5 9.5 koskinen-3-1 1 4 4.94 koskinen-3-2 1 ≧2 timeout koskinen-3-2

(predicates given by hand)

1 1 0.87 koskinen-3-3 1 4 5.63 (Excerpt)

Experiment Results

SLIDE 50

Outline

Termination & Fair-Termination
Importance of Fair-Termination
Our Method
Implementation and Experiments
Related Work
Conclusion

50

SLIDE 51

Related Work

Proving fair CTL and CTL* properties

[Cook+ TACAS15] [Cook+ CAV15]

Disproving fair-termination of

multi-threaded programs [Atig+ CAV12]

51

Automated verification for higher-order programs

Proving fair-termination [Murase+ POPL16]
Disproving plain termination [Kuwahara+ CAV15]

Temporal verification for first-order programs

SLIDE 52

Conclusion

Future work

Tighter integration with fair-termination verification
Scalability
General temporal property verification
Reduction to parity tree automata HO model checking
Finite representations of infinite counterexample trees
Predicate discovery from finite counterexample prefixes

52

Automated method for disproving fair-termination

f higher-order functional programs

SLIDE 53

Program that Our Method Cannot Verify

53

let rec repeat n = if n = 0 then () else (event A; repeat (n-1)) let rec f x = repeat x; event B; f (x+1) let main = f 0 Extra: In order to prove the existence

f fair infinite path,

we must prove that event B occurs infinitely often For this, we must prove that repeat eventually terminates for arbitrary input x Our method cannot prove the termination automatically

SLIDE 54

Program that Our Method Cannot Verify

54

let rec repeat n = if n = 0 then () else (event A; repeat (n-1)) let rec f x = repeat x; event B; f (x+1) let main = f 0 Extra: In order to prove the existence

f fair infinite path,

we must prove that event B occurs infinitely often For this, we must prove that repeat eventually terminates for arbitrary input x Our method cannot prove the termination automatically

cf. Termination verification