Bit-precise procedure-modular termination analysis Article (Accepted Version) Chen, Hong-Yi, David, Cristina, Kroening, Daniel, Schrammel, Peter and Wachter, Björn (2017) Bit-precise procedure-modular termination analysis. ACM Transactions on Programming Languages and Systems, 40 (1). pp. 1-38. ISSN 0164-0925 This version is available from Sussex Research Online: http://sro.sussex.ac.uk/id/eprint/69530/ This document is made available in accordance with publisher policies and may differ from the published version or from the version of record. If you wish to cite this item you are advised to consult the publisher’s version. Please see the URL above for details on accessing the published version. Copyright and reuse: Sussex Research Online is a digital repository of the research output of the University. Copyright and all moral rights to the version of the paper presented here belong to the individual author(s) and/or other copyright owners. To the extent reasonable and practicable, the material made available in SRO has been checked for eligibility before being made available. Copies of full text items generally can be reproduced, displayed or performed and given to third parties in any format or medium for personal research or study, educational, or not-for-profit purposes without prior permission or charge, provided that the authors, title and full bibliographic details are credited, a hyperlink and/or URL is given for the original metadata page and the content is not changed in any way. http://sro.sussex.ac.uk 0 Bit-Precise Procedure-Modular Termination Analysis Hong-Yi Chen, Department of Computer Science, University of Oxford, United Kingdom Cristina David, Department of Computer Science, University of Oxford, United Kingdom Daniel Kroening, Department of Computer Science, University of Oxford, United Kingdom Peter Schrammel, School of Engineering and Informatics, University of Sussex, United Kingdom Bjorn¨ Wachter, SSW-Trading GmbH, Oststeinbek, Germany Non-termination is the root cause of a variety of program bugs, such as hanging programs and denial-of- service vulnerabilities. This makes an automated analysis that can prove the absence of such bugs highly desirable. To scale termination checks to large systems, an interprocedural termination analysis seems essential. This is a largely unexplored area of research in termination analysis, where most effort has focussed on small but difficult single-procedure problems. We present a modular termination analysis for C programs using template-based interprocedural summari- sation. Our analysis combines a context-sensitive, over-approximating forward analysis with the inference of under-approximating preconditions for termination. Bit-precise termination arguments are synthesised over lexicographic linear ranking function templates. Our experimental results show the advantage of interproce- dural reasoning over monolithic analysis in terms of efficiency, while retaining comparable precision. 1. INTRODUCTION Termination bugs compromise safety-critical software systems by making them un- responsive. In particular, termination bugs can be exploited in denial-of-service at- tacks [Apache CVE-2009-1890 2009]. Termination guarantees are therefore instrumen- tal for ensuring software reliability. Termination provers are static analysis tools that aim to construct a proof of termination for a given input program and the implementa- tions of these tools have made tremendous progress in the past few years. They compute proofs for complex loops that may require linear lexicographic (e.g., [Ben-Amram and Genaim 2013; Ben-Amram and Genaim 2014; Leike and Heizmann 2014]) or non-linear termination arguments (e.g., Bradley et al. [2005b]) in a completely automatic way. However, there remain major practical challenges in analysing the termination of real-world code. First of all, as observed by Falke et al. [2012], most approaches in the literature are specialised to linear arithmetic over unbounded mathematical integers. Even though unbounded arithmetic may reflect the intuitively-expected program behaviour, the program actually executes over bounded machine integers. The semantics of C allows unsigned integers to wrap around when they over/underflow. Hence, arithmetic on k- bit-wide unsigned integers must be performed modulo 2k. According to the C standards, over/underflows of signed integers are undefined behaviour, but practically also wrap around on most architectures. Thus, accurate termination analysis requires a bit-precise analysis of the program semantics (i.e., an analysis that captures the semantics of programs down to each individual bit by using machine arithmetic). Tools must be This work is supported by EPSRC EP/H017585/1, by VeTeSS: Verification and Testing to Support Functional Safety Standards, Artemis Joint Undertaking 295311, H2020 FET OPEN 712689 SC2 and ERC project 280053 “CPROVER”. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. c 0 ACM. 0164-0925/0/-ART0 $15.00 DOI: 0000001.0000001 ACM Transactions on Programming Languages and Systems, Vol. 0, No. 0, Article 0, Publication date: 0. 0:2 Chen, David, Kroening, Schrammel, Wachter configurable with architectural specifications such as the width of data types and endianness. The following examples illustrate that termination behaviour on machine integers can be completely different than on mathematical integers. For example, the program fragment void foo1 ( unsigned n) f for ( unsigned x=0; x<=n ; x ++); g does terminate with mathematical integers, but does not terminate with machine integers if n equals the largest unsigned integer. On the other hand, the program fragment void foo2 ( unsigned x ) f while ( x>=10) x++; g does not terminate with mathematical integers, but terminates with machine integers because unsigned machine integers wrap around. A second challenge is to make termination analysis scale to larger programs. The annual Software Verification Competition (SV-COMP) [Beyer 2016] includes a division in termination analysis, which reflects a representative picture of the state of the art. The SV-COMP 2016 termination benchmarks contain challenging termination problems on smaller programs with at most 453 instructions (average 53), feature at most seven functions (average three) and four loops (average one). In this paper, we present a technique that we have successfully run on programs that are one order of magnitude larger, containing up to 5000 instructions. Larger instances require different algorithmic techniques to scale, and we conjecture that the key technique is a modular, interprocedural analysis which decomposes a problem into sub-problems rather than a monolithic analysis which would put all its resources into solving the problem all at once. Modular termination analysis raises several conceptual and practical challenges that do not arise in monolithic termination analysers. For example, when proving termination of a program, a possible approach is to prove that all procedures in the program terminate universally, i.e., in any possible calling context. However, this criterion is too optimistic, as termination of individual procedures often depends on the calling context, i.e., procedures terminate conditionally only in specific calling contexts. The approach that we take is verifying universal program termination in a top-down manner by proving termination of each procedure relative to its calling contexts, and propagating upwards which calling contexts guarantee termination of the procedure. It is too difficult to determine these contexts precisely; analysers thus compute pre- conditions for termination. A sufficient precondition identifies pre-states in which the procedure will definitely terminate, and is thus suitable for proving termination. By contrast, a necessary precondition identifies pre-states in which the procedure may terminate. Its negation are states in which the procedure will not terminate, which is useful for proving non-termination. In this paper we focus on the computation of sufficient preconditions for termination. Preconditions enable information reuse, and thus scalability, as it is frequently possible to avoid repeated analysis of parts of the code base, e.g., libraries whose procedures are called multiple times or parts of the code that did not undergo modifications between successive analysis runs. Contributions: ACM Transactions on Programming Languages and Systems, Vol. 0, No. 0, Article 0, Publication date: 0. Bit-Precise Procedure-Modular Termination Analysis 0:3 (1) We propose an algorithm for interprocedural termination analysis. The approach is based on a template-based static analysis using SAT solving. It combines context- sensitive, summary-based interprocedural analysis with the inference of precondi- tions for termination based on template abstractions. Note that, while each of the components in isolation is not novel, it is non-trivial to combine them in a way that achieves both scalability and precision. We focus on non-recursive programs, which cover a