Proving Termination of Programs with Bitvector Arithmetic by Symbolic Execution

Abstract

In earlier work, we developed an approach for automated termination analysis of C programs with explicit pointer arithmetic, which is based on symbolic execution. However, similar to many other termination techniques, this approach assumed the program variables to range over mathematical integers instead of bitvectors. This eases mathematical reasoning but is unsound in general. In this paper, we extend our approach in order to handle fixed-width bitvector integers. Thus, we present the first technique for termination analysis of C programs that covers both byte-accurate pointer arithmetic and bit-precise modeling of integers. We implemented our approach in the automated termination prover AProVE and evaluate its power by extensive experiments.

Supported by the DFG grant GI 274/6-1.

Appendices

A Separation Logic Semantics of Abstract States

To formalize the semantics of an abstract state \(a\), in [14] we introduced a separation logic formula \(\langle {a} \rangle _{ SL }\), which extends \(\langle {a} \rangle _{ FO }\) by information about the memory (i.e., about \( AL \) and \( PT \)). In \(\langle {a} \rangle _{ SL }\), we combine the elements of \( AL \) with the separating conjunction “\(*\)” to express that different allocated memory blocks are disjoint. As usual, \(\varphi _1 * \varphi _2\) means that \(\varphi _1\) and \(\varphi _2\) hold for disjoint parts of the memory. In contrast, the elements of \( PT \) are combined by the ordinary conjunction “\(\wedge \)”. So \((v_1 \hookrightarrow _{{\mathtt {ty}},i}v_2) \in PT \) does not imply that \(v_1\) is different from other addresses in \( PT \). Similarly, we also combine the two formulas resulting from \( AL \) and \( PT \) by “\(\wedge \)”, as both express different properties of the same addresses.

Definition 8

( \( SL \) Formulas for States). For \(v_1,v_2 \in \mathcal {V}_{ sym }\), let \(\langle {[\![v_1,\,v_2]\!]} \rangle _{SL} = (\forall x. \exists y. \; (v_1 \le x \le v_2) \Rightarrow (x \hookrightarrow y))\). For any LLVM type \({\mathtt {ty}}\), we define

$$ \langle v_1 \hookrightarrow _{\mathtt {ty},u} v_2\rangle _{SL} = \langle v_1 \hookrightarrow _{size\mathtt {(ty)}} v_2\rangle _{SL}. $$

To handle the two’s complement representation of signed integers, we define \(\langle {v_1 \hookrightarrow _{{\mathtt {ty}},s}v_2} \rangle _{SL} =\)

where \(v_3 \in \mathcal {V}_{ sym }\) is fresh. We assume a little-endian data layout (where least significant bytes are stored in the lowest address). Hence, we define \(\langle v_{1}\hookrightarrow _0 v_3\rangle _{SL} = true\) and \(\langle v_1 \hookrightarrow _{n+8} v_3\rangle _{SL} = (v_1 \hookrightarrow (v_3\ \mathrm{mod}\ 2^8)) \wedge \langle (v_1 + 1) \hookrightarrow _n (v_3\, { \mathrm div }\, 2^8)\rangle _{SL}\).

A state \(a= (p, LV , KB , AL , PT )\) is represented in separation logic by

We use interpretations \(( as , mem )\) for the semantics of separation logic (Sect. 2).

Definition 9

(Semantics of Separation Logic). Let \( as \!:\!\mathcal {V}_{\mathcal {P}}\!\rightarrow \!\mathbb {Z}\) be an assignment, \( mem : \mathbb {N}_{> 0}\rightharpoonup \{0,\ldots ,\mathsf {umax}_{8}\}\), and \(\varphi \) be a formula. Let \( as (\varphi )\) result from replacing all local variables \(\mathtt{x}\) in \(\varphi \) by the value \( as (\mathtt{x})\). By construction, local variables \(\mathtt{x}\) are never quantified in our formulas. Then we define \(( as , mem ) \models \varphi \) iff \( mem \models as (\varphi )\).

We now define \( mem \models \psi \) for formulas \(\psi \) that may contain symbolic variables from \(\mathcal {V}_{ sym }\). As usual, all free variables \(v_1,\ldots ,v_n\) in \(\psi \) are implicitly universally quantified, i.e., \( mem \models \psi \) iff \( mem \models \forall v_1,\ldots , v_n. \, \psi \). The semantics of arithmetic operations and predicates as well as of first-order connectives and quantifiers are as usual. In particular, we define \( mem \models \forall v. \, \psi \) iff \( mem \models \sigma (\psi )\) holds for all instantiations \(\sigma \) where \(\sigma (v) \in \mathbb {Z}\) and \(\sigma (w) = w\) for all \(w \in \mathcal {V}_{ sym }\setminus \{v\}\).

We still have to define the semantics of \(\hookrightarrow \) and \(*\) for variable-free formulas. For \(n_1,n_2 \in \mathbb {Z}\), let \( mem \models {n_1}\hookrightarrow {n_2}\) hold iff \( mem (n_1) = n_2\) ¹⁰. The semantics of \(*\) is defined as usual in separation logic: For two partial functions \( mem _1, mem _2 : \mathbb {N}_{> 0}\rightharpoonup \mathbb {Z}\), we write \( mem _1 \bot mem _2\) to indicate that the domains of \( mem _1\) and \( mem _2\) are disjoint. If \( mem _1 \bot mem _2\), then \( mem _1 \uplus mem _2\) denotes the union of \( mem _1\) and \( mem _2\). Now \( mem \models \varphi _1 * \varphi _2\) holds iff there exist \( mem _1 \bot mem _2\) such that \( mem = mem _1 \uplus mem _2\) where \( mem _1 \models \varphi _1\) and \( mem _2 \models \varphi _2\).

B Proofs

Proof of Theorem 5 . Since the result of “mod \(2^n\)” is always in the interval \([0,2^n-1]\), we immediately obtain \(\mathsf {sig}_n(t) = ((t + 2^{n-1}) \;\text {mod}\;2^n) - 2^{n-1} \in [0-2^{n-1},2^n-1 - 2^{n-1}] = [-2^{n-1},2^{n-1}-1] = [\mathsf {smin}_{n},\mathsf {smax}_{n}]\). Moreover, we have

$$\begin{aligned} \begin{array}{ll} &{} t \;\text {mod}\;2^n\\ =&{} (t + 2^{n-1} - 2^{n-1}) \;\text {mod}\;2^n\\ =&{} (((t + 2^{n-1}) \;\text {mod}\;2^n) - 2^{n-1}) \;\text {mod}\;2^n\\ = &{} \mathsf {sig}_n(t) \;\text {mod}\;2^n. \end{array} \end{aligned}$$

    \(\square \)

Proof of Theorem 6 . We consider three cases.

Clearly, \(u < \ell \) implies \(u- \ell < 0\). Moreover, we also have \(u - \ell \ge \mathsf {min}- \mathsf {max}= -2^n + 1\), which together implies

$$\begin{aligned} -2^n< u - \ell < 0. \end{aligned}$$

(2)

Thus, we have:

This entails \( u + 1 \le \ell - 1\), i.e., \(u - \ell + 1 < 0\). Moreover, we also have \(u - \ell + 1 \ge \mathsf {min}- \mathsf {max}+ 1 = -2^n + 2\), which together implies

$$\begin{aligned} -2^n< u - \ell + 1 < 0. \end{aligned}$$

(3)

Note that \(\mathsf {max}- \ell \ge 0\) and moreover, \(\mathsf {max}- \ell < \mathsf {max}- \mathsf {min}= 2^{n} - 1\), i.e.,

$$\begin{aligned} 0 \le \mathsf {max}- \ell < 2^n. \end{aligned}$$

(4)

In addition, we have

$$\begin{aligned} \mathsf {max}= \mathsf {min}+ 2^n - 1 \le u + 2^n -1. \end{aligned}$$

(5)

Here, we obtain:

   \(\square \)

Proof of Theorem 7 . The proof of Theorem 7 is identical to the proofs of Theorems 10 and 13 in [14]. It relies on the fact that our symbolic execution rules correspond to the actual execution of LLVM when they are applied to concrete states (this also holds for the new bitvector rules of the current paper). So if a concrete state \(c\) is represented in the symbolic execution graph, then every LLVM evaluation of \(c\) corresponds to a path in the graph. The generation of an ITS from the graph is done in such a way that termination of the ITS implies that there is no such infinite path in the graph. As all integers in the symbolic execution graphs and in the ITSs are still mathematical integers, the construction of ITSs has not changed in the current paper, i.e., the corresponding proof of [14] directly carries over to the present setting.