Termination Analysis Without the Tears
Shaowei Zhu [email protected]
Princeton University, Princeton, NJ, USA
Zachary Kincaid [email protected]
Princeton University, Princeton, NJ, USA
Abstract
Determining whether a given program terminates is the quintessential undecidable problem. Algorithms for termination analysis are divided into two groups: (1) algorithms with strong behavioral guarantees that work in limited circumstances (e.g., complete synthesis of linear ranking functions for polyhedral loops [38]), and (2) algorithms that are widely applicable, but have weak behavioral guarantees (e.g., Terminator [20]). This paper investigates the space in between: how can we design practical termination analyzers with useful behavioral guarantees?
This paper presents a termination analysis that is both compositional (the result of analyzing a composite program is a function of the analysis results of its components) and monotone ("more information into the analysis yields more information out"). The paper has two key contributions. The first is an extension of Tarjan's method for solving path problems in graphs to solve infinite path problems. This provides a foundation upon which to build compositional termination analyses. The second is a collection of monotone conditional termination analyses based on this framework. We demonstrate that our tool ComPACT (Compositional and Predictable Analysis for Conditional Termination) is competitive with state-of-the-art termination tools while providing stronger behavioral guarantees.
1 Introduction

Termination is an important correctness property in itself, and is a sub-problem of proving total correctness, liveness properties [12, 15, 17–19], and bounds on resource usage [1, 13, 31, 32, 43]. Determining whether a program terminates is undecidable, and so progress on automated tools for termination analysis is driven by heuristic reasoning techniques. While these heuristics are often effective in practice, they can be brittle and unpredictable. For example, termination analyzers may themselves fail to terminate on some input programs, or report false alarms, or return different results for the same input, or suffer from "butterfly effects", in which a small change to the program's source code drastically changes the analysis.

This paper is motivated by the principle that changes to a program should have a predictable impact on its analysis. We develop a style of termination analysis that achieves two particular desiderata:

- Compositionality: composite programs are analyzed by analyzing their sub-components and then combining the results. Compositionality implies that changing part of a program only changes the analysis of that part. It enables prompt user interaction, since an analysis need not reanalyze the whole program to respond to a program change.
- Monotonicity: more information into the analysis yields more information out. Monotonicity implies that certain actions, e.g., a user annotating a procedure with additional pre-conditions, or an abstract interpreter instrumenting loop invariants into a program, cannot degrade analysis results.

Our approach is based on the paradigm of algebraic program analysis [26, 45, 46].
An algebraic program analysis is described by an algebraic structure in which the elements represent properties of finite program executions and the operations compose those properties via sequencing, choice, and iteration (mirroring the structure of regular expressions). To verify a safety property, an algebraic program analyzer computes a regular expression recognizing all paths through a program to a point of interest, interprets the regular expression within the given structure, and checks whether the resulting property entails a property of interest.

In this paper, we extend the algebraic approach to reason about infinite program paths, and thereby provide a conceptual and algorithmic basis for compositional analysis of liveness properties such as termination. Conceptually, our method proves that a program terminates by computing for each loop a transition formula that over-approximates the behavior of its body, and then proving that the corresponding relation admits no infinite sequences. (Our approach is not unique in this regard (see Section 8); we provide a unifying foundation for such analyses.)

A drawback of using summaries to prove termination is that the loop body summary over-approximates its behavior, and so the summary may not terminate even if the original loop does. The advantage is that we can reason about the summary effectively, whereas any non-trivial question about the behavior of the original loop is undecidable; this is the key idea that enables the design of monotone termination analyses.

A particular challenge of compositional termination analysis is that termination arguments must be synthesized independently of the surrounding context of the loop (that is, without supporting invariants). We meet this challenge with a set of methods that exploit loop summarization to generate monotone conditional termination arguments.
These methods synthesize both a termination argument and an initial condition under which that argument holds, with the latter acting as a surrogate for a supporting invariant.

Contributions.
The contributions of this paper are:

- A framework for designing compositional analyses of infinite program paths. This framework extends Tarjan's method for solving path problems [45, 46] from finite to infinite paths.
- An efficient algorithm for computing an ω-regular expression that recognizes the infinite paths through a control flow graph, which forms the algorithmic foundation of our program analysis framework.
- The first termination analysis that is compositional, monotone, and applies to a general program model. We present a set of combinators for constructing a family of such (conditional) termination analyses based on our framework. In particular, we introduce phase analysis, which improves the precision of a given conditional termination analysis by partitioning the space of transitions in a loop into phases.
2 Overview

In Section 5, we define an algebraic framework for analyzing liveness properties of programs. An analysis proceeds in two steps: (1) compute an ω-regular expression that recognizes the paths through a program, and (2) interpret that ω-regular expression with an algebraic structure corresponding to a program analysis of interest.

We illustrate this process in Figure 1. Consider the example program given by its control flow graph (CFG) in Figure 1b (concrete syntax for the CFG is given in Figure 1a). Note that conditional control flow is encoded as assumptions, which do not change the program variables but can only be executed if the assumed condition holds (e.g., if the program is in a state where m is less than step then it may execute the assumption [m < step], otherwise it is blocked).

Step 1: Compute an ω-path expression. Recall the syntax of regular (RegExp(Σ)) and ω-regular (ω-RegExp(Σ)) expressions over an alphabet Σ (see e.g. [5], Ch. 4):

  a ∈ Σ
  e ∈ RegExp(Σ) ::= a | 0 | 1 | e + e | e e | e*
  f ∈ ω-RegExp(Σ) ::= e^ω | e f | f + f

(0 recognizes the empty language, 1 recognizes the empty word, + corresponds to union, juxtaposition (or ·) to concatenation, * to unbounded repetition, and ω to infinite repetition.) Taking the alphabet Σ to be the set of edges in a given control flow graph, a regular set of finite paths can be represented by a regular expression, and a regular set of infinite paths can be recognized by an ω-regular expression; we call such regular expressions (ω-)path expressions.

Using the algorithm described in Section 4, we can compute an ω-path expression that represents all infinite paths in the graph that begin at the entry vertex r (Figure 1d). The ω-path expression can be represented efficiently as a directed acyclic graph (DAG), where each leaf is labeled by a control flow edge, each internal node with an operator, and edges are drawn from operators to operands (Figure 1c). Observe that each node in the DAG corresponds to either a regular expression (white nodes) or an ω-regular expression (gray nodes).

Step 2: Interpretation.
The result of a particular analysis is computed by interpreting a path expression for a program within some abstract domain. The domain consists of (1) a regular algebra, which is equipped with choice, concatenation, and iteration operators and which can be used to interpret regular expressions, and (2) an ω-regular algebra, which is equipped with choice, concatenation, and ω-iteration operators, and which can be used to interpret ω-regular expressions.

Our main interest in this paper is in a family of termination analyses. In this family, the regular algebra is the algebra of transition formulas, which we denote by TF. A transition formula is a logical formula over the variables of the program (in Figure 1: m, n, step) along with primed copies (m′, n′, step′), representing the program variables before and after executing a computation, respectively. The choice operation for TF is disjunction, concatenation is relational composition, and iteration over-approximates reflexive transitive closure (we define a particular iteration operator in Section 3). The ω-regular algebra is an algebra of mortal preconditions, which we denote by MP (in fact, we will define several such algebras in this paper, but they share a common structure). A mortal precondition is a state formula (over the program variables m, n, step) that is satisfied only by mortal states, from which the program must terminate. The choice operation for MP is conjunction (a mortal state must be mortal on all paths), concatenation is weakest precondition (a state is mortal only if it can reach only mortal states), and ω-iteration computes a mortal precondition for a transition formula (we will define several mortal precondition operators in Section 6).
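To make the two-algebra structure concrete, here is a toy instance over a small finite state space: regular expressions are interpreted as relations (choice = union, concatenation = relational composition, * = reflexive transitive closure), and ω-regular expressions as sets of mortal states, mirroring the shape of the TF/MP pair. This is an illustrative sketch, not the paper's symbolic domains; all class and function names are ours.

```python
from dataclasses import dataclass

# AST nodes mirroring the (omega-)regular expression grammar.
@dataclass(frozen=True)
class Letter:
    rel: frozenset          # a leaf: already an element of the algebra

@dataclass(frozen=True)
class Cat:                  # e1 e2  (or  e f  at the omega level)
    left: object
    right: object

@dataclass(frozen=True)
class Union:                # e1 + e2  (or  f1 + f2)
    left: object
    right: object

@dataclass(frozen=True)
class Star:                 # e*
    body: object

@dataclass(frozen=True)
class Omega:                # e^omega
    body: object

STATES = range(5)

def compose(r1, r2):        # relational composition (concatenation)
    return frozenset((s, u) for (s, t) in r1 for (t2, u) in r2 if t == t2)

def star(r):                # reflexive transitive closure (iteration)
    out = frozenset((s, s) for s in STATES)
    while True:
        new = compose(out, r) - out
        if not new:
            return out
        out |= new

def mortal(r):
    """omega-iteration: states from which no infinite r-run exists."""
    immortal = set(STATES)
    while True:             # greatest fixpoint
        keep = {s for s in immortal
                if any((s, t) in r and t in immortal for t in STATES)}
        if keep == immortal:
            return frozenset(STATES) - immortal
        immortal = keep

def wp(r, m):
    """Concatenation in the omega algebra: may reach only mortal states."""
    return frozenset(s for s in STATES
                     if all(t in m for (s2, t) in r if s2 == s))

def reg(e):                 # interpret regular nodes ("white" nodes)
    if isinstance(e, Letter): return e.rel
    if isinstance(e, Cat):    return compose(reg(e.left), reg(e.right))
    if isinstance(e, Union):  return reg(e.left) | reg(e.right)
    if isinstance(e, Star):   return star(reg(e.body))

def omg(f):                 # interpret omega nodes ("gray" nodes)
    if isinstance(f, Omega):  return mortal(reg(f.body))
    if isinstance(f, Cat):    return wp(reg(f.left), omg(f.right))
    if isinstance(f, Union):  return omg(f.left) & omg(f.right)

dec  = Letter(frozenset((s, s - 1) for s in STATES if s > 0))  # terminates
spin = Letter(dec.rel | {(0, 0)})                              # diverges
assert omg(Omega(dec))  == frozenset(STATES)   # every state is mortal
assert omg(Omega(spin)) == frozenset()         # no state is mortal
```

At the symbolic level, TF and MP play the roles of these relation and state-set algebras, with logical entailment and quantification replacing the explicit set operations.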
We compute a mortal precondition for a program by traversing its ω-path expression DAG from the bottom up, using TF to interpret regular expression operators and MP to interpret ω-regular expression operators.

We illustrate a selection of the interpretation steps. We use T⟦−⟧ and Tω⟦−⟧ to denote the interpretation of regular and ω-regular expressions, respectively. For the leaves of the path expression DAG, we may simply encode the meaning of the corresponding program command into logic.

[Figure 1 spans this region. (a) The example program:

  step := 8
  while (true) do
    m := 0
    while (m < step) do
      if (n < 0) then halt
      else
        m := m + 1
        n := n - 1

(b) Its control flow graph, over vertices r, a, b, c, d, e, f, with edges labeled step := 8, m := 0, [m ≥ step], [m < step], [n < 0], [n ≥ 0], m := m + 1, and n := n - 1. (c) The ω-path expression DAG. (d) The ω-path expression itself:

  ⟨r,a⟩ ( (⟨a,b⟩ (⟨b,c⟩⟨c,d⟩⟨d,e⟩⟨e,b⟩)* ⟨b,a⟩)^ω
        + (⟨a,b⟩ (⟨b,c⟩⟨c,d⟩⟨d,e⟩⟨e,b⟩)* ⟨b,a⟩)* (⟨b,c⟩⟨c,d⟩⟨d,e⟩⟨e,b⟩)^ω )

where the first summand is the outer loop repeated forever and the second eventually remains in the inner loop forever.]

Figure 1.
An example program, its control flow graph, and a corresponding ω-path expression.

For example, the transition formulas for the edges ⟨c,d⟩ and ⟨d,e⟩ (corresponding to the commands [n ≥ 0] and m := m + 1, resp.) are:

  T⟦⟨c,d⟩⟧ = n ≥ 0 ∧ m′ = m ∧ n′ = n ∧ step′ = step
  T⟦⟨d,e⟩⟧ = m′ = m + 1 ∧ n′ = n ∧ step′ = step

Proceeding up the DAG, we compute a transition formula for the regular expression ⟨c,d⟩⟨d,e⟩ by taking the relational composition of T⟦⟨c,d⟩⟧ and T⟦⟨d,e⟩⟧:

  T⟦⟨c,d⟩⟨d,e⟩⟧ = T⟦⟨c,d⟩⟧ ◦ T⟦⟨d,e⟩⟧ ≡ n ≥ 0 ∧ m′ = m + 1 ∧ n′ = n ∧ step′ = step

Similarly, we sequence T⟦⟨c,d⟩⟨d,e⟩⟧ with T⟦⟨b,c⟩⟧ on the left and T⟦⟨e,b⟩⟧ on the right to get a summary for the body of the inner loop inner ≜ ⟨b,c⟩⟨c,d⟩⟨d,e⟩⟨e,b⟩:

  T⟦inner⟧ ≡ m < step ∧ n ≥ 0 ∧ m′ = m + 1 ∧ n′ = n − 1 ∧ step′ = step

The inner node has two parents, corresponding to inner* and inner^ω. For the first, we over-approximate the transitive closure of the formula T⟦inner⟧:

  T⟦inner*⟧ ≡ ∃k. ( (k = 0 ∨ (k ≥ 1 ∧ m < step ∧ n ≥ 0 ∧ m′ ≤ step ∧ n′ ≥ −1))
                    ∧ m′ = m + k ∧ n′ = n − k ∧ step′ = step )

For the second, we compute a mortal precondition for the formula T⟦inner⟧. Observing that (step − m) is a ranking function for this loop (i.e., the difference between step and m is non-negative and decreasing), we may simply take Tω⟦inner^ω⟧ = true (the inner loop terminates starting from any state).

Now consider the ω-node corresponding to the outer loop, outer = ⟨a,b⟩ inner* ⟨b,a⟩. This loop illustrates a trade-off of compositionality.
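As an aside, the closed form computed for T⟦inner*⟧ can be sanity-checked against concrete executions of the inner loop. The script below (helper names are ours; this is an illustration, not a proof) simulates the loop body and checks that every reachable pair of states satisfies the closed form:

```python
# F is the inner-loop body summary:  m < step ∧ n >= 0 ∧
# m' = m + 1 ∧ n' = n - 1 ∧ step' = step.  The differences are
# constant (delta_m = 1, delta_n = -1, delta_step = 0), so F^k
# should entail the closed form used in T[[inner*]].
def step_once(state):
    m, n, st = state
    if m < st and n >= 0:            # guard of the loop body
        return (m + 1, n - 1, st)
    return None                      # transition is blocked

def in_closed_form(s0, s1, k):
    """Check (s0, s1) against the closed form for k iterations."""
    (m, n, st), (m2, n2, st2) = s0, s1
    recurrence = m2 == m + k and n2 == n - k and st2 == st
    pre = (k == 0) or (m < st and n >= 0)   # Pre(F) part, when k >= 1
    return recurrence and pre

s0 = (0, 10, 8)                      # m = 0, n = 10, step = 8
cur, k = s0, 0
while (nxt := step_once(cur)) is not None:
    cur, k = nxt, k + 1
    assert in_closed_form(s0, cur, k)    # F^k entails the closed form
assert k == 8                        # the loop runs step - m = 8 times
```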
On one hand, compositionality makes proving termination easier: by the time that we reach the ω-node, we have already built a transition formula that summarizes the body of the outer loop. Despite the fact that the body contains an inner loop, we can use a theorem prover to answer questions about its behavior (conservatively, since the summary is an over-approximation). On the other hand, compositionality makes termination proving more difficult: a compositional analysis cannot prove that n decreases at each iteration, since it does not have access to the surrounding context of the loop that initializes step to 8. In Section 6.2 we provide a method that (for this particular loop) effectively performs a case split on whether n increases, decreases, or remains constant, and generates a mortal precondition that is sufficient for all three cases: Tω⟦outer^ω⟧ = step > 0 (a conditional termination argument: the outer loop terminates as long as it begins in a state where step is positive).

Continuing up the DAG, we combine the mortal preconditions of the inner and outer loops to get Tω⟦outer^ω + outer* inner^ω⟧ ≡ step > 0. Finally, we compute a mortal precondition for the root of the DAG (and thus the whole program) by taking the weakest precondition of step > 0 under T⟦⟨r,a⟩⟧ = step′ = 8 ∧ m′ = m ∧ n′ = n, yielding the formula true. Thus, by propagating the conditional termination argument for the outer loop backwards through its context, the analysis discharges the assumption of the conditional termination argument, and verifies that the program always terminates.

3 Background

A control flow graph G = ⟨V, E, r⟩ consists of a set of vertices V, a set of directed edges E ⊆ V × V, and a root vertex r ∈ V with no incoming edges. A path in G is a finite sequence e₁e₂ . . .
eₙ ∈ E* such that for each i, the destination of eᵢ matches the source of eᵢ₊₁; an ω-path is an infinite sequence e₁e₂ · · · ∈ E^ω such that any finite prefix is a path. For any vertices u, v ∈ V, we use Paths_G(u, v) to denote the (regular) set of paths in G from u to v, and we use Paths^ω_G(u) to denote the (regular) set of ω-paths in G starting from u.

We say that a vertex u dominates a vertex v if every path from r to v includes u. Every vertex dominates itself; we say u strictly dominates v if u dominates v but u ≠ v. We say that u is the immediate dominator of v if it is the unique vertex that strictly dominates v and is dominated by every vertex that strictly dominates v. The immediate dominance relation forms a tree structure with r as the root; we use children(v) to denote the set of vertices whose immediate dominator is v. We say that G is reducible if every cycle contains an edge ⟨u, v⟩ such that v dominates u.

The syntax of linear integer arithmetic (LIA) is given as follows:

  x ∈ Variable    n ∈ ℤ
  t ∈ Term ::= x | n | n · t | t + t
  F ∈ Formula ::= t ≤ t | t = t | F ∧ F | F ∨ F | ¬F | ∃x.F | ∀x.F

Let X ⊆ Variable be a set of variables. A valuation over X is a map v : X → ℤ. If F is a formula whose free variables range over X and v is a valuation over X, then we say that v satisfies F (written v ⊨ F) if the formula F is true when interpreted over the standard model of the integers, using v to interpret the free variables. We write F ⊨ G if every valuation that satisfies F also satisfies G.

For a formula F, we use F[x ↦ t] to denote the formula obtained by substituting each free occurrence of the variable x with the term t. We use the same notation to represent parallel substitution of multiple variables by multiple terms; e.g., if X is a set of variables and X′ = {x′ : x ∈ X} is a set of "primed" versions of those variables, then F[X ↦ X′] denotes the result of replacing each variable x in X with its corresponding x′.
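Returning to the graph-theoretic definitions above: the dominance relation can be computed by a simple fixpoint iteration that follows the definition directly. This sketch is ours (production analyzers use the near-linear-time Lengauer–Tarjan algorithm instead):

```python
def dominators(vertices, edges, root):
    """Dom(v) = {v} ∪ intersection of Dom(p) over predecessors p,
    iterated to a fixpoint, with Dom(root) = {root}."""
    preds = {v: {u for (u, w) in edges if w == v} for v in vertices}
    dom = {v: set(vertices) for v in vertices}     # start from "everything"
    dom[root] = {root}
    changed = True
    while changed:
        changed = False
        for v in vertices:
            if v == root:
                continue
            new = {v} | (set.intersection(*(dom[p] for p in preds[v]))
                         if preds[v] else set())
            if new != dom[v]:
                dom[v] = new
                changed = True
    return dom

# Diamond graph: r -> a, r -> b, a -> c, b -> c.  Neither a nor b
# dominates c, so c's only strict dominator is r.
V = {"r", "a", "b", "c"}
E = {("r", "a"), ("r", "b"), ("a", "c"), ("b", "c")}
dom = dominators(V, E, "r")
assert dom["c"] == {"r", "c"}
assert dom["a"] == {"r", "a"}
```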
Substitution binds more tightly than logical connectives, so e.g., in the formula F ∧ G[x ↦ y], x is replaced with y within G, but not within F.

Let F be an LIA formula with free variables x = x₁, ..., xₙ. The convex hull of F, denoted conv(F), is the strongest (unique up to equivalence) formula of the form Ax ≥ b that is entailed by F, where A is an integer matrix and b is an integer vector. Farzan and Kincaid [26] give an algorithm for computing conv(F).

Fix a finite set Var of variables, and let Var′ = {x′ : x ∈ Var} denote a set of "primed copies", presumed to be disjoint from Var. A state formula is an LIA formula whose free variables range over Var. A transition formula is an LIA formula whose free variables range over Var ∪ Var′. We use SF and TF to denote the sets of state and transition formulas, respectively. Define a state to be a valuation over Var (the set of which we denote State) and a transition to be a valuation over Var ∪ Var′. Any pair of states s, s′ defines a transition [s, s′] which interprets each x ∈ Var as s(x) and each x′ ∈ Var′ as s′(x). A transition formula F defines a relation →_F on states, with s →_F s′ ⟺ [s, s′] ⊨ F.

Define the relational composition of two transition formulas to be the formula

  F₁ ◦ F₂ ≜ ∃Var′′. F₁[Var′ ↦ Var′′] ∧ F₂[Var ↦ Var′′].

For any k ∈ ℕ, we use F^k to denote the k-fold relational composition of F with itself. For a transition formula F and a state formula S, define the weakest precondition of S under F to be the formula

  wp(F, S) ≜ ∀Var′. F ⇒ S[Var ↦ Var′].

We use (−)★ to denote an operation that over-approximates the reflexive transitive closure of a transition formula (i.e., for any transition formula F, we have →*_F ⊆ →_{F★}). Several such operators exist [23, 26, 33, 34, 42]; here we will describe one such method, based on techniques from [4, 26].

Let x′ and x be vectors containing the variables Var′ and Var, respectively; let n = |Var| be the dimension of these vectors. In general, the transitive closure of a transition formula cannot be expressed in first-order logic. Two special cases where the transitive closure can be expressed are:

1. If F takes the form pre ∧ post, where the free variables of pre range over Var and the free variables of post range over Var′, then F is already transitively closed, so we need only to take its reflexive closure: (pre ∧ post) ∨ (⋀_{x ∈ Var} x′ = x).

2. If F takes the form Ax′ ≥ Ax + b, then for any k ∈ ℕ, we have that F^k is equivalent to Ax′ ≥ Ax + kb, and so the formula ∃k. k ≥ 0 ∧ Ax′ ≥ Ax + kb represents the reflexive transitive closure of F.

Let F be a transition formula. We cannot expect F to take one of the above forms, but we can always over-approximate F by a formula that does:

1. Let Pre(F) ≜ ∃Var′. F and let Post(F) ≜ ∃Var. F. We have that F ⊨ Pre(F) ∧ Post(F), and Pre(F) ∧ Post(F) takes form (1) above.

2. For each variable x, let δₓ denote a fresh variable which we use to represent the difference between x′ and x; we use δ to denote a vector containing the δₓ variables. The convex hull

  conv(∃Var, Var′. F ∧ ⋀_{x ∈ Var} δₓ = x′ − x)

takes the form Aδ ≥ b. Then we have F ⊨ Ax′ ≥ Ax + b, and Ax′ ≥ Ax + b takes form (2) above.

Combining (1) and (2), we define an operation exp by

  exp(F, k) ≜ ((⋀_{x ∈ Var} x′ = x) ∨ (Pre(F) ∧ Post(F))) ∧ Ax′ ≥ Ax + kb

and observe that for any k ∈ ℕ, we have that F^k ⊨ exp(F, k). Finally, we over-approximate transitive closure by existentially quantifying over the number of loop iterations:

  F★ ≜ ∃k. k ≥ 0 ∧ exp(F, k).

Lemma 3.1.
The (−)★ and exp operators are monotone in the sense that if F ⊨ G, then F★ ⊨ G★ and exp(F, k) ⊨ exp(G, k) (where k is a variable symbol).

A transition system T is a pair T = ⟨S_T, R_T⟩ where S_T is a set of states and R_T ⊆ S_T × S_T is a transition relation. We write s →_T s′ to denote that the pair ⟨s, s′⟩ belongs to R_T. We say that a state s ∈ S_T is mortal if there exists no infinite sequence s →_T s₁ →_T s₂ →_T s₃ . . . . A mortal precondition for T is a state formula such that any state that satisfies the formula is mortal.

Each transition formula F defines a transition system, where the state space is State, and where the transition relation is →_F. Define a mortal precondition operator to be a function mp : TF → SF, which given a transition formula F, computes a state formula mp(F) that is a mortal precondition for F. We say that mp is monotone if for any transition formulas F₁, F₂ with F₁ ⊨ F₂, we have mp(F₂) ⊨ mp(F₁). (Note that this definition is antitone with respect to the entailment ordering, but since weaker mortal preconditions are more desirable it is natural to order mortal preconditions by reverse entailment.)

Example 3.2.
Gonnord et al. [29] give a complete method for synthesizing linear lexicographic ranking functions (LLRFs) for transition formulas. We may define a monotone mortal precondition operator mp_LLRF as follows:

  mp_LLRF(F) ≜ true if there is an LLRF for F, and ¬Pre(F) otherwise.

The fact that mp_LLRF is monotone follows from the fact that if F₁ ⊨ F₂ then Pre(F₁) ⊨ Pre(F₂) and any LLRF for F₂ is also an LLRF for F₁, and the completeness of Gonnord et al. [29]'s LLRF synthesis procedure. ⌟

Within this paper, a program is represented as a labeled control flow graph P = ⟨G, L⟩, where G = ⟨V, E, r⟩ is a control flow graph, and L : E → TF is a function that labels each edge with a transition formula. P defines a transition system TS(P) where the state space is V × State, and where ⟨v₁, s₁⟩ →_P ⟨v₂, s₂⟩ iff ⟨v₁, v₂⟩ ∈ E and [s₁, s₂] ⊨ L(v₁, v₂).

4 ω-path expression algorithm

This section describes an algorithm for computing an ω-regular expression that recognizes all infinite paths in a graph that start at a designated vertex. The algorithm is based on Tarjan's path expression algorithm, which computes path expressions that recognize finite paths that start at a designated vertex [45]. Our algorithm operates in O(|E|α(|E|) + t) time, where α is the inverse Ackermann function and t is a technical parameter that is O(|V|) for reducible flow graphs and is at most O(|V|³) (matching the complexity of Tarjan's algorithm).

It is technically convenient to formulate our algorithms on path graphs rather than control flow graphs. A path graph for a flow graph G = ⟨V, E, r⟩ is a graph H = ⟨U, W⟩ where U ⊆ V and W ⊆ U × RegExp(E) × U is a set of directed edges labeled by regular expressions over E, and such that for every ⟨u, e, v⟩ ∈ W, e recognizes a subset of Paths_G(u, v). We say that H represents a path p from u to v (in G, with u, v ∈ U) if there is a path (w₁, e₁, w₂)(w₂, e₂, w₃) . . .
(wₙ, eₙ, wₙ₊₁) in H with w₁ = u and wₙ₊₁ = v and p is recognized by the regular expression e₁e₂ . . . eₙ. Similarly, H represents an ω-path p if there is a decomposition p = p₁p₂p₃ . . . and an ω-path (w₁, e₁, w₂)(w₂, e₂, w₃) . . . in H with pᵢ recognized by eᵢ for all i. We use PathRep_H(u, v) to denote the set of paths from u to v that are represented by H, and PathRep^ω_H(v) to denote the set of ω-paths starting at v that are represented by H. We say that H is complete for a set of edges E′ ⊆ E if:

1. For each u, v ∈ U, PathRep_H(u, v) is the set of paths from u to v in G consisting only of edges from E′.
2. For each v ∈ U, PathRep^ω_H(v) is the set of ω-paths from v in G consisting only of edges from E′, and which visit some vertex of U infinitely often.

Algorithm 1 is a naïve algorithm for computing path expressions, which is used as a sub-procedure in the main algorithm. It is a variation of the classic state elimination algorithm for converting finite automata to regular expressions. The input to Algorithm 1 is a path graph H = ⟨U, W⟩ (for some flow graph G) and a root vertex r (not necessarily the root of G); its output is a pair consisting of an ω-path expression that recognizes PathRep^ω_H(r) and a function that maps each vertex v ∈ U to a path expression that recognizes PathRep_H(r, v). The idea is to successively eliminate the outgoing edges of every vertex in the graph except the root, while preserving the set of paths (and ω-paths) emanating from vertices whose outgoing edges have not yet been removed. The algorithm operates in O(|U|³) time.

Subroutine solve-dense(H, r):
  Input: Path graph H = ⟨U, W⟩, vertex r ∈ U with no incoming edges
  Output:
Pair ⟨pe^ω, pe⟩ where pe^ω ∈ ω-RegExp(E) recognizes PathRep^ω_H(r) and pe : U → RegExp(E) maps each v ∈ U to a path expression that recognizes PathRep_H(r, v).

  /* pe(u, v) recognizes paths from u to v represented by H */
  pe ← λ⟨u, v⟩. 0
  foreach ⟨u, e, v⟩ ∈ W do pe(u, v) ← pe(u, v) + e
  /* Suppose U is ordered as U = {r = v₀, v₁, . . . , vₙ} */
  for i = n downto 1 do
    for j = i − 1 downto 0 do
      e_ji ← pe(v_j, v_i) · pe(v_i, v_i)*
      for k = n downto 0, k ≠ i do
        pe(v_j, v_k) ← pe(v_j, v_k) + e_ji · pe(v_i, v_k)
  return ⟨ Σ_{i=0}^{n} pe(r, vᵢ) · pe(vᵢ, vᵢ)^ω , λv. pe(r, v) · pe(v, v)* ⟩

Algorithm 1:
Naïve path expression algorithm

ω-path expressions in nearly linear time. Algorithm 2 is an efficient ω-path expression algorithm that exploits the sparsity of control flow graphs. The algorithm uses the dominator tree of the graph to break it into single-entry components, and uses a compressed weighted forest data structure to efficiently combine paths from different components. A compressed weighted forest is a data structure that represents a forest of vertices with edges weighted by regular expressions. The data structure supports the following operations:

- link(u, e, v): set v to be the parent of u by adding an edge from v to u labeled e (u must be a root)
- find(v): return the (unique) vertex u such that u →* v and u is a root
- eval(v): return the regular expression e₁ · · · eₙ, where u₁ —e₁→ u₂ —e₂→ · · · —eₙ→ v is the path from a root to v.

This data structure can be implemented so that each operation takes O(α(n)) amortized time, where n is the number of vertices in the forest [44].

The subroutine solve-sparse(v) returns an ω-path expression that recognizes the set of ω-paths Paths^ω_G(v) ∩ E|^ω_v, where

  E|_v ≜ {⟨u₁, u₂⟩ ∈ E : u₂ is strictly dominated by v}.

Moreover, it maintains the invariant that after completing a call to solve-sparse(v), we have that for every vertex u that is dominated by v, find(u) = v and eval(u) is a path expression that recognizes Paths_G(v, u) ∩ E|*_v.

The solve-sparse(v) subroutine is structured as a recursive traversal of the dominator tree (see Example 4.1). First, it calls solve-sparse(c) for each child c of v in the dominator tree. Next, it computes a directed graph G_v = SiblingGraph(v) whose vertices are children(v), and such that there is an edge ⟨c₁, c₂⟩ iff there is a path from c₁ to c₂ in G such that each edge (except the last) belongs to E|_{c₁}.
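The elimination scheme of Algorithm 1 is short enough to transcribe directly. The sketch below (names are ours) parameterizes it by an arbitrary regular algebra (zero, plus, times, star), so the same code can emit regular expressions or any other interpretation; it covers only the finite-path component of the algorithm's output, omitting the ω-summands:

```python
# solve-dense, finite-path part: successively eliminate vertices
# v_n, ..., v_1, accumulating path expressions from the root v_0.
def solve_dense(n, edges, alg):
    """n vertices 0..n-1 with 0 as the root; edges: {(u, v): label}."""
    zero, plus, times, star = alg
    pe = {(u, v): zero for u in range(n) for v in range(n)}
    for (u, v), w in edges.items():
        pe[u, v] = plus(pe[u, v], w)
    for i in range(n - 1, 0, -1):        # eliminate v_i
        loop_i = star(pe[i, i])
        for j in range(i):
            e_ji = times(pe[j, i], loop_i)
            for k in range(n):
                if k != i:
                    pe[j, k] = plus(pe[j, k], times(e_ji, pe[i, k]))
    return {v: times(pe[0, v], star(pe[v, v])) for v in range(n)}

# A regular algebra of (mostly unsimplified) regex strings:
def r_plus(a, b):
    return a if b == "0" else b if a == "0" else f"({a}+{b})"

def r_times(a, b):
    if a == "0" or b == "0":
        return "0"
    return b if a == "1" else a if b == "1" else f"{a}{b}"

def r_star(a):
    return "1" if a == "0" else f"({a})*"

REGEX = ("0", r_plus, r_times, r_star)

# Graph: 0 --a--> 1, 1 --b--> 1 (self-loop), 1 --c--> 2.
pes = solve_dense(3, {(0, 1): "a", (1, 1): "b", (1, 2): "c"}, REGEX)
assert pes[1] == "a(b)*"      # paths from the root to vertex 1
assert pes[2] == "a(b)*c"     # then one c-step to vertex 2
```

The ω-half of the return value would additionally sum pe(0, vᵢ) · pe(vᵢ, vᵢ)^ω over all vertices, following the last line of Algorithm 1.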
The edges of SiblingGraph(v) can be computed efficiently as

  {⟨find(u), c⟩ : c, find(u) ∈ children(v), ⟨u, c⟩ ∈ E}.

The correctness argument for the edge computation is as follows. If there is a path from c₁ to c₂ consisting of E|_{c₁} edges, it takes the form π⟨u, c₂⟩ for some ⟨u, c₂⟩ in E, with π ⊆ E|*_{c₁} a path from c₁ to u. Since π ends at u and consists only of E|_{c₁}-edges, u is dominated by c₁. Since solve-sparse(v) calls solve-sparse(c₁) before constructing SiblingGraph, we must have find(u) = c₁ by the invariants of solve-sparse.

Next, solve-sparse computes the strongly connected components of G_v and processes them in topological order. The loop (lines 9–16) maintains the invariant that when processing a component C, for every sibling node u that is topologically ordered before C, we have that find(u) = v and that eval(u) recognizes Paths_G(v, u) ∩ E|*_v. To process a component C, we form a path graph G_C = ComponentGraph(C) whose vertices are C ∪ {v} and that is complete for E|_v, computing a path expression C-pe(u) for each u ∈ C that recognizes Paths_G(v, u) ∩ E|*_v using solve-dense, and then linking u to v with the path expression C-pe(u) in the compressed weighted forest. The edges of ComponentGraph(C) are obtained by collecting all weighted edges of the form ⟨find(w), eval(w), u⟩ such that u ∈ C and ⟨w, u⟩ ∈ E; the fact that G_C is complete for E|_v follows from the loop invariant, using an argument analogous to the correctness argument
for the SiblingGraph construction above. Finally, we return an ω-path expression which is the sum of (line 13) the ω-path expressions for each component and (line 16) an ω-path expression for each child c, pre-concatenated with a path expression recognizing Paths_G(v, c) ∩ E|*_v.

[Figure 2 spans this region: (a) an example control flow graph with vertices 1–5 and edges labeled a–g; (b) its dominator tree rooted at 1; (c) the compressed weighted forest built by solve-sparse; (d) SiblingGraph(1); (e) ComponentGraph({2}); (f) ComponentGraph({3, 4}).]

Figure 2. Operation of solve-sparse on an example control flow graph.

Example 4.1.
Figure 2 illustrates the operation of solve-sparse. Figure 2a depicts a control flow graph, whose dominator tree appears in Figure 2b (for legibility, we refer to edges by label rather than by their endpoints). Consider the operation of solve-sparse(1). The compressed weighted forest after calling solve-sparse on 1's children appears in Figure 2c (at this point, the only link is from 5 to 4, with weight f; the other links are added later). The sibling graph for 1 is given in Figure 2d; observe that it has two strongly connected components, {2} and {3, 4}, with {2} ordered topologically before {3, 4}. The loop (lines 9-16) processes {2} first, producing the component graph in Figure 2e. Then 2 is linked to 1 in the compressed weighted forest (dashed edge of Figure 2c) with the regular expression ac* (the paths from 1 to 2 represented by ComponentGraph({2})). Next, the loop processes the {3, 4} component, producing the component graph in Figure 2f; note that the edge ⟨2, 4⟩ of G produces the edge from 1 to 4 labeled ac*d (since find(2) = 1 and eval(2) = ac*), and the edge ⟨5, 3⟩ produces the edge from 4 to 3 labeled fg (since find(5) = 4). Finally, solve-sparse returns the sum of solve-dense(G_{{2}}, 1) and solve-dense(G_{{3,4}}, 1), which is the ω-path expression (ac*d + be)(fge)^ω + ac^ω. ⌟

Algorithm 2 operates in O(|E| α(|E|) + t) time, where t is the time taken by the calls to solve-dense. For reducible flow graphs, each sibling graph is a singleton (see [45]), so the complexity simplifies to O(|E| α(|E|)).
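The core task delegated to solve-dense, computing a regular expression for the paths between two vertices, can be sketched with classical state elimination. The sketch below is a simple stand-in for solve-dense (not Tarjan's algorithm), run on the control flow graph of Figure 2a; the vertex numbering and edge labels follow that figure.

```python
import re
from itertools import product

# Edge-labeled CFG from Figure 2a (vertex numbering and labels as in the figure).
EDGES = {(1, 2): "a", (2, 2): "c", (2, 4): "d", (1, 3): "b",
         (3, 4): "e", (4, 5): "f", (5, 3): "g"}

def union(r, s):
    """Regex union, treating None as the empty language."""
    if r is None: return s
    if s is None: return r
    return f"(?:{r}|{s})"

def path_expression(edges, src, dst):
    """Regex recognizing the label sequences of all src -> dst paths."""
    label = {}
    for (u, v), a in edges.items():
        label[(u, v)] = union(label.get((u, v)), a)
    # Eliminate every state except src and dst, rerouting paths through it.
    for q in sorted({u for e in edges for u in e} - {src, dst}):
        loop = f"(?:{label[(q, q)]})*" if (q, q) in label else ""
        ins = [(u, r) for (u, v), r in label.items() if v == q and u != q]
        outs = [(v, r) for (u, v), r in label.items() if u == q and v != q]
        for (u, r1), (v, r2) in product(ins, outs):
            label[(u, v)] = union(label.get((u, v)), f"{r1}{loop}{r2}")
        label = {e: r for e, r in label.items() if q not in e}
    # Assemble the src -> dst expression from the two remaining states.
    sd, ds = label.get((src, dst)), label.get((dst, src))
    ss, dd = label.get((src, src)), label.get((dst, dst))
    if sd is None:
        return None
    pre = f"(?:{ss})*" if ss else ""
    back = union(dd, f"{ds}{pre}{sd}") if ds else dd
    post = f"(?:{back})*" if back else ""
    return f"{pre}{sd}{post}"
```

On the Figure 2 graph, `path_expression(EDGES, 1, 4)` yields a regex equivalent to (ac*d + be)(fge)*, matching the path expression for Paths_G(1, 4) used in Example 4.1.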
  PathExp^ω_G(r):
    Input: graph G = ⟨V, E⟩ and root vertex r
    Output: an ω-path expression recognizing Paths^ω_G(r)
    children ← dominator tree for G
    initialize the compressed weighted forest with vertices V
    return solve-sparse(r)

  Subroutine solve-sparse(v):
    Input: vertex v ∈ V
    Output: an ω-path expression recognizing Paths^ω_G(v) ∩ E|^ω_v
    foreach child c ∈ children(v) do
      child-pe^ω(c) ← solve-sparse(c)
    G_v ← SiblingGraph(v)
    pe^ω ← 0   /* accumulating ω-path expression */
    foreach s.c.c. C of G_v in topological order do
      G_C ← ComponentGraph(C)
      ⟨C-pe^ω, C-pe⟩ ← solve-dense(G_C, v)
      pe^ω ← pe^ω + C-pe^ω
      foreach u ∈ C do
        link(u, C-pe(u), v)
        pe^ω ← pe^ω + C-pe(u) · child-pe^ω(u)
    return pe^ω

Algorithm 2: An ω-path expression algorithm

This section describes the process of interpreting an (ω-)regular expression within a suitable algebraic structure. As a particular case of interest, we show how to apply the algebraic framework to termination analysis.

An abstract interpretation over an alphabet Σ consists of a triple I = ⟨A, B, L⟩, where A is a regular algebra, B is an ω-regular algebra over A, and L : Σ → A is a semantic function. A regular algebra A = ⟨A, 0_A, 1_A, +_A, ·_A, *_A⟩ is an algebraic structure equipped with two distinguished elements 0_A, 1_A ∈ A, two binary operations +_A and ·_A, and a unary operation (−)^{*_A}. An ω-algebra over A is a 4-tuple B = ⟨B, ._B, +_B, ω_B⟩ consisting of a universe B, an operation
._B : A × B → B, an operation +_B : B × B → B, and an operation (−)^{ω_B} : A → B. A semantic function L : Σ → A maps the letters of Σ into the regular algebra A.

Given an abstract interpretation I = ⟨A, B, L⟩ over an alphabet Σ, we can evaluate any regular expression e over Σ to an element I⟦e⟧ of A and any ω-regular expression f over Σ to an element I^ω⟦f⟧ of B by interpreting each letter according to the semantic function and each (ω-)regular operator using its corresponding operator in A or B:

  I⟦a⟧ ≜ L(a) for a ∈ Σ
  I⟦0⟧ ≜ 0_A
  I⟦1⟧ ≜ 1_A
  I⟦e_1 e_2⟧ ≜ I⟦e_1⟧ ·_A I⟦e_2⟧
  I⟦e_1 + e_2⟧ ≜ I⟦e_1⟧ +_A I⟦e_2⟧
  I⟦e*⟧ ≜ I⟦e⟧^{*_A}
  I^ω⟦e^ω⟧ ≜ I⟦e⟧^{ω_B}
  I^ω⟦e.f⟧ ≜ I⟦e⟧ ._B I^ω⟦f⟧
  I^ω⟦f_1 + f_2⟧ ≜ I^ω⟦f_1⟧ +_B I^ω⟦f_2⟧

If an ω-path expression f is represented by a DAG with n nodes, we can process the DAG bottom-up (as in Section 2) to compute I^ω⟦f⟧ in O(n) operations of A and B.

In this paper, we are primarily interested in applying the above algebraic framework to termination analysis. The fundamental operation of interest is the ω-iteration operator. Fix a mortal precondition operator mp : TF → SF. We define a regular algebra of transition formulas, TF, and an ω-regular algebra of mortal preconditions, MP. The universe of TF is the set of transition formulas, and the universe of MP is the set of state formulas. The operations are given below:

  0_TF ≜ false
  1_TF ≜ ⋀_{x ∈ Var} x′ = x
  F_1 +_TF F_2 ≜ F_1 ∨ F_2
  F_1 ·_TF F_2 ≜ F_1 ∘ F_2
  F^{*_TF} ≜ F^★
  F^{ω_MP} ≜ mp(F)
  F ._MP S ≜ wp(F, S)
  S_1 +_MP S_2 ≜ S_1 ∧ S_2

Let P = ⟨G, L⟩ be a labeled control flow graph, which defines a transition system TS(P).
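The ⟨TF, MP⟩ interpretation can be made concrete with a toy instantiation. In the sketch below (an illustrative assumption, not the symbolic implementation used in the paper), transition formulas are modeled as relations over a small finite state space, state formulas as sets of states, and mp is computed exactly by cycle reachability:

```python
# Toy finite-state model of the TF/MP abstract interpretation: transition
# "formulas" are relations over STATES, state "formulas" are sets of states.
STATES = range(5)  # illustrative finite state space (an assumption of this sketch)

zero_tf = frozenset()                              # 0_TF = false
one_tf = frozenset((s, s) for s in STATES)         # 1_TF = identity
def plus_tf(f1, f2): return f1 | f2                # +_TF = union
def dot_tf(f1, f2):                                # ._TF = relational composition
    return frozenset((s, u) for (s, t) in f1 for (t2, u) in f2 if t == t2)
def star_tf(f):                                    # *_TF = refl.-transitive closure
    r = one_tf
    while True:
        r2 = plus_tf(r, dot_tf(r, f))
        if r2 == r:
            return r
        r = r2

def mp(f):
    """Mortal precondition: states from which every f-path is finite. In a
    finite system, s has an infinite path iff s can reach an f-cycle."""
    fstar = star_tf(f)
    on_cycle = {t for t in STATES if (t, t) in dot_tf(f, fstar)}
    return frozenset(s for s in STATES
                     if not any((s, t) in fstar for t in on_cycle))

def wp(f, post):                                   # ._MP = weakest precondition
    return frozenset(s for s in STATES
                     if all(t in post for (u, t) in f if u == s))
def plus_mp(s1, s2): return s1 & s2                # +_MP = conjunction

# Generic bottom-up interpreter for (omega-)regular expression ASTs, where
# a "sym" leaf carries its own semantic value (the semantic function L).
def interp(e):
    op = e[0]
    if op == "sym": return e[1]
    if op == "alt": return plus_tf(interp(e[1]), interp(e[2]))
    if op == "cat": return dot_tf(interp(e[1]), interp(e[2]))
    if op == "star": return star_tf(interp(e[1]))

def interp_omega(f):
    op = f[0]
    if op == "omega": return mp(interp(f[1]))      # F^omega -> mp(F)
    if op == "cat": return wp(interp(f[1]), interp_omega(f[2]))
    if op == "alt": return plus_mp(interp_omega(f[1]), interp_omega(f[2]))
```

For a count-down relation {(i, i−1) : i > 0} every state is mortal, so interpreting its ω-iteration yields all of STATES; adding a self-loop at 0 makes every state able to reach a cycle, so the mortal precondition collapses to the empty set.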
Let r be the root of G. Using the algorithm in Section 4, we can compute an ω-regular expression that recognizes all ω-paths in G beginning at r. By interpreting this expression (as above) under the abstract interpretation T ≜ ⟨TF, MP, L⟩, we can under-approximate the mortal initial states of TS(P). The correctness of this strategy is formalized below.

Proposition 5.1 (Soundness). Let P = ⟨G, L⟩ be a labeled CFG, let r be the root of G, and let PathExp^ω_G(r) be an ω-path expression recognizing Paths^ω_G(r). Then T^ω⟦PathExp^ω_G(r)⟧ is a mortal precondition for TS(P), in the sense that for any s |= T^ω⟦PathExp^ω_G(r)⟧, we have that ⟨r, s⟩ is a mortal state of TS(P). In particular, if T^ω⟦PathExp^ω_G(r)⟧ is valid, then the program P has no infinite executions.

Proposition 5.2 (Monotonicity). Suppose that mp is a monotone mortal precondition operator, and MP and TF are defined as above. Let f ∈ ω-RegExp(E), and let L_1, L_2 : E → TF be semantic functions such that for all e ∈ E, L_1(e) |= L_2(e). Define T_1 ≜ ⟨TF, MP, L_1⟩ and T_2 ≜ ⟨TF, MP, L_2⟩. Then T_2^ω⟦f⟧ |= T_1^ω⟦f⟧.

Our algebraic framework extends to the inter-procedural case using the method of Cook et al. [21]. The essential idea is that infinite paths through a multi-procedure program (including paths that are infinite due to the presence of recursion) can be captured by an ω-regular expression, by interpreting call edges using procedure summaries, and by encoding transfer of control between procedures using additional edges. No additional work is required on the part of the analysis designer to extend an algebraic termination analysis to the inter-procedural case: the same analysis that is used to prove conditional termination for loops can also be applied to recursive functions. Monotonicity results extend to the inter-procedural case as well.
The inter-procedural case is discussed in more detail in the appendix (see supplementary material).

This section describes combinators that construct monotone mortal precondition operators. A common theme to all is to take advantage of the properties of our algebraic framework (compositionality and monotonicity, in particular).
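Before developing the operators, it is useful to fix intuition with a concrete, brute-force computation of mortal states. The sketch below (a hypothetical toy using bounded simulation rather than the symbolic reasoning developed in this section) computes the mortal states of the loop while (x ≠ 0): x := x − 2 over a window of integers:

```python
def mortal_by_simulation(x0, fuel=100):
    """Return True if the loop `while (x != 0): x := x - 2` provably halts
    from x0 within `fuel` steps. (Bounded simulation is only a sound proof
    of mortality when, as here, terminating runs are known to be short.)"""
    x = x0
    for _ in range(fuel):
        if x == 0:
            return True
        x -= 2
    return False

# The mortal states in [-20, 20] are exactly the non-negative even integers,
# agreeing with the precondition derived symbolically for this loop below.
mortal = {x for x in range(-20, 21) if mortal_by_simulation(x)}
```

Any candidate mortal precondition operator applied to this loop can be checked against such a reference set on a bounded window of states.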
Summarizing loops using an over-approximate transitive closure operator is an integral component of our algebraic framework. This section demonstrates that loop summarization can also be exploited to construct a mortal precondition operator; i.e., an algebraic analysis for safety can be extended to prove termination without any additional burden on the analysis designer.

Let F be a transition formula. A sufficient (but not necessary) condition for a state s of F to be mortal is that there is a bound on the length of any execution starting from s; that is, there is some k such that for all s′ with [s, s′] |= F^k, s′ has no F-successors. This condition is not decidable, but it can be under-approximated using the procedure exp described in Section 3.3 (or any other method for over-approximating the iterated behavior of a transition formula); this yields the following mortal precondition operator:

  mp_exp(F) ≜ ∃k. ∀Var′, Var′′. k ≥ 0 ∧ (exp(F, k) ⇒ ¬G)

where G ≜ F[Var ↦ Var′, Var′ ↦ Var′′]. The fact that mp_exp is monotone follows from the monotonicity of quantification, conjunction, and the exp operator, and the fact that F and exp(F, k) appear in negative positions in the formula.

Example 6.1. Consider the loop while (x ≠ 0): x := x - 2, with corresponding transition formula F ≜ x ≠ 0 ∧ x′ = x − 2. We have exp(F, k) ≡ x′ = x − 2k, and mp_exp computes the exact precondition for termination of the loop:

  mp_exp(F) = ∃k. ∀x′, x′′. k ≥ 0 ∧ (x′ = x − 2k ⇒ ¬(x′ ≠ 0 ∧ x′′ = x′ − 2))
            ≡ ∃k. k ≥ 0 ∧ x − 2k = 0
            ≡ x is a non-negative even number. ⌟

This section describes a phase analysis combinator that improves the precision of a given mortal precondition operator. The idea is to extract a phase transition graph from a transition formula, in which each vertex represents a phase of a loop, and each edge represents a phase transition. Using the algebraic framework from Section 5 and a given mortal precondition operator mp, we compute a mortal precondition for the phase transition graph, which (under mild assumptions) is guaranteed to be weaker than applying mp to the original transition formula. An important feature of phase analysis is that it can address the challenge of generating conditional termination arguments: even if some phases do not terminate, we can still use phase analysis to synthesize non-trivial mortal preconditions.

Let F be a transition formula. We say that a transition formula p is F-invariant if, should some transition of F satisfy p, then so too must any subsequent transition; that is, the following entailment holds:

  (F ∧ p) ∧ F[Var, Var′ ↦ Var′, Var′′] |= p[Var, Var′ ↦ Var′, Var′′].

Let P be a fixed set of transition formulas (e.g., in our implementation, we take P to be the set of all direction predicates, P = {x ⊲⊳ x′ : x ∈ Var, ⊲⊳ ∈ {<, =, >}}). Let I(F, P) denote the F-invariant subset of P; I(F, P) can be computed by checking the invariance condition for each formula in P using an SMT solver. The set of predicates I(F, P) defines a partition 𝒫(
F, P) of the set of transitions of F, where each cell corresponds to a valuation of the predicates in I(F, P) (i.e., each cell has the form F ∧ (⋀_{p ∈ X} p) ∧ (⋀_{p ∈ I(F,P)∖X} ¬p), where X is a subset of I(F, P)). Since the predicates in I(F, P) are F-invariant, this partition has the property that any infinite computation of F must eventually lie within a single cell of the partition.

Define the phase transition graph Phase(F, P) to be a labeled control flow graph where the vertices are the cells of the partition 𝒫(F, P) plus a root vertex s, and which has the following properties: (1) each cell has a self-loop, labeled by the cell; (2) if cell F_j can immediately follow F_i (i.e., F_i ∘ F_j is satisfiable), there is an edge from F_i to F_j labeled 1_TF; (3) there is an edge from s to every cell, labeled by 1_TF. The idea is that any infinite sequence s_0 →_F s_1 →_F ··· corresponds to an ω-path starting from s in the graph. Observe that this property is maintained if we relax conditions (2) and (3) so that we require only 1_TF-labeled paths rather than edges; call a phase transition graph reduced if it satisfies the relaxed conditions and the number of edges is minimal. An algorithm that constructs a reduced phase transition graph is given in Algorithm 3.

  Subroutine phase-transition-graph(F, P):
    Input: formula F, set of transition predicates P
    Output: reduced phase transition graph for F and P
    /* S is the set of literals for F-invariant predicates in P */
    S ← I(F, P) ∪ {¬p : p ∈ I(F, P)}
    /* Compute the cells of 𝒫(F, P) */
    n ← 0
    while F ∧ ⋀_{i=1}^{n} ¬F_i is SAT do
      select a model t with t |= F ∧ ⋀_{i=1}^{n} ¬F_i
      n ← n + 1
      F_n ← F ∧ ⋀{p ∈ S : t |= p}
    /* Compute phase transitions */
    sort F_1, ..., F_n so that possible phase transitions go from lower to higher index
    E ← {}
    for i = 1 to n do
      for j = i − 1 downto 1 do
        if ⟨F_j, F_i⟩ ∉ E* and F_j ∘ F_i is SAT then
          E ← E ∪ {⟨F_j, F_i⟩}
    /* Connect virtual start node s to unreachable vertices */
    E ← E ∪ {⟨s, F_i⟩ : ∄j. ⟨F_j, F_i⟩ ∈ E}
    E ← E ∪ {⟨F_i, F_i⟩ : 1 ≤ i ≤ n}   /* add self-loops */
    L ← λ(F_i, F_j). if i = j then F_i else 1_TF
    return ⟨⟨{s, F_1, ..., F_n}, E, s⟩, L⟩

Algorithm 3: Phase transition graph construction

We now define the phase analysis combinator. Suppose that mp is a mortal precondition operator; define the mortal precondition operator mp_Phase(P, mp) as follows. Let F be a transition formula. Construct the (reduced) phase transition graph ⟨G = ⟨V, E, s⟩, L⟩ using Algorithm 3. Compute an ω-path expression PathExp^ω_G(s) for G as in Section 4. Define an abstract interpretation T ≜ ⟨TF, MP, L⟩, where the (−)^{ω_MP} operator is taken to be mp. Finally, define mp_Phase(P, mp)(F) ≜ T^ω⟦PathExp^ω_G(s)⟧.

Theorem 6.2 (Soundness). Let mp be a mortal precondition operator and let P be a set of transition predicates. Then mp_Phase(P, mp) is a mortal precondition operator.

Theorem 6.3 (Monotonicity). Let mp be a monotone mortal precondition operator and let P be a set of transition predicates. Suppose that for any transition formula F, we have wp(F^★, mp(F)) = mp(F). Then the mortal precondition operator mp_Phase(P, mp) is monotone.

Example 6.4.
Consider the loop in Figure 3. The loop does not always terminate, so mp_LLRF (Example 3.2) computes a trivial mortal precondition (x ≤ 0). Observe that once we execute the then branch, we cannot ever execute the else branch; the opposite is also true. Within the then branch, the variable x may increase (or remain constant) for some transient period, but then must ultimately decrease. This structure is depicted in the phase transition graph in Figure 3c.

Although the original loop has no linear lexicographic ranking function, the two phases in the then branch do: −y is a ranking function for phase a and x is a ranking function for phase b. The else branch does not, and so mp_LLRF applied to the phase transition graph generates a mortal precondition of the form x ≤ 0 ∨ f ≥ 0 (which is not merely weaker than the trivial precondition above, but is a precise description of the mortal states of the original loop). Thus, by computing the mortal precondition of the loop using its phase graph rather than applying the mortal precondition operator to the loop itself, we get a weaker mortal precondition. ⌟

State-of-the-art termination analyzers often use a portfolio of techniques to prove termination. Heuristics for selecting among appropriate techniques in a portfolio can be another source of unpredictable (non-monotone) behavior. A feature of our framework is that it makes it easy to combine the strengths of different termination analyses without such heuristics.

Suppose that mp_1 and mp_2 are mortal precondition operators. Then we can combine mp_1 and mp_2 into a single mortal precondition operator mp_1 ⊗ mp_2 by defining

  (mp_1 ⊗ mp_2)(F) ≜ mp_1(F) ∨ mp_2(F);

if mp_1 and mp_2 are monotone, then so too is mp_1 ⊗ mp_2. In fact, monotonicity allows us to do better. Define a second combinator by

  (mp_1 ⋉ mp_2)(F) ≜ mp_1(F) ∨ mp_2(F ∧ ¬mp_1(F)).

The intuition is that mp_1 ⋉ mp_2 is an ordered product, which asks mp_2 only to find a mortal precondition for the region of the state space that mp_1 cannot prove to be mortal. If we suppose that for all F we have mp_2(F) |= mp_2(F ∧ ¬mp_1(F)) (which holds when mp_2 is monotone), then we have (mp_1 ⊗ mp_2)(F) |= (mp_1 ⋉ mp_2)(F).
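The two combinators can be sketched over a finite-state toy model of mortal precondition operators (relations over a small state space; an illustrative assumption, not ComPACT's symbolic implementation). The deliberately weak operator below proves mortality only for states whose runs take at most one step, yet its ordered product with itself proves more than its ⊗-combination:

```python
STATES = range(3)  # toy state space; transition "formulas" are relations

def mp_depth1(f):
    """A deliberately weak mortal precondition operator: proves s mortal
    only if every run from s takes at most one step."""
    succ = lambda s: [t for (u, t) in f if u == s]
    return frozenset(s for s in STATES if all(not succ(t) for t in succ(s)))

def tensor(mp1, mp2):
    # (mp1 (x) mp2)(F) = mp1(F) \/ mp2(F)
    return lambda f: mp1(f) | mp2(f)

def ltimes(mp1, mp2):
    # (mp1 |>< mp2)(F) = mp1(F) \/ mp2(F /\ not mp1(F)): mp2 only needs to
    # handle transitions whose start state mp1 could not prove mortal.
    def op(f):
        proved = mp1(f)
        rest = frozenset((s, t) for (s, t) in f if s not in proved)
        return proved | mp2(rest)
    return op

# Chain 0 -> 1 -> 2: runs from 0 take two steps, so mp_depth1 misses state 0,
# but the ordered product proves it after discharging states 1 and 2 first.
chain = frozenset({(0, 1), (1, 2)})
```

Here `tensor(mp_depth1, mp_depth1)` still proves only {1, 2} mortal, while `ltimes(mp_depth1, mp_depth1)` proves all three states, illustrating how ⋉ composes the strengths of its arguments.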
[Figure 3. Analysis of a loop with phase structure.

(a) A loop with phase structure:

  while (x > 0):
    if (f ≥ 0):
      x := x - y
      y := y + 1
      f := f + 1
    else:
      x := x + 1
      f := f - 1

(b) Loop transition formula:

  F ≜ x > 0 ∧ ((f ≥ 0 ∧ x′ = x − y ∧ y′ = y + 1 ∧ f′ = f + 1)
             ∨ (f < 0 ∧ x′ = x + 1 ∧ f′ = f − 1 ∧ y′ = y))

(c) Phase transition graph for F, with root s and phases
  a: F ∧ ¬(x′ < x) ∧ y′ > y ∧ f′ > f
  b: F ∧ x′ < x ∧ y′ > y ∧ f′ > f
  m: F ∧ ¬(x′ < x) ∧ y′ = y ∧ f′ < f
Solid edges form a reduced phase transition graph.]
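The phase structure claimed in Example 6.4 can be checked empirically with a small simulation of the Figure 3 loop (a brute-force sanity check over a window of initial states, not part of the analysis itself):

```python
from itertools import product

def step(x, y, f):
    """One iteration of the Figure 3 loop body (assumes x > 0 on entry)."""
    if f >= 0:
        return x - y, y + 1, f + 1  # then branch: phases a and b
    return x + 1, y, f - 1          # else branch: phase m

# Once the then branch runs, f only grows, so the else branch is never taken
# again (and symmetrically for the else branch): the phase choice is committed.
# Consequently the loop halts from every state with f >= 0 (y eventually
# becomes positive and x decreases), and diverges whenever x > 0 and f < 0
# (x strictly increases forever).
def halts(x, y, f, fuel=10_000):
    for _ in range(fuel):
        if x <= 0:
            return True
        x, y, f = step(x, y, f)
    return False
```

Sweeping small initial values of x, y, and f confirms the mortal precondition x ≤ 0 ∨ f ≥ 0 on this window.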
In our tool ComPACT (Compositional and Predictable Analysis for Conditional Termination), we have implemented the algebraic program analysis framework (Sections 4 and 5), two mortal precondition operators mp_LLRF (Example 3.2) and mp_exp (Section 6.1), and the combinator mp_phase (Section 6.2). ComPACT's default mortal precondition operator is mp_phase(P, mp_LLRF ⋉ mp_exp) (where P is a set of direction predicates, P ≜ {x ⊲⊳ x′ : x ∈ Var, ⊲⊳ ∈ {<, =, >}}). We compare ComPACT against Ultimate Automizer [24], 2LS [14], and CPAchecker [37], the top three placing competitors in the termination category of SV-COMP 2020. We also compare with Termite [29], which implements a complete procedure for linear lexicographic ranking function (LLRF) synthesis, to evaluate the effectiveness of our algebraic framework. With the exception of 2LS, all tools treat variables as unbounded integers.

Environment.
We ran all experiments in a virtual machine with Ubuntu 18.04 and kernel version 5.x.x-62, with a single-core Intel Core i5-7267U @ 3.10GHz CPU and 3 GB of RAM. All tools were run with a time limit of 10 minutes. CPAchecker was run with a heap memory limit of 2500 MB.
Benchmark design.
We tested on a suite of 413 programs divided into 4 categories. The termination, bitprecise, and recursive suites contain small programs with challenging termination arguments, while the polybench suite contains larger real-world programs that have relatively simple termination arguments. The termination category consists of the non-recursive, terminating benchmarks in the Termination-MainControlFlow suite from the Competition on Software Verification (SV-COMP) 2020. The recursive category consists of the recursive, terminating benchmarks from Termination-MainControlFlow plus the recursive directory. The bitprecise category consists of the same benchmarks as the termination category, except that bounded integer semantics are encoded into unbounded integer semantics for a more accurate comparison with 2LS (minus one task, which Ultimate Automizer was able to prove to be non-terminating). Since signed overflow is undefined in C, proving termination necessitates proving the absence of signed overflow. The encoding was performed by using goto-instrument [2, 3] to instrument the code with checks for signed overflow that enter an infinite loop on failure. The polybench suite contains moderately sized kernels for numerical algorithms.

[Figure 4. Evaluation of ComPACT vs. state of the art. (a) Termination verification benchmarks (tasks proved and time in seconds) for ComPACT, 2LS, UAutomizer, Termite, and CPAchecker over the termination (171 tasks), bitprecise (170), recursive (42), and polybench (30) suites; most individual cells did not survive extraction. Recoverable fragments include ComPACT proving 31 recursive tasks in 116.6 s versus 29 in 1580.2 s for UAutomizer and 23 in 596.2 s for CPAchecker. (b) Scatter plot of ComPACT vs. UAutomizer running times, distinguishing tasks proved by both, by only one tool, or by neither.]

[Table 1. Contributions of different components implemented in ComPACT; time in seconds. Columns compare mp_LLRF as the base operator (LLRF only vs. LLRF + phase) against mp_exp as the base operator (exp only vs. exp + phase) on each suite; most individual cells did not survive extraction.]
How does ComPACT compare with the state-of-the-art?
The comparison of all tools across all test suites is shown in Figure 4a. For the termination and bitprecise suites, Ultimate Automizer proves the most tasks, but uses significantly more time than ComPACT (Figure 4b). For the other two benchmark suites, ComPACT proves termination of the most tasks among all the tools compared. Note that 2LS and Termite do not handle recursive programs, so we exclude them from the recursive suite. None of 2LS, Ultimate Automizer, or CPAchecker can solve any of the polybench benchmarks; they run out of time or memory. Demonstrating the value of compositionality, ComPACT has a relatively stable running time across all benchmarks, and can scale to handle the polybench suite.
How does each component contribute to ComPACT's capability?
ComPACT implements two mortal precondition operators, the LLRF-based operator mp_LLRF (LLRF) and the transitive-closure-based operator mp_exp (exp), along with the phase analysis combinator (phase). We next evaluate how each component contributes to ComPACT's ability to prove termination. Table 1 shows how many benchmarks each component can handle when it is run in isolation.

For the polybench benchmark, all components solve all tasks, demonstrating that each is capable of producing easy termination arguments for moderately-sized benchmarks. Observe that phase analysis improves the precision of both mp_LLRF and mp_exp. It is also interesting to compare the LLRF column with the Termite results in Figure 4a, since both implement the same base procedure but "lift" it to programs with complex control flow differently. This comparison demonstrates the advantage of compositional summarization of nested loops, and also suggests that precision loss due to compositionality, i.e., synthesizing LLRFs without supporting invariants, is not substantial.

Summarization for termination.
At a high level, our procedure proves that a loop terminates by first computing a transition formula that summarizes the behavior of its body, and then performing termination analysis on the transition formula. There are several approaches to termination analysis that similarly apply summarization to handle nested loops and procedure calls [8, 14, 47, 51]. There are various ways of formulating such an analysis. Berdine et al. [8] generate loop body summaries using a program transformation and a conventional state-based invariant generator (e.g., polyhedra analysis). Tsitovich et al. [47] take an approach more similar to ours: summarization is an operation that replaces a subgraph of a control flow graph by edges that summarize that subgraph, and it is applied recursively to summarize nested loops. We take an algebraic view, inspired by Tarjan [45, 46], in which we generate an ω-regular expression representing the paths through a program and then define the analysis by recursion on that expression.

The contribution of Section 5 is to provide a unified framework in which these analyses can be understood. In view of the algebraic framework, prior work can be understood in terms of (1) the method used to summarize loops (i.e., the (−)* operator), and (2) the method used to prove termination (i.e., the (−)^ω operator). A concrete benefit of our framework in light of this prior work is that our approach handles recursive procedures and irreducible control flow, which are not supported by some of the prior approaches (including 2LS) [14, 47, 51].

Complete ranking function synthesis.
A ranking function synthesis algorithm is complete if it is guaranteed to find a ranking function for a loop if one exists. Such techniques are related to our work in that we sought a termination analysis for which we can make guarantees about its behavior. Complete ranking function synthesis algorithms exist for a variety of classes of ranking functions, such as linear [38], linear-lexicographic [11], nested [36], and multi-phase [7]. These algorithms apply only to very restricted classes of loops, and in particular there are no complete ranking function synthesis algorithms that operate on nested loops or recursive procedures. The seminal work on Terminator gives a general method for applying complete ranking function synthesis algorithms to general programs by using them in a counter-example guided refinement loop [20]. Our framework of algebraic termination analysis provides another general method, which allows the theoretical guarantee of completeness to carry over to a monotonicity guarantee for the whole analysis.
Conditional termination.
In a compositional setting, and in particular the algebraic framework of Section 5, it is natural to formulate the termination problem as the problem of finding a sufficient condition under which a fragment of code is guaranteed to terminate (i.e., a mortal precondition), rather than the decision problem of universal termination. Section 6.2 gives a monotone approach to this problem that is based on exposing the phase structure of a loop.

Bozga et al. [10] is closest to our work in that they give an algorithm for which there are guarantees about its behavior beyond soundness, albeit for a limited class of loops. They give a technique for synthesizing the set of mortal states of a loop, provided a logical formula representing the exact transitive closure of that loop in a logical theory that admits quantifier elimination. In Section 6.1, we use a related idea to under-approximate the mortal states of a loop using an over-approximation of the transitive closure of the loop. Other approaches to conditional termination include quantifier elimination [16], abstract interpretation [22, 48–50], abductive inference [35], conflict-driven learning [25], incremental backwards reasoning [28], and constraint-based methods [9]. Our approach is unique in that we provide a conditional termination analysis that is both monotone and can be applied to a general program model.
Control flow refinement.
Section 6.2 defines a mortal precondition combinator that improves the precision of a given mortal precondition operator by exposing phase structure in loops. There are several related approaches for improving analysis results by program transformation [6, 23, 27, 30, 40, 41]. In particular, the transition invariant predicates from Section 6.2 are essentially a transition-predicate analogue of the (state-based) splitter predicates from [41]; our methods for checking whether a candidate transition predicate is invariant and for partitioning the transition space are new. Cyphert et al.'s work [23] on refinement of path expressions is closest to ours in that it is based on an algebraic program analysis and provides a guarantee of improvement. Their refinement strategy is based on altering the path expression algorithm, whereas phase analysis alters the algebra of the analysis. Operating at the algebra level enables us to formulate and prove a monotonicity theorem.
This paper presents a termination analysis that is both compositional and monotone. We extended Tarjan's path expression method [45, 46] from safety analysis to termination analysis, by using ω-regular expressions to represent languages of infinite paths and ω-algebras to interpret those expressions. One direction for future work is to apply this framework to other analyses that require reasoning about infinite and potentially infinite paths, such as nontermination analysis, resource bound analysis, and verification of general temporal properties.

References

[1] Elvira Albert, Puri Arenas, Samir Genaim, and Germán Puebla. 2008. Automatic Inference of Upper Bounds for Recurrence Relations in Cost Analysis. In
SAS. 221–237.
[2] Jade Alglave, Daniel Kroening, Vincent Nimal, and Michael Tautschnig. 2013. Software verification for weak memory via program transformation. In European Symposium on Programming. Springer, 512–532.
[3] Jade Alglave, Daniel Kroening, and Michael Tautschnig. 2013. Partial orders for efficient bounded model checking of concurrent software. In International Conference on Computer Aided Verification. Springer, 141–157.
[4] Corinne Ancourt, Fabien Coelho, and François Irigoin. 2010. A Modular Static Analysis Approach to Affine Loop Invariants Detection. Electr. Notes Theor. Comp. Sci.
[5] [authors and year lost in extraction]. Principles of Model Checking. The MIT Press.
[6] G. Balakrishnan, S. Sankaranarayanan, F. Ivančić, and A. Gupta. 2009. Refining the Control Structure of Loops using Static Analysis. In EMSOFT.
[7] A. M. Ben-Amram and S. Genaim. 2017. On Multiphase-Linear Ranking Functions. In CAV. 601–620.
[8] Josh Berdine, Aziem Chawdhary, Byron Cook, Dino Distefano, and Peter O'Hearn. 2007. Variance analyses from invariance analyses. In Proceedings of the 34th annual ACM SIGPLAN-SIGACT symposium on Principles of programming languages. 211–224.
[9] Cristina Borralleras, Marc Brockschmidt, Daniel Larraz, Albert Oliveras, Enric Rodríguez-Carbonell, and Albert Rubio. 2017. Proving Termination Through Conditional Termination. In TACAS, Axel Legay and Tiziana Margaria (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 99–117.
[10] Marius Bozga, Radu Iosif, and Filip Konečný. 2012. Deciding Conditional Termination. In TACAS, Cormac Flanagan and Barbara König (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 252–266.
[11] A. R. Bradley, Z. Manna, and H. B. Sipma. 2005. Linear ranking with reachability. In CAV. 491–504.
[12] Marc Brockschmidt, Byron Cook, Samin Ishtiaq, Heidy Khlaaf, and Nir Piterman. 2016. T2: Temporal Property Verification. In TACAS. 387–393.
[13] Q. Carbonneaux, J. Hoffmann, and Z. Shao. 2015. Compositional Certified Resource Bounds. In PLDI.
[14] Hong-Yi Chen, Cristina David, Daniel Kroening, Peter Schrammel, and Björn Wachter. 2018. Bit-Precise Procedure-Modular Termination Analysis. ACM Trans. Program. Lang. Syst. 40, 1 (2018), 1:1–1:38. https://doi.org/10.1145/3121136
[15] Byron Cook, Alexey Gotsman, Andreas Podelski, Andrey Rybalchenko, and Moshe Y. Vardi. 2007. Proving That Programs Eventually Do Something Good. In POPL. 265–276.
[16] Byron Cook, Sumit Gulwani, Tal Lev-Ami, Andrey Rybalchenko, and Mooly Sagiv. 2008. Proving Conditional Termination. In CAV, Aarti Gupta and Sharad Malik (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 328–340.
[17] Byron Cook, Heidy Khlaaf, and Nir Piterman. 2015. On Automation of CTL* Verification for Infinite-State Systems. In CAV. 13–29.
[18] Byron Cook and Eric Koskinen. 2011. Making Prophecies with Decision Predicates. In POPL. 399–410.
[19] Byron Cook and Eric Koskinen. 2013. Reasoning About Nondeterminism in Programs. In PLDI. 219–230.
[20] Byron Cook, Andreas Podelski, and Andrey Rybalchenko. 2006. Termination Proofs for Systems Code. In PLDI. 415–426.
[21] Byron Cook, Andreas Podelski, and Andrey Rybalchenko. 2009. Summarization for termination: no return! Formal Methods in System Design 35, 3 (2009), 369–387. https://doi.org/10.1007/s10703-009-0087-8
[22] Patrick Cousot and Radhia Cousot. 2012. An Abstract Interpretation Framework for Termination. In Proceedings of the 39th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (Philadelphia, PA, USA) (POPL '12). Association for Computing Machinery, New York, NY, USA, 245–258. https://doi.org/10.1145/2103656.2103687
[23] John Cyphert, Jason Breck, Zachary Kincaid, and Thomas Reps. 2019. Refinement of Path Expressions for Static Analysis. Proc. ACM Program. Lang. 3, POPL, Article 45 (Jan. 2019), 29 pages. https://doi.org/10.1145/3290358
[24] Daniel Dietsch, Matthias Heizmann, Alexander Nutz, Claus Schätzle, and Frank Schüssele. 2020. Ultimate Taipan with Symbolic Interpretation and Fluid Abstractions (Competition Contribution). In Tools and Algorithms for the Construction and Analysis of Systems - 26th International Conference, TACAS 2020, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2020, Dublin, Ireland, April 25-30, 2020, Proceedings, Part II (Lecture Notes in Computer Science, Vol. 12079), Armin Biere and David Parker (Eds.). Springer, 418–422. https://doi.org/10.1007/978-3-030-45237-7_32
[25] Vijay D'Silva and Caterina Urban. 2015. Conflict-Driven Conditional Termination. In CAV, Daniel Kroening and Corina S. Păsăreanu (Eds.). Springer International Publishing, Cham, 271–286.
[26] A. Farzan and Z. Kincaid. 2015. Compositional Recurrence Analysis. In FMCAD. IEEE, 57–64.
[27] A. Flores-Montoya and R. Hähnle. 2014. Resource analysis of complex programs with cost equations. In APLAS.
[28] Pierre Ganty and Samir Genaim. 2013. Proving Termination Starting from the End. In CAV. 397–412.
[29] Laure Gonnord, David Monniaux, and Gabriel Radanne. 2015. Synthesis of Ranking Functions Using Extremal Counterexamples. SIGPLAN Not. 50, 6 (June 2015), 608–618. https://doi.org/10.1145/2813885.2737976
[30] S. Gulwani, S. Jain, and E. Koskinen. 2009. Control-flow Refinement and Progress Invariants for Bound Analysis. In PLDI.
[31] S. Gulwani, K.K. Mehra, and T.M. Chilimbi. 2009. SPEED: Precise and Efficient Static Estimation of Program Computational Complexity. In POPL.
[32] S. Gulwani and F. Zuleger. 2010. The Reachability-bound Problem. In PLDI.
[33] Zachary Kincaid, Jason Breck, John Cyphert, and Thomas Reps. 2019. Closed Forms for Numerical Loops. Proc. ACM Program. Lang. 3, POPL, Article 55 (Jan. 2019), 29 pages. https://doi.org/10.1145/3290368
[34] Z. Kincaid, J. Cyphert, J. Breck, and T.W. Reps. 2018. Non-Linear Reasoning for Invariant Synthesis. PACMPL.
[35] [entry partially lost in extraction]. In PLDI '15 (Portland, OR, USA). Association for Computing Machinery, New York, NY, USA, 489–498. https://doi.org/10.1145/2737924.2737993
[36] J. Leike and M. Heizmann. 2014. Ranking Templates for Linear Loops. In TACAS. 172–186.
[37] Sebastian Ott. 2016. Implementing a Termination Analysis using Configurable Program Analysis. Master's thesis. University of Passau.
[38] A. Podelski and A. Rybalchenko. 2004. A Complete Method for the Synthesis of Linear Ranking Functions. In VMCAI. 239–251.
[39] Thomas Reps, Mooly Sagiv, and Greta Yorsh. 2004. Symbolic Implementation of the Best Transformer. In Verification, Model Checking, and Abstract Interpretation, Bernhard Steffen and Giorgio Levi (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 252–266.
[40] X. Rival and L. Mauborgne. 2007. The Trace Partitioning Abstract Domain.
TOPLAS.
29, 5 (2007). onference’17, July 2017, Washington, DC, USA Shaowei Zhu and Zachary Kincaid [41] R. Sharma, I. Dillig, T. Dillig, and A. Aiken. 2011. Simplifying LoopInvariant Generation Using Splitter Predicates. In
CAV .[42] Jake Silverman and Zachary Kincaid. 2019. Loop Summarization withRational Vector Addition Systems. In
CAV , Isil Dillig and Serdar Tasiran(Eds.). Springer International Publishing, Cham, 97–115.[43] Moritz Sinn, Florian Zuleger, and Helmut Veith. 2015. DifferenceConstraints: An Adequate Abstraction for Complexity Analysis ofImperative Programs. In
FMCAD . 144–151.[44] Robert Endre Tarjan. 1979. Applications of Path Compression onBalanced Trees.
J. ACM
26, 4 (Oct. 1979), 690–715. https://doi.org/10.1145/322154.322161 [45] R. E. Tarjan. 1981. Fast Algorithms for Solving Path Problems.
J. ACM
28, 3 (July 1981), 594–614.[46] R. E. Tarjan. 1981. A Unified Approach to Path Problems.
J. ACM
Tools and Algorithms for the Construction and Analysisof Systems - 17th International Conference, TACAS 2011, Held as Partof the Joint European Conferences on Theory and Practice of Software,ETAPS 2011, Saarbrücken, Germany, March 26-April 3, 2011. Proceedings(Lecture Notes in Computer Science, Vol. 6605) , Parosh Aziz Abdulla andK. Rustan M. Leino (Eds.). Springer, 81–95. https://doi.org/10.1007/978-3-642-19835-9_9 [48] Caterina Urban. 2013. The Abstract Domain of Segmented RankingFunctions. In
SAS , Francesco Logozzo and Manuel Fähndrich (Eds.).43–62.[49] Caterina Urban and Antoine Miné. 2014. An Abstract Domain to InferOrdinal-Valued Ranking Functions. In
European Symp. on Program-ming , Zhong Shao (Ed.). Springer Berlin Heidelberg, Berlin, Heidelberg,412–431.[50] Caterina Urban and Antoine Miné. 2014. A Decision Tree AbstractDomain for Proving Conditional Termination. In
SAS , Markus Müller-Olm and Helmut Seidl (Eds.). Springer International Publishing, Cham,302–318.[51] Florian Zuleger, Sumit Gulwani, Moritz Sinn, and Helmut Veith.2011. Bound Analysis of Imperative Programs with the Size-ChangeAbstraction. In
Static Analysis - 18th International Symposium, SAS2011, Venice, Italy, September 14-16, 2011. Proceedings (Lecture Notesin Computer Science, Vol. 6887) , Eran Yahav (Ed.). Springer, 280–297. https://doi.org/10.1007/978-3-642-23702-7_22
A Proofs
First, we observe that MP and TF satisfy the following algebraic laws (where formulas are considered to be equal if they are logically equivalent):

Lemma A.1. ⟨TF, +TF, ·TF, 0TF, 1TF⟩ is an idempotent semiring:
• ·TF is associative and has 1TF as its identity
• +TF is associative, commutative, idempotent, and has 0TF as its identity
• ·TF distributes over +TF (on the left and right)
• F ·TF 0TF = 0TF ·TF F = 0TF for any F

Lemma A.2. MP is a module over TF:
• +MP is associative, commutative, and idempotent
• F ·MP (S₁ +MP S₂) = (F ·MP S₁) +MP (F ·MP S₂)
• (F₁ +TF F₂) ·MP S = (F₁ ·MP S) +MP (F₂ ·MP S)
• (F₁ ·TF F₂) ·MP S = F₁ ·MP (F₂ ·MP S)
• 1TF ·MP S = S

Since +TF is associative, commutative, and idempotent, it defines a partial order ≤TF, where F ≤TF G iff F +TF G = G. Observe that since +TF is disjunction, ≤TF coincides with logical entailment. Similarly, +MP defines a partial order ≤MP, which coincides with reverse logical entailment. From Lemmas A.1 and A.2, we see that the operations +TF, ·TF, +MP, and ·MP are monotone with respect to these orders. We show monotonicity of ·MP; the other operators are similar. Suppose that F₁ ≤TF F₂ and S₁ ≤MP S₂; we wish to show that F₁ ·MP S₁ ≤MP F₂ ·MP S₂:

F₂ ·MP S₁ = (F₁ +TF F₂) ·MP S₁   (since F₁ ≤TF F₂)
          = (F₁ ·MP S₁) +MP (F₂ ·MP S₁)   (Lemma A.2)
          ≥MP F₁ ·MP S₁
F₂ ·MP S₂ = F₂ ·MP (S₁ +MP S₂)   (since S₁ ≤MP S₂)
          = (F₂ ·MP S₁) +MP (F₂ ·MP S₂)   (Lemma A.2)
          ≥MP F₂ ·MP S₁

Combining the two chains yields F₁ ·MP S₁ ≤MP F₂ ·MP S₁ ≤MP F₂ ·MP S₂.

Let P = ⟨G, L⟩ be a labeled control flow graph, with G = ⟨V, E, r⟩. Define a computation to be a sequence τ = ⟨v₀, s₀⟩⟨v₁, s₁⟩…⟨vₙ, sₙ⟩ ∈ (V × State)* such that for all i we have ⟨vᵢ, vᵢ₊₁⟩ ∈ E and [sᵢ, sᵢ₊₁] ⊨ L(vᵢ, vᵢ₊₁). Define an ω-computation to be an infinite sequence in (V × State)^ω such that every finite prefix is a computation. For a computation τ = ⟨v₀, s₀⟩⟨v₁, s₁⟩…⟨vₙ, sₙ⟩, define its underlying path to be path(τ) ≜ ⟨v₀, v₁⟩⟨v₁, v₂⟩…⟨vₙ₋₁, vₙ⟩; define path^ω analogously for ω-computations.

Lemma A.3.
Let P be a labeled control flow graph, let τ = ⟨v₀, s₀⟩⟨v₁, s₁⟩…⟨vₙ, sₙ⟩ be a computation of P, and let e ∈ RegExp(E). If e recognizes path(τ), then [s₀, sₙ] ⊨ T⟦e⟧.

Proof. By induction on e.
• Case e is ⟨u, v⟩: Since e recognizes path(τ), τ must take the form ⟨u, s⟩⟨v, s′⟩ with [s, s′] ⊨ L(u, v) = T⟦⟨u, v⟩⟧.
• Case e is 0: trivial; 0 does not recognize any paths.
• Case e is 1: 1 recognizes only the empty path, so τ must have the form ⟨v₀, s₀⟩, and [s₀, s₀] ⊨ 1TF = T⟦1⟧.
• Case e is e₁e₂: Since e recognizes path(τ), there is some m such that e₁ recognizes path(⟨v₀, s₀⟩…⟨vₘ, sₘ⟩) and e₂ recognizes path(⟨vₘ, sₘ⟩…⟨vₙ, sₙ⟩). By the induction hypothesis, [s₀, sₘ] ⊨ T⟦e₁⟧ and [sₘ, sₙ] ⊨ T⟦e₂⟧. It follows that [s₀, sₙ] ⊨ T⟦e₁⟧ ∘ T⟦e₂⟧ = T⟦e₁e₂⟧.
• Case e is e₁*: Since e recognizes path(τ), there are indices 0 = i₀, i₁, …, iₘ = n such that e₁ recognizes path(⟨v_{i_j}, s_{i_j}⟩…⟨v_{i_{j+1}}, s_{i_{j+1}}⟩) for each j. By the induction hypothesis, we have s_{i₀} →_{T⟦e₁⟧} s_{i₁} →_{T⟦e₁⟧} ⋯ →_{T⟦e₁⟧} s_{iₘ}, and so s₀ →*_{T⟦e₁⟧} sₙ. Since →*_{T⟦e₁⟧} ⊆ →_{T⟦e₁⟧★}, we have [s₀, sₙ] ⊨ T⟦e₁⟧★ = T⟦e₁*⟧. □

Lemma A.4.
Let P be a labeled control flow graph, let τ = ⟨v₀, s₀⟩⟨v₁, s₁⟩… be an ω-computation of P, and let f ∈ ω-RegExp(E). If f recognizes path^ω(τ), then s₀ ⊭ T^ω⟦f⟧.

Proof. By induction on f.
• Case f is e^ω: Since f recognizes path^ω(τ), there is a sequence 0 = i₀, i₁, i₂, … such that e recognizes the path ⟨v_{i_j}, v_{i_j + 1}⟩…⟨v_{i_{j+1} − 1}, v_{i_{j+1}}⟩ for all j. By Lemma A.3, we have [s_{i_j}, s_{i_{j+1}}] ⊨ T⟦e⟧ for all j. It follows that s_{i₀} →_{T⟦e⟧} s_{i₁} →_{T⟦e⟧} s_{i₂} ⋯ is an infinite computation in T⟦e⟧, and so s₀ = s_{i₀} is not a mortal state of T⟦e⟧. Since (−)^{ω_MP} is a mortal precondition operator, we have s₀ ⊭ T^ω⟦e^ω⟧ = T⟦e⟧^{ω_MP}.
• Case f is f₁ + f₂: Since f recognizes path^ω(τ), either f₁ or f₂ must recognize path^ω(τ). Without loss of generality, suppose f₁ recognizes path^ω(τ). By the induction hypothesis, s₀ ⊭ T^ω⟦f₁⟧, and therefore s₀ ⊭ T^ω⟦f⟧ = T^ω⟦f₁⟧ ∧ T^ω⟦f₂⟧.
• Case f is e · f′: Since f recognizes path^ω(τ), there is some m such that e recognizes ⟨v₀, v₁⟩…⟨v_{m−1}, v_m⟩ and f′ recognizes ⟨v_m, v_{m+1}⟩⟨v_{m+1}, v_{m+2}⟩…. By Lemma A.3, we have [s₀, s_m] ⊨ T⟦e⟧, and by the induction hypothesis we have s_m ⊭ T^ω⟦f′⟧. It follows that s₀ ⊭ T^ω⟦e · f′⟧ = wp(T⟦e⟧, T^ω⟦f′⟧). □

Proposition 5.1 (Soundness). Let P = ⟨G, L⟩ be a labeled CFG, let r be the root of G, and let PathExp^ω_G(r) be an ω-path expression recognizing Paths^ω_G(r). Then T^ω⟦PathExp^ω_G(r)⟧ is a mortal precondition for TS(P), in the sense that for any s ⊨ T^ω⟦PathExp^ω_G(r)⟧, we have that ⟨r, s⟩ is a mortal state of TS(P). In particular, if T^ω⟦PathExp^ω_G(r)⟧ is valid, then the program P has no infinite executions.

Proof. We show the contrapositive. If ⟨r, s⟩ is not mortal, then there is an ω-computation τ of P beginning with ⟨r, s⟩. Since PathExp^ω_G(r) recognizes all ω-paths beginning at r, it must recognize path^ω(τ). By Lemma A.4 we have s ⊭ T^ω⟦PathExp^ω_G(r)⟧. □

Proposition 5.2 (Monotonicity). Suppose that mp is a monotone mortal precondition operator, and MP and TF are defined as above. Let f ∈ ω-RegExp(E), and let L₁, L₂ : E → TF be semantic functions such that for all e ∈ E, L₁(e) ⊨ L₂(e). Define T₁ ≜ ⟨TF, MP, L₁⟩ and T₂ ≜ ⟨TF, MP, L₂⟩. Then T₂^ω⟦f⟧ ⊨ T₁^ω⟦f⟧.

Proof. By induction on f. The base case is immediate from the assumption that L₁(⟨u, v⟩) ⊨ L₂(⟨u, v⟩) for all ⟨u, v⟩ ∈ E. The inductive steps follow from monotonicity of all the operations of TF (Lemma A.1, Lemma 3.1) and MP (Lemma A.2 and the assumption that mp is monotone). □

A.1 Phase analysis
We first prove some properties of our over-approximating transitive closure operator ★.

Lemma A.5. For any transition formula F ∈ TF and state formula S ∈ MP, we have

1TF ⊨ F★   (1)
F★ = F★ ∘ F★   (2)
F★ ·MP S ⊨ S   (3)

In the following, let PTG(F, P) denote the phase transition graph for the formula F and set of predicates P.

Theorem 6.2 (Soundness). Let mp be a mortal precondition operator and let P be a set of transition predicates. Then mp_Phase(P, mp) is a mortal precondition operator.

Proof. Let F be a transition formula, and let G = PTG(F, P). Let r be the root of G. Towards the contrapositive, suppose that there is an infinite F-computation s₀ →_F s₁ →_F s₂ ⋯. For each pair of states [sᵢ, sᵢ₊₁], there is a unique cell cᵢ ∈ P(F, P) such that [sᵢ, sᵢ₊₁] ⊨ cᵢ (since P(F, P) is a partition of the transitions of F). Since for each i we have sᵢ →_F sᵢ₊₁ →_F sᵢ₊₂, [sᵢ, sᵢ₊₁] ⊨ cᵢ, and [sᵢ₊₁, sᵢ₊₂] ⊨ cᵢ₊₁, the composition cᵢ ∘ cᵢ₊₁ is satisfiable, and so there is a 1TF-labelled path from cᵢ to cᵢ₊₁ in G. Finally, there is a 1TF-labelled path from r to c₀. It follows that there is an infinite execution of TS(G) starting from ⟨r, s₀⟩, and so by Proposition 5.1 we have s₀ ⊭ T^ω⟦PathExp^ω_G(r)⟧. □

Now we move on to prove the monotonicity of phase analysis. First, we define a canonical form for path expressions and prove some related results.
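To make the canonical-form machinery concrete, the following Python sketch checks the containment condition that appears in Lemma A.9: given canonical expressions P = c₁* … c_k* c_{k+1}^ω and Q = d₁* … d_ℓ* d_{ℓ+1}^ω, it decides whether a monotone map f with cᵢ = d_{f(i)} and f(k+1) = ℓ+1 exists. The representation (a list of stem letters plus a body letter) and the function name are illustrative, not taken from the paper.

```python
def embeds(p_stem, p_body, q_stem, q_body):
    """Does a monotone map f : {1,..,k+1} -> {1,..,l+1} exist with
    c_i = d_{f(i)} and f(k+1) = l+1?  (Condition from Lemma A.9.)"""
    # The omega-bodies must coincide, since f(k+1) = l+1.
    if p_body != q_body:
        return False
    # A stem letter of P may map to any of Q's stem positions or to
    # Q's body position (f(i) = l+1 is permitted), in monotone order.
    targets = list(q_stem) + [q_body]
    j = 0
    for c in p_stem:
        # Greedy earliest match; staying at j lets consecutive stem
        # letters of P map to the same position of Q.
        while j < len(targets) and targets[j] != c:
            j += 1
        if j == len(targets):
            return False
    return True
```

For example, a* b* c^ω embeds into a* x* b* c^ω, but b* a* c^ω does not; stem letters may also map into the ω-body, so c* c* c^ω embeds into the bare c^ω.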
Definition A.6. An ω-path expression P is in canonical form if it has the form (P₁* P₂* … Pₙ*) L^ω, where the Pᵢ's and L are letters. The transition formula part P₁* P₂* … Pₙ* is called the stem and the expression L^ω is called the body.

Let L^ω(f) denote the language recognized by the ω-path expression f. For an ω-path expression f for a phase transition graph PTG(F, P), define h(f) to be the ω-regular expression obtained by deleting phase transition edges (recall: phase transition edges are labelled with 1TF; the loops of the phase transition graph contain all of its significant content). Clearly, we have T^ω⟦f⟧ = T^ω⟦h(f)⟧.

Lemma A.7 (Canonical form of path expressions). Let F be a transition formula, P be a set of predicates, G = PTG(F, P), and r be the root of G. There exist canonical-form path expressions P₁, …, P_N such that

L^ω(h(PathExp^ω_G(r))) = L^ω(P₁ + P₂ + … + P_N)

Furthermore, we have T^ω⟦PathExp^ω_G(r)⟧ = T^ω⟦P₁ + P₂ + … + P_N⟧.

Proof. By structural induction on PathExp^ω_G(r) and Lemmas A.1 and A.2. □

Lemma A.8.
Suppose that P = c₁* ⋯ c_k* c_{k+1}^ω is a canonical path expression and L^ω(P) ⊆ L^ω(Q₁ + Q₂ + … + Qₙ), where each Qᵢ is also a canonical path expression. Then there exists some Qᵢ such that L^ω(P) ⊆ L^ω(Qᵢ).

Lemma A.9. Suppose that P = c₁* ⋯ c_k* c_{k+1}^ω and Q = d₁* ⋯ d_ℓ* d_{ℓ+1}^ω are canonical path expressions such that L^ω(P) ⊆ L^ω(Q). Then there is a monotone map f : {1, …, k+1} → {1, …, ℓ+1} such that f(k+1) = ℓ+1 and cᵢ = d_{f(i)} for all i.

Lemma A.10.
Let F be a transition formula, P be a set of predicates, let G = PTG(F, P), and let r be the root of G. Let c₁, c₂, …, c_k, c_{k+1} be a sequence of cells such that for every i ∈ [k], cᵢ ∘ cᵢ₊₁ is satisfiable. Suppose that for any transition formula F, wp(F★, mp(F)) = mp(F). Then we have

T^ω⟦PathExp^ω_G(r)⟧ ⊨ T^ω⟦(c₁* … c_k*) c_{k+1}^ω⟧

Proof. We first show that

L^ω((c₁* … c_k*) c_{k+1}^ω) ⊆ L^ω(h(PathExp^ω_G(r)))

Since every cᵢ ∘ cᵢ₊₁ is satisfiable, in the phase transition graph there exist 1TF-labelled paths from cᵢ to cᵢ₊₁ for all i, and also from the root of the phase transition graph to c₁. It follows that every word in L^ω((c₁* … c_k*) c_{k+1}^ω) is recognized by h(PathExp^ω_G(r)).

By Lemma A.7, there exist canonical path expressions Q₁, …, Q_N such that L^ω(h(PathExp^ω_G(r))) = L^ω(Q₁ + … + Q_N). By Lemma A.8, there exists some Qᵢ such that

L^ω((c₁* … c_k*) c_{k+1}^ω) ⊆ L^ω(Qᵢ)

Let Qᵢ = d₁* … d_ℓ* d_{ℓ+1}^ω. By Lemma A.9, there is a monotone map f : {1, …, k+1} → {1, …, ℓ+1} such that f(k+1) = ℓ+1 and cⱼ = d_{f(j)} for all j. Let P = (c₁* … c_k*) c_{k+1}^ω. We now prove that T^ω⟦Qᵢ⟧ ⊨ T^ω⟦P⟧ by induction. Specifically, we prove that for all 1 ≤ i ≤ k+1,

T^ω⟦d*_{f(i)} … d_ℓ* d_{ℓ+1}^ω⟧ ⊨ T^ω⟦cᵢ* … c_k* c_{k+1}^ω⟧

The base case, i = k+1, is immediate: since c_{k+1} = d_{ℓ+1}, we have T^ω⟦d_{ℓ+1}^ω⟧ ⊨ T^ω⟦c_{k+1}^ω⟧.

For the induction step, assume the statement for i:

T^ω⟦d*_{f(i)} ⋯ d_{ℓ+1}^ω⟧ ⊨ T^ω⟦cᵢ* ⋯ c_k* c_{k+1}^ω⟧

We must prove it for i − 1:

T^ω⟦d*_{f(i−1)} ⋯ d_{ℓ+1}^ω⟧ ⊨ T^ω⟦c*_{i−1} cᵢ* ⋯ c_k* c_{k+1}^ω⟧

There are three cases to consider.

1. f(i−1) = f(i) = f(k+1) = ℓ+1: In this case the inductive hypothesis reads T^ω⟦d_{ℓ+1}^ω⟧ ⊨ T^ω⟦cᵢ* ⋯ c_k* c_{k+1}^ω⟧, and we must prove T^ω⟦d_{ℓ+1}^ω⟧ ⊨ T^ω⟦c*_{i−1} cᵢ* ⋯ c_k* c_{k+1}^ω⟧. Since d_{f(i−1)} = d_{ℓ+1} = c_{i−1} and by the assumption of this lemma, we have T^ω⟦d_{ℓ+1}^ω⟧ = T^ω⟦d*_{ℓ+1} d_{ℓ+1}^ω⟧; thus, by Lemma A.2,

T^ω⟦d_{ℓ+1}^ω⟧ = d*_{ℓ+1} ·MP T^ω⟦d_{ℓ+1}^ω⟧ ⊨ c*_{i−1} ·MP T^ω⟦cᵢ* ⋯ c_k* c_{k+1}^ω⟧ = T^ω⟦c*_{i−1} cᵢ* ⋯ c_k* c_{k+1}^ω⟧

2. f(i−1) = f(i) < f(k+1) = ℓ+1: Then d_{f(i−1)} = d_{f(i)} = cᵢ = c_{i−1}. By Lemma A.5 and the inductive hypothesis,

T^ω⟦d*_{f(i−1)} … d_ℓ* d_{ℓ+1}^ω⟧ = T^ω⟦d*_{f(i)} … d_ℓ* d_{ℓ+1}^ω⟧ ⊨ T^ω⟦cᵢ* … c_k* c_{k+1}^ω⟧ = T^ω⟦c*_{i−1} cᵢ* … c_k* c_{k+1}^ω⟧

3. f(i−1) < f(i): By Lemma A.5 and the inductive hypothesis,

T^ω⟦d*_{f(i−1)+1} … d*_{f(i)} … d_ℓ* d_{ℓ+1}^ω⟧ ⊨ T^ω⟦d*_{f(i)} … d_ℓ* d_{ℓ+1}^ω⟧ ⊨ T^ω⟦cᵢ* … c_k* c_{k+1}^ω⟧

By Lemma A.2, since d_{f(i−1)} = c_{i−1},

d*_{f(i−1)} ·MP T^ω⟦d*_{f(i−1)+1} … d*_{f(i)} … d_ℓ* d_{ℓ+1}^ω⟧ ⊨ c*_{i−1} ·MP T^ω⟦cᵢ* … c_k* c_{k+1}^ω⟧

which implies

T^ω⟦d*_{f(i−1)} … d*_{f(i)} … d_ℓ* d_{ℓ+1}^ω⟧ ⊨ T^ω⟦c*_{i−1} cᵢ* … c_k* c_{k+1}^ω⟧ □

Theorem 6.3 (Monotonicity). Let mp be a monotone mortal precondition operator and let P be a set of transition predicates. Suppose that for any transition formula F, we have wp(F★, mp(F)) = mp(F). Then the mortal precondition operator mp_Phase(P, mp) is monotone.

Proof. Let F₁ and F₂ be transition formulas with F₁ ⊨ F₂. Let G₁ = PTG(F₁, P) and G₂ = PTG(F₂, P), and let r₁ and r₂ be the roots of G₁ and G₂, respectively. We must show that

T^ω⟦PathExp^ω_{G₂}(r₂)⟧ ⊨ T^ω⟦PathExp^ω_{G₁}(r₁)⟧

Since F₁ ⊨ F₂, the F₂-invariant subset of P is a subset of the F₁-invariant subset of P, and P(F₁, P) is finer than P(F₂, P). For any cell c ∈ P(F₁, P), define proj(c) to be the unique cell of P(F₂, P) such that c ⊨ proj(c). Projection can be lifted to map ω-regular expressions over P(F₁, P) to ω-regular expressions over P(F₂, P) in the obvious way. By monotonicity, we have T^ω⟦proj(f)⟧ ⊨ T^ω⟦f⟧ for any ω-regular expression f.

Expanding the path expression on the right-hand side into its canonical form according to Lemma A.7, we only need to show T^ω⟦PathExp^ω_{G₂}(r₂)⟧ ⊨ T^ω⟦P₁ + P₂ + … + P_N⟧, where the Pᵢ's are in canonical form. Since T^ω⟦P₁ + P₂ + … + P_N⟧ = T^ω⟦P₁⟧ ∧ ⋯ ∧ T^ω⟦P_N⟧, it is sufficient to prove T^ω⟦PathExp^ω_{G₂}(r₂)⟧ ⊨ T^ω⟦Pᵢ⟧ for all i. Since (by monotonicity) we have T^ω⟦proj(Pᵢ)⟧ ⊨ T^ω⟦Pᵢ⟧, it is sufficient to show T^ω⟦PathExp^ω_{G₂}(r₂)⟧ ⊨ T^ω⟦proj(Pᵢ)⟧.

Write Pᵢ as c₁* c₂* ⋯ c_k* c_{k+1}^ω. Then for each j, cⱼ ∘ cⱼ₊₁ is satisfiable (because there is a corresponding phase transition in G₁), and thus proj(cⱼ) ∘ proj(cⱼ₊₁) is satisfiable. It follows that the sequence proj(c₁), proj(c₂), …, proj(c_{k+1}) meets the conditions of Lemma A.10, and so T^ω⟦PathExp^ω_{G₂}(r₂)⟧ ⊨ T^ω⟦proj(Pᵢ)⟧. □

Lastly, we note that mp_exp and mp_LLRF satisfy the conditions of Theorem 6.3 (that is, wp(F★, F^ω) = F^ω for any transition formula F).

B Interprocedural analysis
The algebraic framework extends to the interprocedural case using the method of Cook et al. [21]. This section provides a sketch of how this extension works. The essential point is that no additional work is required on the part of the analysis designer to extend an algebraic termination analysis to the interprocedural case: the same analysis that is used to prove conditional termination for loops can also be applied to prove conditional termination for recursive functions, and the monotonicity results extend as well.

Suppose that the set of variables Var is divided into a set of local variables LVar and a set of global variables GVar. A program can be represented as a tuple P = ⟨V, E, Proc, Λ, entry, exit⟩, where ⟨V, E⟩ is a finite directed graph, Proc is a finite set of procedure names, Λ : E → TF ∪ Proc labels each edge by either a transition formula or a procedure call, and entry, exit : Proc → V are functions associating each procedure name with an entry and an exit vertex. Note that procedures do not have parameters or return values, but these can be modeled using global variables (see Figure 5 for an example).

An activation record is a pair ⟨v, s⟩ consisting of a control flow vertex v ∈ V and a state s : Var → ℤ. A stack is a sequence of activation records; let Stack denote the set of stacks. Define a transition system TS(P) = ⟨Stack, R(P)⟩, where the states are stacks, and where there is a transition stack →_{TS(P)} stack′ iff one of the following three conditions holds:

• (Local) There is a transition ⟨v, s⟩ base →_{TS(P)} ⟨v′, s′⟩ base for any stack base, any activation record ⟨v, s⟩, any vertex v′, and any state s′ such that ⟨v, v′⟩ ∈ E, Λ(v, v′) is a transition formula, and [s, s′] ⊨ Λ(v, v′).
• (Call) There is a transition ⟨v, s⟩ base →_{TS(P)} ⟨entry(Λ(v, v′)), s⟩ ⟨v′, s⟩ base for any stack base, any activation record ⟨v, s⟩, and any edge ⟨v, v′⟩ labeled by a call.
• (Return) There is a transition ⟨exit(p), s′⟩ ⟨v, s⟩ base →_{TS(P)} ⟨v, s″⟩ base for any stack base, any procedure p, any state s′, and any activation record ⟨v, s⟩, where s″ is the state defined by

s″(x) ≜ s′(x) if x ∈ GVar, and s(x) if x ∈ LVar.

B.1 Procedure summarization

A summary assignment is a function S : Proc → TF mapping each procedure to a transition formula.
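The summarization procedure below closes procedure summaries under a closure operator ρ. As a toy illustration of the predicate-closure operator ρ_P defined later in this subsection, the following Python sketch computes the set of predicates entailed by a formula by brute-force enumeration over a tiny finite domain; this enumeration is a stand-in for the SMT entailment queries a real implementation would use, and all names are illustrative.

```python
from itertools import product

def closure_P(preds, T, vals=range(-2, 3), names=("x", "x2")):
    """rho_P(T): the predicates in `preds` entailed by T, checked by
    enumerating every state over a small finite domain."""
    states = [dict(zip(names, v)) for v in product(vals, repeat=len(names))]
    models = [s for s in states if T(s)]          # states satisfying T
    return {n for n, p in preds.items() if all(p(s) for s in models)}

# Ordering predicates between an unprimed and a primed copy of x
# (here spelled "x2"), as in the paper's predicate set P.
preds = {"x<=x2": lambda s: s["x"] <= s["x2"],
         "x<x2":  lambda s: s["x"] < s["x2"]}

# T says x2 = x + 1, so both ordering predicates are entailed.
T = lambda s: s["x2"] == s["x"] + 1
```

By construction the operator is extensive (T entails the conjunction of the predicates returned) and monotone (a stronger T has fewer models, hence entails at least as many predicates).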
Given a summary assignment S, we can define a semantic function L_S : E → TF by

L_S(e) ≜ S(Λ(e)) if e is a call edge (Λ(e) ∈ Proc), and Λ(e) if e is a transition edge (Λ(e) ∈ TF).

A closure operator on transition formulas is a function ρ : TF → TF that is:
• (Monotone) for all T₁, T₂ with T₁ ⊨ T₂, we have ρ(T₁) ⊨ ρ(T₂)
• (Extensive) for all T, we have T ⊨ ρ(T)
• (Idempotent) for all T, we have ρ(ρ(T)) ≡ ρ(T)

We say that a transition formula T is closed under ρ if ρ(T) ≡ T. We say that ρ satisfies the ascending chain condition if every infinite chain T₁ ⊨ T₂ ⊨ T₃ ⋯ of transition formulas that are closed under ρ eventually stabilizes (there exists some m such that for all n ≥ m we have Tₙ ≡ Tₘ).

Example 2.1 (Closure operator). Two simple closure operators that satisfy the ascending chain condition are as follows:
• Fix a set of predicates P, then define ρ_P(T) ≜ ⋀ { p ∈ P : T ⊨ p }.
• Define ρ_aff(T) ≜ (Ax′ = Bx + c), where Ax′ = Bx + c is a representation of the affine hull of T. The affine hull can be computed using the algorithm from [39].

Finally, observe that closure operators can be combined. In our implementation we use the closure operator ρ(T) ≜ ρ_P(T) ∧ ρ_aff(T), where

P ≜ { x ⊲⊳ x′ : x ∈ Var, x′ ∈ Var′, ⊲⊳ ∈ {>, ≥, =, ≤, <} }

is the set of ordering predicates between primed and unprimed variables. ⌟

We define an infinite sequence S₀, S₁, … : Proc → TF of summary assignments, where

S₀(p) ≜ false
S_{i+1}(p) ≜ ρ(∃LVar, LVar′. M(p, Sᵢ)) ∧ ⋀_{x ∈ LVar} x = x′

where M(p, Sᵢ) ≜ T_{Sᵢ}⟦PathExp_G(entry(p), exit(p))⟧. It follows from the fact that ρ is a closure operator satisfying the ascending chain condition that there exists some i such that Sᵢ = S_{i+1}; define S to be Sᵢ for the least such i.

Lemma B.2.
For any procedure p, states s, s′, and stack st such that ⟨entry(p), s⟩ st →*_{TS(P)} ⟨exit(p), s′⟩ st, we have that [s, s′] ⊨ S(p).

B.2 Termination analysis
Infinite paths through a multi-procedure program (including paths that are infinite due to the presence of recursion) can be captured by an ω-regular expression, by treating call edges using their "big step" semantics and by encoding transfer of control between procedures using additional edges. We formalize this idea using interprocedural control flow graphs.

Fix a program P. Define its interprocedural control flow graph ICFG to be the directed graph ICFG ≜ (V, E_ICFG), which has the same vertices as P but whose edges E_ICFG ≜ E ∪ Interproc contain an additional set of interprocedural edges, defined by

Interproc ≜ { ⟨u, entry(p)⟩ : ∃⟨u, v⟩ ∈ E. Λ(u, v) = p }

(i.e., for each edge ⟨u, v⟩ labeled with a call to procedure p, we add an edge from u to the entry of p; see the dashed edges in Figure 5). With a summary assignment S : Proc → TF in hand, we can define a semantic function L_S : E_ICFG → TF by

L_S(⟨u, v⟩) ≜ S(p) if ⟨u, v⟩ ∈ E and Λ(u, v) = p ∈ Proc; Λ(u, v) if ⟨u, v⟩ ∈ E and Λ(u, v) ∈ TF; ⋀_{x ∈ GVar} x′ = x if ⟨u, v⟩ ∈ Interproc
Then for any vertex v, we may compute an ω-regular expression PathExp^ω_ICFG(v) representing the paths through ICFG emanating from v. The program terminates starting from any state that satisfies T^ω⟦PathExp^ω_ICFG(v)⟧.

[Figure 5: the code of fib(n) and its interprocedural control flow graph over vertices r, a, x, b, c, d, e]

Figure 5. The recursive Fibonacci function (top), and its representation as an interprocedural control flow graph (bottom). The parameter and return value are represented by the global variables g and r (respectively); t is a local temporary variable used to store the return value of the first recursive call. Dashed edges are interprocedural.

Theorem B.3 (Interprocedural Soundness). Fix a program P. For any procedure p ∈ Proc, T^ω⟦PathExp^ω_ICFG(entry(p))⟧ is a mortal precondition for the procedure p, in the sense that for any state s such that s ⊨ T^ω⟦PathExp^ω_ICFG(entry(p))⟧, we have that ⟨entry(p), s⟩ is a mortal state of TS(P).

Example 2.4.
Consider again the example in Figure 5. The interprocedural control flow graph for this program is given in the figure. We have PathExp^ω_ICFG(r) = body^ω, where

body = ⟨r, a⟩⟨a, b⟩(⟨b, r⟩ + ⟨b, c⟩⟨c, d⟩⟨d, r⟩)

Observe that any infinite execution of the Fibonacci function corresponds to a path in ICFG, and therefore to a word recognized by PathExp^ω_ICFG(r). Finally, we can compute a precondition under which Fibonacci terminates by evaluating PathExp^ω_ICFG(r), using mp_LLRF as the mortal precondition operator:

T⟦body⟧ ≡ g ≥ 2 ∧ (g′ = g − 1 ∨ g′ = g − 2)
T^ω⟦PathExp^ω_ICFG(r)⟧ = true

That is, every infinite execution would have to decrease g forever while maintaining g ≥ 2, which is impossible, so every state is mortal.
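The summary computation of Appendix B.1 is a Kleene iteration that stabilizes thanks to the ascending chain condition. The following is a minimal Python sketch over a toy domain: sets of facts stand in for transition formulas, an identity closure stands in for ρ, and a hand-written `analyze` stands in for evaluating PathExp_G(entry(p), exit(p)) under Sᵢ. All of this is illustrative, not the ComPACT implementation.

```python
def summaries(procs, analyze, close, bottom=frozenset()):
    """Iterate S_0(p) = bottom, S_{i+1}(p) = close(analyze(p, S_i))
    until the summary assignment stabilizes."""
    S = {p: bottom for p in procs}
    while True:
        S_next = {p: close(analyze(p, S)) for p in procs}
        if S_next == S:
            return S
        S = S_next

# Toy: a single recursive procedure whose "summary" collects the call
# depths 0..3 reachable through its body; each round re-analyzes the
# body against the current summary of the recursive call.
def analyze(p, S):
    return frozenset({0} | {d + 1 for d in S[p] if d + 1 <= 3})

result = summaries(["f"], analyze, close=lambda x: x)
```

On this finite lattice the identity closure trivially satisfies the monotone, extensive, and idempotent laws, and the iteration reaches its fixed point after four rounds.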