Synthesis of ranking functions using extremal...

Synthesis of ranking functions using extremalcounterexamples

Laure Gonnord, David Monniaux, Gabriel Radanne(Lucas Seguinot)

Slides : credits Gabriel Radanne

Lyon1/LIP

2 dec 2014 - Compsys WG

Why ?

Our goal :Prove termination of some sequential programs.with a scalable algorithm

LG,DM,GR,LS (Lyon1/LIP) Synthesis of ranking functions using extremal counterexamples 2014 � 2 / 26 �

Notations

1 NotationsModel of programRanking functions

2 Algorithm to synthesize a ranking function

3 Implementation, results

4 Conclusion


Notations Model of program




4 Conclusion



Counter Automata

k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

The Initial positionx = 5 and y = 10

The Invariants (given byASPIC)

0 6 x+ 1 x 6 11

0 6 y + 1 y 6 x+ 5

x+ y 6 15O

x

y

Initial position



Counter Automata

k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1



0 6 x+ 1 x 6 11

0 6 y + 1 y 6 x+ 5

x+ y 6 15

Ox

y

Initial position



Counter Automata

k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1



0 6 x+ 1 x 6 11

0 6 y + 1 y 6 x+ 5

x+ y 6 15

Ox

y

Initial position

t1t2



Counter Automata

k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1



0 6 x+ 1 x 6 11

0 6 y + 1 y 6 x+ 5

x+ y 6 15O

x

y

Initial position

t1t2



Invariant representation

Ox

y

Initial position

t1t2

HereI = {0 6 x+ 1, x 6 11, 0 6y + 1, y 6 x+ 5, x+ y 6 15},

i.e. I ={x∣∣ ai · x+ bi ≥ 0

}with

a =(10

) (−10

) (01

) (1−1) (

11

)b = 1 11 1 5 15


Notations Ranking functions




4 Conclusion



The Automaton

k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

A linear ranking functionρ(x, y) = y + 1

LinearDecreasingPositive

Ox

y

Initial position

t1t2



Proving termination

Linear ranking functionDecreasing by at least one along the transitionsPositiveLinear

Weak linear ranking functionDecreasing along the transitionsPositiveLinear

NoteThe null function is always a weak linear ranking function.


Algorithm to synthesize a ranking function

1 Notations

2 Algorithm to synthesize a ranking functionLimitations and workarounds


4 Conclusion




Two main ideasBig block encoding.Treat the loops globally.

First GoalFind a linear ranking function.In programs with one control point.A “maximally strict” one.



Some Maths

Inputτ a transition relationI an invariant I =

{x∣∣ ai · x+ bi ≥ 0

}Looking for ρ = λx+ `

Positive on I : ρ(x) = (∑m

i=1 λiai) · x+ ` (Farkas)Decreasing : ∀(x,x′) ∈ . . . , λ.(x− x′) > 0

The second condition is λ.u > 0, ∀u in a certain polyhedron :

PI,τ = {x− x′|x ∈ I and (x,x′) ∈ τ},

or for each of its generators uj .



Simple algorithm for one control point

An incremental algorithm1. Consider ρ a (weak) ranking function.2. Find a counterexample.

i.e. an element u ∈ PI,τ = {x− x′| x ∈ I, (x,x′) ∈ τ}which contradicts that ρ is a strict ranking function.→ If none is found, the current ranking function is strict.Stop.

3. Add u to a set C.4. Use C to compute a new “maximally strict” ranking function.5. Go back to step 2.



Simple algorithm for one control point, 4.

ρ(x) =

(m∑i=1

λiai

)· x+

m∑i=1

λibi with I ={x∣∣ ai · x+ bi ≥ 0

}

Definition : LP (C, I)C = (u1, . . .uN ) a set of generators of the polyhedron PI,τ ,

LP (C, I) =

Maximize

∑i δi s.t.

λ1, . . . , λm > 00 6 δj 6 1 for all 1 6 j 6 N∑m

i=1 λi(uj .ai) > δj for all 1 6 j 6 N

Propositionλ = 0 is always a solution.ρ is “maximally strict” on C.



k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

Current State

ρ(

(xy

)) =

(xy

)·(00

)+ 0, C = {}

Give the SMT-solver the constraint :

I ∧ τ ∧ ρ((xy

))− ρ(

(x′

y′

)) 6 0

x = −1 x′ = 0

y = 0 y′ = −1u =

(−11

)

Ox

y

Initial position

t1t2



k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

Current State

ρ(

(xy

)) =

(xy

)·(00

)+ 0, C = {}


I ∧ τ ∧(x− x′y − y′

)·(00

)6 0

x = −1 x′ = 0

y = 0 y′ = −1u =

(−11

)

Ox

y

Initial position

t1t2



k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

Current State

ρ(

(xy

)) =

(xy

)·(00

)+ 0, C = {}


I ∧ τ ∧(x− x′y − y′

)·(00

)6 0

x = −1 x′ = 0

y = 0 y′ = −1u =

(−11

) Ox

y

Initial position

t1t2

x

x′



k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

Current State

ρ(

(xy

)) =

(xy

)·(00

)+ 0, C =

{(−11

)}

Ox

y

Initial position

t1t2



k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

Current State

ρ(

(xy

)) =

(xy

)·(00

)+ 0, C =

{(−11

)}Give to the LP-solver the problem :

Maximize δ1 s.t.λ1, λ2, λ3, λ4, λ5 > 00 6 δ1 6 1−λ1 + λ2 + λ3 − 2λ4 > δ1

Ox

y

Initial position

t1t2



k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

Current State

ρ(

(xy

)) =

(xy

)·(00

)+ 0, C =

{(−11

)}→ Gives backλ2 = 1, λ1 = λ3 = λ4 = λ5 = 0.

Then l = a2 =(−10

)and ` = b2 = 11.

ρ(

(xy

)) =

(xy

)·(−10

)+ 11

Ox

y

Initial position

t1t2



k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

Current State

ρ(

(xy

)) =

(xy

)·(−10

)+11, C =

{(−11

)}

Ox

y

Initial position

t1t2



k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

Current State

ρ(

(xy

)) =

(xy

)·(−10

)+11, C =

{(−11

)}Give the SMT-solver the constraint :

I ∧ τ ∧(x− x′y − y′

)·(−10

)6 0

x = 11 x′ = 10

y = 0 y′ = −1u =

(11

) Ox

y

Initial position

t1t2

x

x′



k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

Current State

ρ(

(xy

)) =

(xy

)·(−10

)+ 11, C ={(

−11

),

(11

)}

Ox

y

Initial position

t1t2



k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

Current State

ρ(

(xy

)) =

(xy

)·(−10

)+ 11, C ={(

−11

),

(11

)}Give to the LP-solver the problem :

Maximize δ1 + δ2 s.t.λ1, λ2, λ3, λ4, λ5 > 00 6 δ1, δ2 6 1−λ1 + λ2 + λ3 − 2λ4 > δ1λ1 − λ2 + λ3 − 2λ5 > δ2

Ox

y

Initial position

t1t2



k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

Current State

ρ(

(xy

)) =

(xy

)·(−10

)+ 11, C ={(

−11

),

(11

)}→ Gives backλ3 = 1, λ1 = λ2 = λ4 = λ5 = 0.

Then l = a3 =(01

)and ` = b3 = 1.

ρ(

(xy

)) =

(xy

)·(01

)+ 1

Ox

y

Initial position

t1t2



k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

Current State

ρ(

(xy

)) =

(xy

)·(01

)+ 1, C ={(

−11

),

(11

)}

Ox

y

Initial position

t1t2



k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

Current State

ρ(

(xy

)) =

(xy

)·(01

)+ 1, C ={(

−11

),

(11

)}Give the SMT-solver the constraint :

I ∧ τ ∧(x− x′y − y′

)·(01

)6 0

which is unsat.

Ox

y

Initial position

t1t2



k0t1 :

x 6 10 ∧ 0 6 yx := x+ 1y := y − 1

t2 :0 6 x ∧ 0 6 yx := x− 1y := y − 1

Current State

ρ(

(xy

)) =

(xy

)·(01

)+ 1, C ={(

−11

),

(11

)}

Outputρ(x, y) = y + 1

ρ is a strict ranking function.

Ox

y

Initial position

t1t2


Algorithm to synthesize a ranking function Limitations and workarounds

1 Notations

2 Algorithm to synthesize a ranking functionLimitations and workarounds


4 Conclusion



Limitation 1

This algorithm doesn’t terminate in generalThe set of counter examples is infinite.If there is no strict ranking function.

Fix : limit the search area for uimpose counter examples to be in the boundary of PI,τ(max-smt).look for u 6∈ span(previous u)



Limitation 2

This algorithm only computes rankings of dim 1But all programs are not linear !Compute lexicographic linear ranking functions (in Qm).

We use the same greedy algorithm as in [Alias et al, SAS 2010]



Limitation 3

This algorithm is only for one control pointBut not all programs have only one control point !

We encode the control points in the invariant, the transition, andstore for u vectors of vectors.


Implementation, results

1 Notations



4 Conclusion



In a nutshell

C

C program

CLANG and LLVM

PAGAI I

Invariants

LLVM to SMT τ

Transition relation

Smt terminate

LP

Z3

ρ

Ranking function

Our code

External code

Legend



Control flow graph and LLVM representation

1 void simple_loop_constant () {

2 for(unsigned i=0; i<10; i++) {

3 // Do nothing

4 }

5 } block %0

1 br label %1

block %1

1 %i.0 = phi i32 [ 0, %0 ], [ %5, %4 ]

2 %2 = icmp ult i32 %i.0 , 10

3 br i1 %2, label %3, label %6

block %6

1 ret void

block %3

1 br label %4

block %4

1 %5 = add i32 %i.0 , 1

2 br label %1



SMT encoding for control-flow-graph

block %0

1 br label %1

block %1

1 %i.0 = phi i32 [ 0, %0 ], [ %5, %4 ]

2 %2 = icmp ult i32 %i.0 , 10


block %6

1 ret void

block %3

1 br label %4

block %4

1 %5 = add i32 %i.0 , 1

2 br label %1



SMT encoding for control-flow-graphblock %1 Down part

1 %2 = icmp ult i32 %i.0 , 10


block %6

1 ret void

block %3

1 br label %4

block %4

1 %5 = add i32 %i.0 , 1

2 br label %1

block %0

1 br label %1

block %1 Up part

1 %i.0 = phi i32 [ 0, %0 ], [ %5, %4 ]



SMT encoding for control-flow-graphblock %1 Down part

x2 = i0 < 10if x2 then b1 = e9 else

b1 = e10

block %6

e10 = b6

block %3

e9 = b3b3 = e7

block %4

e7 = b4x5 = i0 + 1b4 = e8

block %0

false = b1b1 = e6

block %1 Up part

e6 ∨ e8 = b5i′0 = ite e6 then 0 else if e8 then x5

e6

e10e9

e7

e8



Experiments

Example Ranking functionRank tool Termite

#LP Avg. #size #LP Avg. #size #SMT Avg. sizeThe example y + 1 1 84× 51 1 3× 7 3 20

easy1 41− x 1 334× 155 1 3× 6 3 21

easy2 z 2 86× 42 1 3× 5 3 16

wcet2 −11i− j + 65 2 225× 94 2 4× 6 4 20

exmini 102− i− j + k 2 140× 65 3 6× 8 5 16

cousot9

(ij

)3 180× 75 5 6× 8 6 25


Conclusion

1 Notations



4 Conclusion


Conclusion

Conclusion

SummaryWe saw a method to infer ranking functions in an iterativefashion using extremal counter-examples

which always terminate,which scales better than other approaches.

Future workconsolidate Termiteinvestiguate the complexitiesstill room for improvement.


Conclusion

Transition system

Transition systemWe consider programs over a state space S ⊂ W×Qn, where :

W is the finite set of control states, defined by an initialstate and a transition relation τ ;Qn is the value of the set of variable considered at thedifferent control points.

Set of reachable valuesWe note

Rk ={x∣∣ (k,x) ∈ S}

the set of all values of x when the flow is in the state k.


Conclusion

Invariants

InvariantAn invariant on a control point k ∈ W is a formula φk(x) that istrue for all reachable states (k,x).

Affine invariantAn invariant is affine if it is a conjunction of a finite number ofaffine conditions on program variables.Said in another way, for all k ∈ W, there exists a convexpolyhedron Pk such that Rk ⊆ Pk.


Conclusion

Linear ranking functionA (strict) linear ranking functionis a function ρ :W ×Qn → Q such that :

for any state k ∈ W, x 7→ ρ(k,x) is affine linear ;for any transition (k,x, k′,x′), ρ(k′,x′) 6 ρ(k,x)− 1 ;for any state (k,x) in the invariant I,ρ(k,x) > 0 ;

Weak linear ranking functionWe replaces the second condition by ρ(k′,x′) 6 ρ(k,x).


Conclusion

Lexicographic Linear ranking functionA Lexicographic (strict) linear ranking function of dimensionmis a function ρ :W ×Qn → Qm such that :

for any state k ∈ W, x 7→ ρ(k,x) is affine linear ;for any transition (k,x, k′,x′), ρ(k′,x′)≺ ρ(k,x) ;for any state (k,x) in the invariant I,all coordinates of ρ(k,x) are nonnegative .

Weak Lexicographic linear ranking functionWe replaces the second condition by ρ(k′,x′)� ρ(k,x).

Lexicographic order〈x1, . . . , xm〉 ≺ 〈y1, . . . , ym〉 if and only if there exists an i suchthat xj = yj for all j < i and xi 6 yi − 1


Conclusion

Maximal termination power

Objective functionGiven a (subset) C of generators of PI,τ , ρ = λx+ `, we defineπC(ρ) the set of all elements ui of C that satisfy λ.ui > 0.

PropositionπC(ρ) is max for cardinality iff max with respect to inclusion.


Conclusion

Final Algorithm for one control pointRequire: I and τC ← ∅, B ← ∅finished ← falseλ← 0, λ0 ← 0while ¬finished ∧Sat(I ∧ τ ∧AvoidSpace(u,B)) with minimization for λ ·u(6 0) do

(u, unbound)← a model for u in the above SMT testC ← C ∪ {u}if unbound then

Let r a ray generator of PH such that u = · · ·+ αrC ← C ∪ {r}

end if(γ, δ)← LP (C,ConsI)if γ = 0 then finished ← trueelseλ←

∑mi=1 γiai, λ0 ←

∑mi=1 γibi

if δu = 0 then B ← B ∪ {u}end if

end ifend whilereturn (λ, λ0, (

∧i δi = 1) ∧ ¬Sat(I ∧ τ ∧ u = 0))


Conclusion

Multidim

Require: I and τd← 1, failed ← falserepeat

(λ, λ0, strict)←

MONODIM

I, τ ∧ ∧d′<d

λd′ · u = 0

if ¬strict then

if λ is in the span of ρ thenfailed ← true

elseρd ← λ+ λ0d← d+ 1

end ifend if

until strict ∨ failedreturn if failed then “None” else ρ


Conclusion

Multipc - example

1 2t1 :

j > 0t2 :

i < 5j := 0

t3 :i > 2 ∧ j 6 9j := j + 1

t4 :i 6 2 ∨ j > 9i := i+ 1

1. Beginning with C = {} and ρ(x) = 0, that is : λ1 = 0 andλ2 = 0. We have x =

(ij

)and u = ek(x)− ek′(x′). In the

SMT-query, τ is now written as follows :(k = 1 ∧ k′ = 2 =⇒ i < 5 ∧ j′ = 0 ∧ u = (i, j, i′, j′)>

)∧ . . .


Conclusion

Multipc - example

1 2t1 :

j > 0t2 :

i < 5j := 0

t3 :i > 2 ∧ j 6 9j := j + 1

t4 :i 6 2 ∨ j > 9i := i+ 1

First iteration.2. Sat(I ∧ τ ∧AvoidSpace(u,B) ∧ 0 · u 6 0)?

Yes, with k = 2, k′ = 1, x =(110

)and x′ =

(−210

)(this

corresponds to transition t4)3. C ←

{(1 10 −2 −10

)>}4. Call LP (C,ConsI).

It gives us λ1 =(00

)and λ2 =

(1/20

).

. . . few iterationsReturn. We obtain ρ1(x) = 0, ρ2(i, j) = −11/2i− j + 32, a

strict ranking function for (τ, I).LG,DM,GR,LS (Lyon1/LIP) Synthesis of ranking functions using extremal counterexamples 2014 � 26 / 26 �

Synthesis of ranking functions using extremal...

Documents

Transcript of Synthesis of ranking functions using extremal...