Int J Softw Tools Technol TransferDOI 10.1007/s10009-013-0288-8

REGULAR PAPER

Termination proofs for linear simple loops

Hong Yi Chen · Shaked Flur ·Supratik Mukhopadhyay

© Springer-Verlag Berlin Heidelberg 2013

Abstract Analysis of termination and other liveness prop-erties of a program can be reduced to termination proof syn-thesis for simple loops, i.e., loops with only variable updatesin the loop body. Among simple loops, the subset of lin-ear simple loops (LSLs) is particularly interesting becauseit is common in practice and expressive in theory. Exist-ing techniques can successfully synthesize a linear rankingfunction for an LSL if there exists one. However, when aterminating LSL does not have a linear ranking function,these techniques fail. In this paper, we describe an automaticmethod that generates proofs of (universal) termination forLSLs based on the synthesis of disjunctive ranking relations.The method repeatedly finds linear ranking functions on par-titions of the state space and checks whether the transitiveclosure of the transition relation is included in the unionof the ranking relations. Our method extends the work ofPodelski and Rybalchenko (A complete method for the syn-thesis of linear ranking functions. In: Proceedings of the 5thinternational conference on VMCAI, Jan 2004, Venice, Italy,

This research is partially supported by NSF under the Grant 0965024.Any opinions, findings, and conclusions or recommendations expressedin this material are those of the author(s) and do not necessarily reflectthe views of the National Science Foundation.

A preliminary version of this paper appears in proceedings of SAS2012.

H. Y. Chen (B) · S. MukhopadhyayDepartment of Computer Science, Louisiana State University,Baton Rouge, LA 70803, USAe-mail: hchen11@lsu.edu

S. Mukhopadhyaye-mail: supratik@csc.lsu.edu

S. FlurDepartment of Computer Science, The Technion, 32000 Haifa, Israele-mail: fshaked@cs.technion.ac.il

pp 239–251, 2004). We have implemented a prototype of themethod and have shown experimental evidence of the effec-tiveness of our method.

Keywords Termination · Linear simple loops ·Disjunctive ranking relations · Static analysis

1 Introduction

Termination proof synthesis for simple loops, i.e., loopswith only variable updates in the loop body, is the build-ing block of liveness analysis of complex imperative systems[9,15,16,21–23,25,26]. In particular, we consider a subclassof simple loops which contain only linear updates with theflexibility of handling non-determinism. We call them lin-ear simple loops (LSLs). LSLs are interesting because mostloops in practice are indeed linear; more importantly, withthe capability to handle non-determinism LSLs are expres-sive enough to serve as a foundational model for other sim-ple loops. It is well known that [30] termination of simpleloops with linear guards and linear assignments (they formthe deterministic subclass of LSL) over rationals or realsis decidable. The termination problem for “homogeneouscases” over integers, of the deterministic LSL subclass isalso decidable [8]. However, when we reduce the analysis ofa complex system to that of an LSL, knowing whether or notthe LSL terminates is not enough, we often need to obtaina termination proof, such as a ranking function or a rankingrelation, that the overall analysis can build upon [9,15,16,21–23,25,26]. When it comes to finding termination proofs forLSLs, Podelski and Rybalchenko’s technique [24] can gener-ate a linear ranking function if there exists one. This methodis based on Farkas’s lemma [29] that provides a technique toderive hidden constraints from a system of linear inequalities.The method is complete when LSLs range over rationals or

123

H. Y. Chen et al.

reals. However, if a terminating LSL has only non-linearranking functions, this method will return failure. In thispaper, we extend the method of Podelski and Rybalchenko,and solve cases for which only non-linear ranking functionsexist.

Our approach is closely related to the previous work on ter-mination proof synthesis based on disjunctive ranking rela-tions. The traditional method for proving program termina-tion, proposed by Turing [31], relies on proving R ⊆ τ( f ),where R is the program’s transition relation, τ( f ) is a rank-ing relation given by a ranking function f . The difficultywith Turing’s method is that a single ranking function is usu-ally hard to find. With LSLs in particular, non-linear rankingfunctions are often difficult to synthesize. To address thisproblem Podelski and Rybalchenko proposed [25] provingR+ ⊆ τ( f1) ∪ · · · ∪ τ( fn), where R+ is the transitive clo-sure of R, and τ( f1)∪· · ·∪τ( fn) is a finite union of rankingrelations. Many recent approaches for proving terminationfor general programs are based on disjunctive ranking rela-tions [1–3,16,17,22,23,26]. In this paper, instead of trying tosynthesize a single non-linear ranking function, we generatedisjunctive linear ranking functions and check the validity ofR+ ⊆ τ( f1) ∪ · · · ∪ τ( fn).

To be able to apply the disjunctive ranking relation proofrule [25], we need the technique of binary reachability check(BRC). That is, given a disjunctive ranking relation T , weneed to prove or disprove the inclusion R+ ⊆ T . We use thetechnique developed by the Terminator team [16] to checkthis inclusion. Their approach is to syntactically transformthe program so that binary reachability check is reduced tounary reachability check, which is a well-studied task andcan be carried out on any temporal safety checker. Moreover,if the validity of R+ ⊆ T is not satisfied, the constructionof the transformed program will enable the safety checkerto generate an error path that violates the inclusion. In ourproblem setting, if the input to BRC is an LSL, the error pathwill induce a new LSL which is an unrolling of the originalLSL. Thus, we can repeatedly check for binary reachabilityand expand the current disjunctive ranking relation.

In this paper, we provide a method for automatically gen-erating disjunctive ranking relations as proofs of (universal)termination for LSLs. Roughly speaking, the idea is to repeat-edly generate linear ranking functions fi ’s on partitions ofthe state space until R ⊆ ⋃

τ( fi ). However this does not suf-fice as a termination proof, since the inclusion should referto R+ and not to R. For a termination proof we leverageBRC; if R+ ⊆ ⋃

τ( fi ) is satisfied, it returns success; if not,BRC provides a new LSL, and we look for the next series ofranking functions f j ’s. We then again check for the inclusionR+ ⊆ ⋃

τ( fi ) ∪ ⋃τ( f j ). This process continues until we

successfully find an over-approximation of R+. The questionthat remains is how to effectively find the sub-space for whicha linear ranking function exists. To answer this question, we

resort to the simple fact that when variables range over Z

and updates are deterministic, two constraints x ≥ b andx > x ′, where b is a number, x ′ represents the value of x afterone transition, guarantees x to be a ranking function. Simi-larly, whenever we have a constraint of the form ϕ ≥ b, wepartition the state space by constraint ϕ > Shift(ϕ) (func-tion Shift is formally defined in Sect. 4.2) and its negationϕ ≤ Shift(ϕ). When the variables range over Q or R, orupdates are non-deterministic, more complicated partitionneeds to be performed, as is described in Sects. 3.2 and 4.2.

Lastly, we provide experimental results showing that ourmethod outperforms both linear ranking function synthesis[24] and polyranking method [7] on a suite of LSL examplesprovided in [10].

The rest of the paper is organized as follows. After review-ing the preliminaries in Sect. 2, we will demonstrate ourapproach with an example in Sect. 3. In Sect. 4, we describethe algorithm formally and prove its correctness. Section 5provides experimental results for an LSL benchmark. Andlastly, Sect. 6 concludes the paper.

1.1 Changes from earlier version

The first version of this paper was published in the LNCSconference proceedings of SAS’12. In the current version,we added the proofs for Theorem 1, Lemma 1, Theorems2 and 3, making the presentation more complete. We alsoadded to the Experiments section (Sect. 5) comparison withone more tool, namely Terminator [16].

1.2 Related work

In addition to the work mentioned above, other related worksinclude the method of proving conditional termination devel-oped by Cook et al. [14], which first finds potential rankingfunctions then solves for the sub-space that guarantees thepotential ranking function to be a true ranking function.

Instead of simple loops, Colón and Sipma’s work on linearloops with multiple paths and assertional transition relationsattempts to synthesize linear ranking functions via polyhedralmanipulation in [12,13]. Bradley et al. show how to synthe-size lexicographic linear ranking functions with supportinglinear invariants over loops with linear assertional transitionrelations in [5].

Another related topic is the termination principle forpolyranking functions provided by Bradley et al. A polyrank-ing function need not always decrease but decreases eventu-ally. It is a generalization of the regular polynomial rank-ing function. In [6], the authors show a method for findingbounded expressions that are eventually negative over loopswith parallel transitions. In [7], the authors demonstrate amethod to synthesize lexicographic linear polyranking func-tions with supporting linear invariants over linear loops.

123

Termination proofs for linear simple loops

In contrast with loops without control statements that weaddress in this paper, Gulwani et al. [20] compute symbolicbounds for multiple path loops and nested loops using controlflow refinement. Moreover, their approach does not providea termination proof in terms of disjunctive ranking relations.

For proving termination of an LSL, Terminator [16] wouldfirst invoke the linear ranking function synthesis algorithm[24]. Once the algorithm fails to return a linear ranking func-tion, Terminator provides a counterexample by unrolling theloop once. The linear ranking function synthesis algorithm isagain invoked on this counterexample; if it still fails a coun-terexample is provided by unrolling the loop twice and theprocess continues. If the process succeeds, it is checked ifthe transitive closure of the transitive relation is included inthe ranking relation obtained. In contrast, we “partition” theinput space of the program in such a way that the program hasa linear ranking function when each partition is consideredas the “input space”; the “global” ranking relation is thenthe disjunction of the ranking relations corresponding to theindividual ranking functions.

In [18], Cousot uses Lagrangian relaxation (instead ofFarkas’ lemma) to provide termination proofs (and invari-ance) for loops with more general expressions than that han-dled by Podelski et al. in [24]. His approach is sound yet notcomplete. In [19], Cousot et al. present an abstract interpreta-tion approach for proving termination, using trace segments,which are stronger than the usual representation of binarytransition relation. Our approach also considers a conceptsimilar to trace segments. We use counter examples to guideus to the “trace segments” in question.

2 Preliminaries

2.1 Loop model and semantics

Through out this paper, all variables range over domain Z, Q,or R. The following definition provides the syntax of LSLs.

Definition 1 (Linear simple loops) A linear simple loopover program variables X0 = (x1, x2, . . . , xm) and itsn copies X1, X2, . . . , Xn (m, n ≥ 1) is a tuple L =〈Cond,Update, i, j〉 where

– Cond is a set of linear constraints of the formai Xi b ( ∈ {<,≤,=,≥,>}).

– Update is a set of linear constraints of the form a0

X0 + · · · + an Xn b ( ∈ {<,≤,=,≥,>}).– i and j are integers and 0 ≤ i < j ≤ n.– ak and b are coefficients that range over Z or Q.

We sometime refer to Cond and Update as loop condi-tions and loop updates, respectively. Intuitively, L describesunrolling of a loop (and maybe some extra constraints) witha back edge from j to i .

The formal semantics of LSLs is defined as follows. LetL = 〈Cond,Update, i, j〉 be an LSL over variables X0

and its n copies X1, X2, . . . , Xn . An (n + 1)-trace of L isa tuple (s0, s1, . . . , sn) such that all the constraints in Condand Update are satisfied simultaneously when assigning s0

to X0, s1 to X1, …, and sn to Xn . We denote by Rn+1(L)the set of all (n + 1)-traces of L and R(L) the relation Ldescribes.

R(L) = {(si , s j ) | (s0, s1, . . . , sn) ∈ Rn+1(L)}The most simple LSL L = 〈Cond,Update, 0, 1〉

involves only X0 and X1. Without explicitly stating i andj , by default we assume i = 0, j = 1. An L =〈Cond,Update, 0, 1〉 describes a transition relation froma state that is before a transition (given by X0) to the corre-sponding state that is after the transition (given by X1). Forexample, the following while loop

while (x > 0)

x := x − 1;can be rewritten as the following LSL

L1 � 〈{x0 > 0}, {x1 = x0 − 1}, 0, 1〉An L = 〈Cond,Update, 0, 1〉 can also have more than

two copies of variables. For example,

L2 � 〈{x0 > 0},{x1 = x0 − 1, x1 > 0, x2 = x1 − 1, x2 ≤ 0}, 0, 2〉

X1 and X0 represent the values of the variable X after andbefore a transition, respectively. The constraint x2 ≤ 0restrains the input space of L2 to x0 ∈ {2}. Note that x0 = 1is not in our input space, since there does not exist x1 andx2 satisfying L2. In our approach, we add such constraintsover future transition states such that the restrained LSL isguaranteed to have a linear ranking function.

An LSL L = 〈Cond,Update, 0, k〉 describes a transitionrelation between X0 and Xk . For example, in

L3 � 〈{x0 > 0, }, {x1 = x0 − 1, x1>0, x2 = x1−1}, 0, 2〉the transition pairs described by L3 include: (5, 3), (4, 2),(3, 1), …. We often use L = 〈Cond,Update, 0, k〉 whenwe are looking at the k-th unrolling of some L ′ =〈Cond′

,Update′, 0, 1〉.

To further generalize our loop model, we provide the abil-ity not only to look ahead, but also to look back.

L4 � 〈{x1 > 0},{x0 > 0, x1 = x0 − 1, x2 = x1 − 1, x2 ≤ 0}, 1, 2〉

Despite having the same constraints as in L2, the input spaceof L4(1, 2) is x1 ∈ {1}.

Note that LSLs allow non-determinism. To be specific,we can have linear expressions on both sides of an update

123

H. Y. Chen et al.

statement, and inequalities instead of equal relation. Thisgives us more flexibility to model non-deterministic inputsor non-linear operations. For example, we can have an LSLsuch as

L5 � 〈{x0 > 0}, {x0 + x1 ≤ 1}, 0, 1〉that cannot be expressed in any conventional programminglanguage.

2.2 Disjunctive ranking relations

Definition 2 (Well-ordered sets) A set D is well ordered withrespect to a relation < if,

1. < is a strict total ordered and,2. There is no infinite sequence d0, d1, d2, . . . of elements

in D such that di+1 < di for every i ∈ N.

Definition 3 (Ranking functions) Given a transition relationR ⊆ S × S, a function r : S → D is a ranking function, ifD is a well-ordered set and for every (s1, s2) ∈ R we haver(s2) < r(s1), where < is the well order associated with D.

A ranking function is called linear (linear ranking func-tion) if r is linear.

Definition 4 (Ranking relations) Given a ranking functionr : S → D, we define the corresponding ranking relation by

τ(r) = {(s1, s2) | r(s2) < r(s1)}where < is the well order associated with D.

Definition 5 (Disjunctive ranking relations) A disjunctiveranking relation T is a finite union of ranking relations. Thatis,

T = T1 ∪ · · · ∪ Tn

where Ti is a ranking relation for 1 ≤ i ≤ n, n ∈ N

The relation between disjunctive ranking relations and ter-mination has been established in [25] using Ramsey’s Theo-rem [27]. Let P be a program, R be the corresponding transi-tion relation induced by P , R+ be the non-reflexive transitiveclosure of R, then P is terminating if and only if

R+ ⊆ T

for some disjunctive ranking relation T .

2.3 Binary reachability check

Given an LSL L and a disjunctive ranking relation T , the goalof binary reachability check is to verify whether R+(L) ⊆ T .If yes, the procedure returns “true”. Otherwise, the procedurereturns an error path which induces a new LSL L ′ such thatL ′ is an unrolling of L and R(L ′) � T . The input and output

of procedure BRC are described as follows (see [16] for moredetails):inputLSL L , disjunctive ranking relation Toutputif (R+(L) ⊆ T ) return “true”else return LSL L ′ such that L ′ is an unrolling of L andR(L ′) � T

2.4 Simple linear ranking function synthesis

The following theorem is proved in [24].

Theorem An LSL given by the system (A0 A1)(x0

x1

) ≤ b (i.e.i = 0, j = 1) is terminating if there exist non-negative vec-tors λ1, λ2 over rationals such that the following system issatisfiable:

λ1 A1 = 0 (1)

(λ1 − λ2)(A0) = 0 (2)

λ2(A0 + A1) = 0 (3)

λ2b < 0 (4)

Moreover, the LSL has a linear ranking function of theform

ρ(X0) ={

r X0 if exists X1 such that (A0 A1)(x0

x1

) ≤ bδ0 − δ otherwise

where r � λ2 A1, δ0 � −λ1b, and δ � −λ2b.

We will extend this method in Sect. 4 so that it works for thegeneral form of LSLs.

3 Example

We first demonstrate our technique with a simple determinis-tic LSL over the integers. Then we will extend our techniquefor non-deterministic updates and rational/real variables.

3.1 Deterministic updates over integer domain

Consider the while loop in Fig. 1. It has only three simpleassignments, but it is not obvious whether it is terminating.It is easy to see that the traces of z are composed of two alter-nating numbers, one negative the other non-negative, andthat the negative number has a higher value. The variable y

Fig. 1 Example

123

Termination proofs for linear simple loops

always gets assigned to value of z from the previous state.Hence it behaves like z, except being one step behind. Thevariable x increments itself with y. Therefore, x will alterna-tively increase (or stay unchanged) and decrease. Moreoverthe decrease is larger than the increase, hence x will eventu-ally become negative and the loop will terminate.

Let us first convert the while loop above to an LSL.

L = 〈{x0 ≥ 0}, {x1 = x0 + y0,

y1 = z0, z1 = −z0 − 1}, 0, 1〉If we apply the method of Sect. 2.4 to L , it will return failure,since L does not have a linear ranking function. As men-tioned earlier, we want to construct multiple linear rankingfunctions, each of them over a restrained input space. Wedo this by adding constraints to L such that the new LSL isguaranteed to have a linear ranking function. From CondL ,we see that we already have the linear expression x0 that isbounded, i.e., x0 ≥ 0. If we add to L a constraint x0 > x1,then we know x0 can serve as a ranking function for therestrained LSL because x0 has a lower bound and is strictlydecreasing, which is a sufficient condition for x0 to becomea ranking function over the integer domain.

We partition L into two LSLs L1.1 and L1.2 such that L1.1

is obtained by combining L with constraint x0 > x1, andL1.2 is obtained by combining L with the negation of theconstraint, namely x0 ≤ x1.

L1.1 = 〈CondL ,UpdateL ∪ {x0 > x1}, (trivial case) 0, 1〉L1.2 = 〈CondL ,UpdateL ∪ {x0 ≤ x1},

(synthesis case) 0, 1〉We call L1.1 the trivial case, since we immediately obtain alinear ranking function from it.

ρ1(X0) =

{x0 if ∃X1 such that X0, X1 satisfies L1.1

−1 otherwise

We call L1.2 the synthesis case, since it needs further exam-ination. We call CondL the Seed for partitioning L .

From this point onwards, we only need to take care of L1.2.First, we check whether L1.2 has a linear ranking functionalready. In this particular case, we find out that this is nottrue. Next, we would like to repeat the earlier process onL1.2, i.e., adding constraints to L1.2 such that a linear rankingfunction must exist. Since L1.2 already includes x0 ≤ x1,using x0 ≥ 0 ∧ x0 > x1 again will no longer make sense.However, we observe that the new constraint in L1.2 gives anew linear expression that is bounded below, i.e., x1 ≥ x0.This constraint will become our new Seed, and we can use itto partition L1.2. This time we use the constraint (x1 − x0) >

(x2 − x1) and its negation for partitioning.At this point a new issue arises, x2 is introduced to denote

the value of x after one transition from x1. However fromL1.2 alone, there is no such information about x2. To remedy

this situation, we first need to unroll L so that the unrolledtransition involves x2. We do this by making a copy of all theloop constraints in L , then changing X1 to X2, X0 to X1 (theprocess is formally described by Unroll(L) in Sect. 4). Weget L2 as follows.

L ′ = Unroll2(L)

= 〈{x0 ≥ 0}, {x1 = x0 + y0, y1 = z0, z1 = −z0 − 1,

x1 ≥ 0, x2 = x1 + y1, y2 = z1, z2 =−z1−1}, 0, 1〉L2 = 〈CondL ′ ,UpdateL ′ ∪ Seed, 0, 1〉

= 〈{x0 ≥ 0}, {x1 = x0 + y0, y1 = z0, z1 = −z0 − 1,

x1 ≥ 0, x2 = x1 + y1, y2 = z1, z2 = −z1 − 1}∪ {x1 ≥ x0}, 0, 1〉

Now we can partition L2 using the constraint mentionedabove.

L2.1 = 〈CondL2 , (trivial case)

UpdateL2 ∪{(x1 − x0) > (x2 − x1)}, 0, 1〉

L2.2 = 〈CondL2 , (synthesis case)

UpdateL2 ∪{(x1 − x0) ≤ (x2 − x1)}, 0, 1〉

L2.1 is again the trivial case, where a linear ranking functionis guaranteed

ρ2(X0) =

⎧⎨

⎩

x1 − x0 = y0 if ∃X1, X2 such thatX0, X1, X2 satisfies L2.1

0 otherwise

Now we check whether the synthesis case has a linearranking function. Notice that this time we can not use themethod described in Sect. 2.4 any more, since now the syn-thesis case LSL involves X2. In Sect. 4, we describe a gen-eral ranking function synthesis method which can handle thisgeneral form of LSLs. If we feed L2.2 to the method in Sect.4, we get the following linear ranking function.

ρ3(X0) =

⎧⎨

⎩

2x0 + z0 if ∃X1, X2 such thatX0, X1, X2 satisfies L2.2

−1 otherwise

As shown in Fig. 2, up to this point we have divided Linto three LSLs, L1.1, L2.1, and L2.2. Each of these three hasa linear ranking function. Let T = τ(ρ1) ∪ τ(ρ2) ∪ τ(ρ3).Theorem 2 in Sect. 4 shows us that R(L) ⊆ T . That is, anytwo consecutive states form a pair that belongs to T .

Recall that our goal is to find a T such that R+(L) ⊆T . We first check whether the T we found already satisfiesR+(L) ⊆ T . As it turns out for this particular case, it is not.BRC gives an error path that executes L twice. Therefore,swe get a new LSL L ′′ that unrolls L twice and L ′′ describesa relation from X0 to X2.

123

H. Y. Chen et al.

Fig. 2 Execution ofL � 〈{x0 ≥ 0}, {x1 = x0 + y0,

y1 = z0, z1 = −z0 − 1}, 0, 1〉

L ′′ = Unroll2(L) with iL ′′ = 0, jL ′′ = 2

Note L ′′ has the same set of constraints as L ′, but has differentbackedge. We feed L ′′ to the method described in Sect. 4.1.It shows that L ′′ has a linear ranking function already.

ρ4(X0) =

⎧⎨

⎩

x0 + y0 if ∃X1, X2 such thatX0, X1, X2 satisfies L ′

−1 otherwise

Again we update T by T = T ∪ τ(ρ4) and this time thetest R+(L) ⊆ T succeeds, i.e., we have successfully founda disjunctive ranking relation T for the original LSL L .

3.2 Variables over Q or R and non-deterministic updates

Notice that when variables range over Q or R, the two con-straints ϕ ≥ b and ϕ > ϕ′ (ϕ′ denotes the formula ϕ withthe addition of prime to every variable in ϕ, for more detailssee function Shift in Sect. 4.2) can no longer guarantee ϕto be a linear ranking function. One way to remedy that isto pick a small positive value c and partition the state spaceby ϕ − Shift(ϕ) > c and its negation ϕ − Shift(ϕ) ≤ c.Similar to the integer example, the former constraint will gen-erate the trivial case, and the latter constraint will generatethe synthesis case.

Another way is to still partition with ϕ > Shift(ϕ) andits negation ϕ ≤ Shift(ϕ). However, since the former canno longer generate a trivial case, we need to continue thepartition process on the trivial case as well.

Non-deterministic updates are also an issue. If we lookat ranking function ρ2 above, the expression y0 originatesfrom the expression x1 − x0. We cannot use x1 − x0 directlybecause the ranking functions need to be expressed in termsof X0. With deterministic updates, we can get rid of x1 bysubstituting it with x0 + y0. With non-deterministic updates,we may not be able to simplify the expression in this man-ner. Therefore, we need to apply Theorem 1 in Sect. 4.1 togenerate ranking functions on X0 only, and when we fail tofind one, we need to partition the trivial case further. In ouralgorithm shown in Fig. 4, this is the approach we take in allsituations.

4 Algorithm for synthesizing disjunctive rankingrelations

4.1 Extended linear ranking function synthesis

Let A denote the row vector (A0 · · · Ai · · · A j · · · An), Ai

denote the i-th element Ai , A−i denote the row vector with allbut the i-th element (A0 · · · Ai−1 Ai+1 · · · A j · · · An). Sim-ilarly, we define column vectors X, Xi , and X−i . Then weprove the following theorem.

Theorem 1 An LSL L = 〈Cond,Update, i, j〉 given bythe system AX ≤ b is terminating if there exist non-negativevectors λ1, λ2 over rationals such that the following systemis satisfied:

λ1A−i = 0 (1)

λ2A−i,− j = 0 (2)

(λ1 − λ2)Ai = 0 (3)

λ2(Ai + A j ) = 0 (4)

λ2b < 0 (5)

Moreover, the LSL has a linear ranking function of the form

ρ(Xi ) ={

r Xi if exists X j such that (Xi , X j ) ∈ R(L)δ0 − δ otherwise

where r � λ2A j , δ0 � −λ1b, and δ � −λ2b.

Proof Let the pair of non-negative vectors λ1 and λ2 be asolution of the system (1)–(5). For every X satisfying AX ≤b, by assumption λ1 ≥ 0, we have λ1AX ≤ λ1b. We carryout the following sequence of transformations.

λ1A−i X−i + λ1Ai Xi ≤ λ1b

λ1Ai Xi ≤ λ1b by (1)

123

Termination proofs for linear simple loops

λ2Ai Xi ≤ λ1b by (3)

−λ2A j Xi ≤ λ1b by (4)

From the assumption λ2 ≥ 0, we have λ2AX ≤ λ2b. Wecarry out the following sequence of transformations.

λ2A−i,− j X−i,− j + λ2Ai Xi + λ2A j X j ≤ λ2b

λ2Ai Xi + λ2A j X j ≤ λ2b by (2)

−λ2A j Xi + λ2A j X j ≤ λ2b by (4)

We define r � λ2A j , δ0 � −λ1b, δ � −λ2b and then wehave,

rXi ≥ δ0 (a)

rXi − rX j ≥ δ (b)

Lastly by (5), we have

δ > 0 (c)

We define a function ρ(Xi ) as stated in the theorem. By (a),(b), and (c) we conclude that ρ(Xi )must be a linear rankingfunction for the system L(i, j). ��

Note that Theorem 1 cannot be replaced using the Theo-rem in Sect. 2.4 because Theorem 1 guarantees to generateranking functions expressed in Xi only, while the originaltheorem does not. The proof is given in the Appendix. Just asin [24], the converse of the above theorem is true for rationalsand reals. Since this paper does not focus on the applicationof the converse theorem, we do not elaborate it here.

4.2 Formal description

To help describe the algorithm, we need to define a few nota-tions here. We start by defining Shift, which is the process oftransforming constraint from a certain copy of X to a highercopy. It does so by incrementing the superscript of each Xi .For example, Shift(x0 − x1 < 1) = x1 − x2 < 1.

Definition 6 (Shift) Given a linear combination ψ : a0 X0 +a1 X1 + · · · + an Xn , a linear constraint ϕ : ψ ≤ b, a set oflinear constraints C , where b ∈ Z, we define

Shift(ψ) � a0 X1 + a1 X2 + · · · + an Xn+1

Shift1(ϕ) � Shift(ψ) ≤ b

Shiftk+1(ϕ) � Shiftk(Shift(ψ) ≤ b)

Shiftk(C) � {Shiftk(ϕ) | ϕ ∈ C}

Next, we define function Unroll. This function producesan LSL with the same traces as the original, but with morecopies of X . It does so by adding Shift of the constraints toitself. Note that function Unroll is used in the partitioningprocess (see L ′ in Sect. 3.1). The BRC procedure also unrollsan LSL (see L ′′ in Sect. 3.1). The only difference betweenthe two unrolling is that BRC changes the value of j to thenumber of iterations in the error path.

Definition 7 (Unroll) Given a set of linear constraints C , anLSL L = 〈Cond, Update, i, j〉, we define

Unroll1,d (C) � C

Unrollk+1,d (C) � C ∪ Shiftd (Unrollk,d (C))

Unrollk(L) � 〈Cond,Unrollk, j−i (Cond ∪ Update), i, j〉Lastly, we define function Diff. This function creates

new constraints that we use to partition the original LSL.It does so by taking constraint, shifting it and then bindingthe constraint and its shift with > or ≤. For instance, forconstraint ϕ : x0 ≤ 0 we have Diff1,>(ϕ) = x1 > x0 andDiff1,≤(ϕ) = x1 ≤ x0.

Definition 8 (Diff) Given a linear constraint ϕ : ψ ≤ b andset of constraints Seed, where b ∈ Z. We define

Diffi,∼(ϕ) � Shifti (ψ) ∼ ψ

Diffi,∼(Seed) � {Diffi,∼(ϕ) | ϕ ∈ Seed}where ∼ is one of {>,≤}.

Now we give two procedures main and DRR (for “dis-junctive ranking relation”). DRR, described in Fig. 4, is arecursive procedure, that given an LSL L returns a disjunc-tive ranking relation T such that R(L) ⊆ T . Procedure Main,described in Fig. 3, repeatedly calls DRR while R+(L) � T ,each time feeding DRR with an unrolling of the original L .

Suppose that DRR is called recursively k times with inputs(L1, Seed1), (L2, Seed2), …, (Lk, Seedk). If the linear rank-ing function synthesis for Lk succeeds and return the para-meters r, δ0, δ the following is the ranking function we use,

Fig. 3 Procedure main

123

H. Y. Chen et al.

Fig. 4 Procedure DRR

ρk(X) =

⎧⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎨

⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎪⎩

r(X) if exists X1 such that(X, X1) ∈ R(Lk) [case-0]

δ0 − δ else if exists X1 such that(X, X1) ∈ R(Lk−1) [case-1]

δ0 − 2δ else if exists X1 such that(X, X1) ∈ R(Lk−2) [case-2]

......

δ0 − (k − 1)δ else if exists X1 such that(X, X1) ∈ R(L1) [case-(k-1)]

δ0 − kδ otherwise [case-k](#)

4.3 Correctness proof

Theorem 2 insures the disjunctive ranking relation returnedby DRR is large enough to contain the transition relation ofthe input LSL. This, in turn, insures that BRC will give anew counterexample for each iteration (until R+(L) ⊆ T )and the termination condition converges towards a solution.The Proof of Theorem 2 relies on Lemma 1. Lastly Theorem3 asserts the correctness of the algorithm. All the proofs areprovided in the appendix.

Lemma 1 Let s0, . . . , s j , . . . , sm· j be an (m · j + 1)-traceof some L = 〈Cond, Update, 0, j〉 and let Seed be overX0, . . . , Xm·( j−1). If DRR is called with L and Seed as inputand it succeeds then (s0, s j ) is contained in the return set ofDRR.

Proof We prove the claim by induction on the recursiondepth.

Base: No recursion, i.e., the synthesizer synthesized a rank-ing function for L . By the correctness of the rankingfunction synthesizer it follows that (s0, s j ) ∈ T

Step: We separate the proof into two cases:

1. Exists sm· j +1, . . . , sm·( j+1) such thats0, . . . , sm·( j+1) is an (m·( j+1)+1)-trace of Unroll j (L).This case is further refined into two sub-cases:

(a) Exists ϕ ∈ Seed such that s0, . . . , sm·( j+1) satisfyDiff j,>(ϕ). In this case, by the induction hypothesis,(s0, s j )will be in the return value of the recursive callto DRR for ϕ and therefore (s0, s j ) ∈ T .

(b) s0, . . . , sm·( j+1) satisfy Diff j,≤(ϕ) for all ϕ ∈ Seed.In this case, by the induction hypothesis, (s0, s j )willbe in the return value of the last recursive call to DRRand therefore (s0, s j ) ∈ T .

2. There does not exist sm· j + 1, . . . , sm·( j+1) such thats0, . . . , sm·( j+1) is an (m·( j+1)+1)-trace of Unroll j (L).In this case s0 is assigned a value by the ranking functionlabeled (�) from a case that supersede the case the func-tion assign to s j and therefore s0 gets a higher ranking.It follows that (s0, s j ) ∈ T . ��

Theorem 2 Suppose that DRR is called with input (L =〈Cond,Update, 0, j〉, Seed) where L is over X0, . . . , X j

and Seed = CondL . If DRR terminates successfully withreturn value T then R(L) ⊆ T .

Proof Assume that DRR with input (L =〈Cond,Update, 0,j〉, Seed) terminates successfully. Let (s0, s j ) ∈ R(L). Bythe definition of R(L), there exists s1, . . . , s j−1 such thats0, . . . , s j be a ( j + 1)-trace of L . It follows immediatelyfrom Lemma 1 that (s0, s j ) is contained in the return set ofDRR. ��Theorem 3 If procedure Main terminates successfully on aprogram P, then P terminates and has a disjunctive linearranking relation T .

Proof If procedure Main terminates successfully on programP then we have found a disjunctive ranking relation T suchthat R+(P) ⊆ T . As shown in [25], this is a sufficient con-dition for the termination of P and therefore P terminates.

��

4.4 Termination and complexity of the algorithm

The procedures Main and DRR as given in this section maynot always terminate, in particular when the input LSL is notterminating. When implemented we need to bound the recur-sion depth of DRR and the number of iterations of the mainloop. When the input LSL is deterministic and the variablesrange over Z, the recursive calls to DRR for each ϕ ∈ Seedwill succeed with no further calls and, therefore, the numberof calls to DRR will be linear in the depth bound. When theLSL is non-deterministic or the variables range over Q orR, the number of calls to DRR in the worst case is expo-nential in the depth bound. Finally, we note that the LSL

123

Termination proofs for linear simple loops

Table 1 Experiment results

# Terminating Linear Polyrank Terminator Ours BRC DRR Failed Proc

1 Yes No No No No – – DRR

2 Yes Yes Yes Yes Yes 0 1 –

3 Yes Yes Yes Yes Yes 0 1 –

4 Yes Yes Yes Yes Yes 0 1 –

5 Yes Yes No Yes Yes 0 1 –

6 Yes No No No Yes 0 2 –

7 No – – – – – – DRR

8 No – – – – – – DRR

9 No – – – – – – DRR

10 No – – – – – – DRR

11 Yes No No No No – – DRR

12 Yes No No No Yes 0 2 –

13 Yes No No No Yes 0 2 –

14 Yes No No No Yes 0 2 –

15 Yes Yes No Yes Yes 0 1 –

16 No – – – – – – DRR

17 No – – – – – – DRR

18 Yes No No No Yes 0 2 –

19 No – – – – – – DRR

20 No – – – – – – DRR

21 Yes No No No Yes 0 2 -

22 No – – – – – – DRR

23 Yes No No No Yes 0 2 -

24 Yes No No No Yes 0 2 -

25 Yes Yes Yes Yes Yes 0 1 -

26 Yes No No No Yes 0 2 -

27 Yes No No No Yes 0 2 -

28 Yes No No No Yes 0 2 -

29 No – – – – – – DRR

30 Yes No No No No ∞ 3 BRC

31 Yes No No No Yes 0 2 –

32 Yes No No No Yes 0 2 –

33 No – – – – – – DRR

34 Yes No No No Yes 1 3 –

35 Yes No No No Yes 0 2 –

36 Yes No No No Yes 0 2 –

37 Yes Yes Yes Yes Yes 0 1 –

38 Yes No No No Yes 0 2 –

Unrollk(L) has k times as many constraints and variables asin L .

5 Experiments

We created a test suite of LSL loops. To our knowledge it isthe first LSL test suite. The loops are collected from otherresearch work [4–6,8,11,12,14,24,25,30] and real code. The

test suite is still growing. At the time of our submission, itcontains 38 LSL loops. Among them 11 are non-terminatingloops, 7 are terminating with linear ranking functions, 20 areterminating with non-linear ranking functions. Moreover, 6are non-deterministic, 32 are deterministic, 5 have 1 variable,22 have 2 variables, 10 have 3 variables, and one has 4 vari-ables. All loops are executed over domain Z. The test suiteas well as the implementation are available at [10].

123

H. Y. Chen et al.

We compared our method to linear ranking functionsynthesis method [24] using the implementation found in[28], the polyranking method [7] using the implementa-tion found in [4], and Terminator [16]. Detailed experi-mental results are provided in Table 1. The “Terminating”columns indicate whether the LSL terminates. The columnsof “Linear”, “Polyrank”, “Terminator”, and “Ours” indi-cate whether the methods of Podelski et al.’s linear rankingfunction synthesis method [24], Bradley et al.’s polyrank-ing method [7], Cook et al.’s Terminator method andours, respectively, have successfully found a terminationproof or run overtime. The “BRC” column states the num-ber of times procedure BRC was called and the “DRR” col-umn states the accumulative depth of DRR recursion. The“Failed Proc” column indicates which procedure, Main orDRR, failed terminating if the whole process failed to ter-minate. Since the runtime for all three methods was in themagnitude of a few milliseconds we omitted it from thetable.

As shown in the table, our method considerably outper-formed the other two methods. We succeed for all sevenloops with a linear ranking function. Out of the 20 termi-nating loops that have no linear ranking function we aresuccessful for 17. For all non-terminating loops, the exe-cution needs to be manually terminated. Except for oneloop, all the proof searches fail in procedure DRR. Incomparison, the linear ranking function synthesis method[24] succeeds for all the seven loops with a linear rank-ing function; it fails to find a termination proof for all the20 examples among the rest that were terminating. Thepolyranking method [7] succeeds in proving termination forfive out of the seven examples with a linear ranking func-tion; it fails to find a termination proof for all the 20 exam-ples among the rest that were terminating. We set the treedepth to be 100 for the polyranking method. Terminatorsucceeds for all the seven loops with linear ranking func-tions, fails for all the 20 examples with non-linear rankingfunctions.

6 Conclusions

This paper describes an automatic method for generating dis-junctive ranking relations for linear simple loops. The methodrepeatedly finds linear ranking functions on restricted statespace until it reaches an over-approximation of the transitiveclosure of the transition relation. As demonstrated experi-mentally, we largely expanded the scope of LSLs that canbe solved. We also extended an existing technique for linearranking function synthesis. The extended method can handlemore general form of LSLs. Another contribution is that wecreated the first LSL test suite.

References

1. Balaban, I., Cohen, A., Pnueli, A.: Ranking abstraction of recursiveprograms. In: Proceedings of the verification, model checking, andabstract interpretation (VMCAI06), pp. 267–281. Springer, Berlin(2006)

2. Berdine, J., Chawdhary, A., Cook, B., Distefano, D., O’Hearn, P.:Variance analyses from invariance analyses. In: Proceedings of the34th annual ACM SIGPLAN-SIGACT symposium on principlesof programming languages (POPL ’07), New York, NY, USA, pp.211–224 (2007) (ISBN 1-59593-575-4)

3. Berdine, J., Cook, B., Distefano, D., OHearn, P. W.: Automatic ter-mination proofs for programs with shape-shifting heaps. In: Pro-ceedings of the 18th international conference on computer aidedverification (CAV), lecture notes in computer science vol. 4144,pp. 386–400 (2006)

4. Bradley, A.R.: polyrank: tools for termination analysis. http://theory.stanford.edu/arbrad/software/polyrank.html (2005)

5. Bradley, A.R., Manna, Z., Sipma, H.B.: Linear ranking with reach-ability. In: Proceedings of the computer aided verification (CAV),pp. 491–504. Springer, Berlin (2005)

6. Bradley, A.R., Manna, Z., Sipma, H.B.: Termination of polyno-mial programs. In: Proceedings of the verification, model check-ing, and abstract interpretation (VMCAI2005), vol. 3385 of LNCS,pp. 113–129. Springer, Berlin (2005)

7. Bradley, A.R., Manna, Z., Sipma, H.B.: The polyranking principle.In: Proceedings of the 32nd international colloquim on automata,languages and programming (ICALP), Lisbon, Portugal, 11–15July 2005, pp. 1349–1361. Springer, Berlin (2005)

8. Braverman, M.: Termination of integer linear programs. In: Pro-ceedings of the 18th international conference on computer aidedverification (CAV), lecture notes in computer science vol. 4144,pp. 372–385 (2006)

9. Chawdhary, A., Cook, B., Gulwani, S., Sagiv, M., HongseokY.:Ranking abstractions, Technical report (2008)

10. Yi Chen, H., Flur, S., Mukhopadhyay, S.: LSL test suite. https://tigerbytes2.lsu.edu/users/hchen11/lsl/

11. Colon, M. , Uribe, T.: Generating finite-state abstractions of reac-tive systems using decision procedures. In:Proceedings of thecomputer aided verification (CAV), pp. 293–304. Springer, Berlin(1998)

12. Colón, M., Sipma, H.: Synthesis of linear ranking functions. In:Proceedings of the 7th international conference on tools and algo-rithms for the construction and analysis of systems (TACAS 2001),pp. 67–81. Springer, London (2001) (ISBN 3-540-41865-2) http://dl.acm.org/citation.cfm?id=646485.694449

13. Colón, M., Sipma, H.: Practical methods for proving program ter-mination. In: Proceedings of the 14th international conference oncomputer aided verification (CAV ’02), pp. 442–454. Springer,London (2002) (ISBN 3-540-43997-8). http://dl.acm.org/citation.cfm?id=647771.734281

14. Cook, B., Gulwani S., Lev-ami, T., Rybalchenko, A., S.: Moolyproving conditional termination. In: Proceedings of the computeraided verification (CAV) lecture notes in computer science vol.5123, pp. 328–340. Springer, Berlin (2008)

15. Cook, B., Podelski, A., Rybalchenko, A.: Abstraction refinementfor termination. In: Proceedings of the static analysis symposium(SAS2005), vol. 3672 of LNCS, pp. 87–101. Springer, Berlin(2005)

16. Cook, B., Podelski, A., Rybalchenko, A.: Termination proofs forsystems code. In: Proceedings of the 2006 ACM SIGPLAN confer-ence on programming language design and implementation (PLDI’06), pp. 415–426. New York, NY, USA, (2006) (ISBN 1-59593-320-4)

123

Termination proofs for linear simple loops

17. Cook, B., Rybalchenko, A.: Proving that programs eventually dosomething good. In: Proceedings of the principles of programminglanguages (POPL06), pp. 265–276. Springer, Berlin (2007)

18. Cousot, P.: Proving program invariance and termination byparametric abstraction, Lagrangian relaxation and semidefiniteprogramming. In: Proceedings of the 6th international confer-ence on verification, model checking and abstract interpretation(VMCAI’05), pp. 1–24. Paris, LNCS 3385, Springer, Berlin (2005)(ISBN 978-3-540-24297-0). doi:10.1007/b105073, http://www.springerlink.com/content/qkufe4uekjgyja4f

19. Cousot, P., Cousot, R.: An abstract interpretation framework fortermination. In: Field, J., Hicks, M. (eds.) Proceedings of the 39thACM SIGPLAN-SIGACT symposium on principles of program-ming languages (POPL), Philadelphia, USA, 22–28 Jan 2012, pp.245–258. ACM (2012) (ISBN 978-1-4503-1083-3)

20. Gulwani, S., Jain, S., Koskinen E.: Control-flow refinement andprogress invariants for bound analysis. SIGPLAN Not. 44, 375–385, (2009) (ISSN 0362–1340)

21. Gulwani, S., Mehra, K.K., Chilimbi, T.: SPEED: precise and effi-cient static estimation of program computational complexity. In:Proceedings of the 36th annual ACM SIGPLAN-SIGACT sym-posium on principles of programming languages (POPL ’09), pp.127–139. New York, NY, USA, ACM (2009) (ISBN 978-1-60558-379-2)

22. Kroening, D., Sharygina, N., Tsitovich, A., Wintersteiger, C., Ter-mination analysis with compositional transition invariants. In: Pro-ceedings of CAV, vol. 6174 of LNCS, pp. 89–103. Springer, Berlin(2010) (ISBN 978-3-642-14294-9)

23. Podelski, A., Rybalchenk, A.: Software model checking of livenessproperties via transition invariants. Technical report (2003)

24. Podelski, A., Rybalchenko, A.: A complete method for the synthe-sis of linear ranking functions. In: Proceedings of the VMCAI, pp.239–251 (2004)

25. Podelski, A., Rybalchenko, A.: Transition invariants. In: Proceed-ings of the LICS, pp. 32–41 (2004)

26. Podelski, A., Rybalchenko, A.: Transition predicate abstraction andfair termination. In: Proceedings of the 32nd ACM SIGPLAN-SIGACT symposium on Principles of programming languages(POPL ’05). ACM (2005)

27. Ramsey, F.P.: On a problem of formal logic. In: Proceedings of theLondon Mathematical Society, vol. 30, pp. 491–504 (1930)

28. RankFinder, A.R.:http://www.mpi-sws.org/ybal/rankfinder/29. Schrijver, A.: Theory of linear and integer programming. Wiley,

New York (1986) (ISBN 0-471-90854-1)30. Tiwari, A.: Termination of linear programs. In: Alur, R., Peled,

D. (eds.) Proceedings of the CAV, vol. 3114 of lecture notes incomputer science, pp. 70–82. Springer, Berlin (2004) (ISBN 3-540-22342-8)

31. Turing, A.M.: Checking a large routine. In: Report of a conferenceon high speed automatic calculating machines, pp. 67–69 (1948)

123