Proving thread termination

Concurrent programs are often designed such that certain functions executing within critical threads must terminate. Examples of such cases can be found in operating systems, web servers, e-mail clients, etc. Unfortunately, no known automatic program termination prover supports a practical method of proving the termination of threads. In this paper we describe such a procedure. The procedure's scalability is achieved through the use of environment models that abstract away the surrounding threads. The procedure's accuracy is due to a novel method of incrementally constructing environment abstractions. Our method finds the conditions that a thread requires of its environment in order to establish termination by looking at the conditions necessary to prove that certain paths through the thread represent well-founded relations if executed in isolation from the other threads. The paper gives a description of experimental results using an implementation of our procedure on Windows device drivers and a description of a previously unknown bug found with the tool.
