figure a

1 Introduction

Termination Verification by Ranking Functions and CEGIS. Termination verification is a fundamental but challenging problem in program analysis. Termination verification usually involves some well-foundedness arguments. Among them are those methods which synthesize ranking functions [16]: a ranking function assigns a natural number (or an ordinal, more generally) to each program state, in such a way that the assigned values strictly decrease along transition. Existence of such a ranking function witnesses termination, where well-foundedness of the set of natural numbers (or ordinals) is crucially used.

We study synthesis of ranking functions by CounterExample Guided Inductive Synthesis (CEGIS) [29]. CEGIS is an iterative learning model in which a synthesizer and a validator interact to find solutions for given constraints. At each iteration, (1) a synthesizer tries to find a candidate solution from the current examples, and (2) a validator accepts the candidate solution if it is correct, or rejects it providing counterexamples. These counterexamples are then used as part of the next examples (Fig. 1).

CEGIS has been applied not only to program verification tasks (synthesis of inductive invariants [17, 18, 25, 26], that of ranking functions [19], etc.) but also to constraint solving (for CHC [12, 14, 28, 36], for \(\mathrm {pwCSP}\)(\(\mathcal {T}\)) [30, 31], etc.). The success of CEGIS is attributed to the degree of freedom that synthesizers enjoy. In CEGIS, synthesizers receive a set of individual examples that synthesizers can use in various creative and speculative manners (such as machine learning). In contrast, in other methods such as [5,6,7,8, 24, 27], synthesizers receive logical constraints that are much more binding.

Fig. 1.
figure 1

The CEGIS architecture

Full size image

Segmented Synthesis in CEGIS-Based Termination Analysis. The choice of a candidate space for candidate solutions \(\sigma \) is important in CEGIS. A candidate space should be expressive: by limiting a candidate space, the CEGIS architecture may miss a genuine solution. At the same time, complexity should be low: a larger candidate space tends to be more expensive for synthesizers to handle.

This tradeoff is also in the choice of the type of examples: using an expressive example type, a small number of examples can prune a large portion of the candidate space; however, finding such expressive examples tends to be expensive.

In this paper, we use piecewise affine functions as our candidate space for ranking functions. Piecewise affine functions are functions of the form

$$\begin{aligned} f(\widetilde{x}) \quad =\quad {\left\{ \begin{array}{ll} \widetilde{a}_1 \cdot \widetilde{x} + b_1 &{} \widetilde{x} \in L_1 \\ \quad \vdots \\ \widetilde{a}_n \cdot \widetilde{x} + b_n &{} \widetilde{x} \in L_n \end{array}\right. } \end{aligned}$$
(1)

where \(\{ L_1, \dots , L_n \}\) is a partition of the domain of \(f(\widetilde{x})\) such that each \(L_i\) is a polyhedron (i.e. a conjunction of linear inequalities). We say segmented synthesis to emphasize that our synthesis targets are piecewise affine functions with case distinction. Piecewise affine functions stand on a good balance between expressiveness and complexity: the tasks of synthesizers and validators can be reduced to linear programming (LP); at the same time, case distinction allows them to model a variety of situations, especially where there are discontinuities in the function values and/or derivatives.

We use transition examples as our example type (Table 1). Transition examples are pairs of program states that represent transitions; they are much cheaper to handle compared to trace examples (finite traces of executions until termination) used e.g. in [15, 33]. The current work is the first to pursue segmented synthesis of ranking functions with transition examples; see Table 1.

Table 1. Ranking function synthesis by CEGIS
Full size table

Decision Tree Learning for CEGIS-Based Termination Analysis: a Challenge. In this paper, we represent piecewise affine functions (1) by the data structure of decision trees. The data structure suits the CEGIS architecture (Fig. 1): iterative refinement of candidate solutions can be naturally expressed by growing decision trees. The main challenge of this paper is the design of an effective synthesizer for decision trees—such a synthesizer learns decision trees from examples.

In fact, decision tree learning in the CEGIS architecture has already been actively pursued, for the synthesis of invariants as opposed to ranking functions [12, 14, 18, 22, 36]. It is therefore a natural idea to adapt the decision tree learning algorithms used there, from invariants to ranking functions. However, we find that a naive adaptation of those algorithms for invariants does not suffice: they are good at handling state examples that appear in CEGIS for invariants; but they are not good at handling transition examples.

Fig. 2.
figure 2

Decision tree learning

Full size image

More specifically, when decision tree learning is applied to invariant synthesis (Fig. 2a), examples are given in the form of program states labeled as positive or negative. Decision trees are then built by iteratively selecting the best halfspaces—where “best” is in terms of some quality measures—until each leaf contains examples with the same label. One common quality measure used here is an information-theoretic notion of information gain.

We extend this from invariant synthesis to ranking function synthesis where examples are given by transitions instead of states (Fig. 2b). In this case, a major challenge is to cope with examples that cross a border of the current segmentation—such as the transition \(e_4\) crossing the border \(h_1\) in Fig. 2b. Our decision tree learning algorithm should handle such crossing examples, taking into account the constraints imposed on the leaf labels affected by those examples (the affected leaf labels are \(f_1(\widetilde{x})\) and \(f_3(\widetilde{x})\) in the case of \(e_4\)).

Our Algorithm: Cycle-Based Decision Tree Learning for Transition Examples. We use what we call the cycle detection theorem (Theorem 17) as a theoretical tool to handle such crossing examples. The theorem claims the following: if there is no piecewise affine ranking function with the current segmentation of the domain (such as the one in Fig. 2b given by \(h_1\) and \(h_2\)), then this must be caused by a certain type of cycle of constraints, which we call an implicit cycle.

In our decision tree learning algorithm, when we do not find a piecewise affine ranking function with the current segmentation, we find an implicit cycle and refine the segmentation to break the cycle. Once all the implicit cycles are gone, the cycle detection theorem guarantees the existence of a candidate piecewise affine ranking function with the segmentation.

We integrate this decision tree learning algorithm in the CEGIS architecture (Fig. 1) and use it as a synthesizer. Our implementation of this framework gives promising experimental results on existing benchmark sets.

Contribution. Our contribution is summarized as follows.

  • We provide a decision tree-based synthesizer for ranking functions integrated into the CEGIS architecture. Our synthesizer uses transition examples to find candidate piecewise affine ranking functions. A major challenge here, namely handling constraints arising from crossing examples, is coped with by our theoretical observation of the cycle detection theorem.

  • We implement our synthesizer for ranking functions implemented in MuVal and report the experience of using MuVal for termination and non-termination analysis. The experiment results show that MuVal’s performance is comparable to state-of-the-art termination analyzers [7, 10, 13, 21] from Termination Competition 2020, and that MuVal can prove (non-)termination of some benchmarks with which other analyzers struggle.

Organization. Section 2 shows the overview of our method via examples. Section 3 explains our target class of predicate constraint satisfaction problems and how to encode (non-)termination problem into such constraints. In Sect. 4, we review CEGIS architecture, and then explain simplification of examples into positive/negative examples. Section 5 proposes our main contribution, our decision tree-based ranking function synthesizer. Section 6 shows our implementation and experimental results. Related work is discussed in Sect. 7, and we conclude in Sect. 8.

2 Preview by Examples

We present a preview of our method using concrete examples. We start with an overview of the general CEGIS architecture, after which we proceed to our main contribution, namely a decision tree learning algorithm for transition examples.

2.1 Termination Verification by CEGIS

Our method follows the usual workflow of termination verification by CEGIS. It works as follows: given a program, we encode the termination problem into a constraint solving problem, and then use the CEGIS architecture to solve the constraint solving problem.

Encoding the Termination Problem. The first step of our method is to encode the termination problem as the set \(\mathcal {C}\) of constraints.

Example 1

As a running example, consider the following C program.

figure b

The termination problem is encoded as the following constraints.

$$\begin{aligned} x< 0 \wedge x' = x + 1&\implies R(x, x') \end{aligned}$$
(2)
$$\begin{aligned} \lnot (x < 0) \wedge x' = x - 1&\implies R(x, x') . \end{aligned}$$
(3)

Here, R is a predicate variable representing a well-founded relation, and term variables \(x, x'\) are universally quantified implicitly.

The set \(\mathcal {C}\) of constraints claims that the transition relation for the given program is subsumed by a well-founded relation. So, verifying termination is now rephrased as the existence of a solution for \(\mathcal {C}\). Note that we omitted constraints for invariants for simplicity in this example (see Sect. 3 for the full encoding).

Fig. 3.
figure 3

An example of CEGIS iterations

Full size image

Constraint solving by CEGIS. The next step is to solve \(\mathcal {C}\) by CEGIS.

In the CEGIS architecture, a synthesizer and a validator iteratively exchange a set \(\mathcal {E}\) of examples and a candidate solution \(R(x, x')\) for \(\mathcal {C}\). At the moment, we present a rough sketch of CEGIS, leaving the details of our implementation to Sect. 2.2.

Example 2

Figure 3 shows how the CEGIS architecture solves the set \(\mathcal {C}\) of constraints shown in (2) and (3). Figure 3 consists of three pairs of interactions (i)–(vi) between a synthesizer and a validator.

  1. (i)

    The synthesizer takes \(\mathcal {E}= \emptyset \) as a set of examples and returns a candidate solution \(R(x, x') = \bot \) synthesized from \(\mathcal {E}\). In general, candidate solutions are required to satisfy all constraints in \(\mathcal {E}\), but the requirement is vacuously true in this case.

  2. (ii)

    The validator receives the candidate solution and finds out that the candidate solution is not a genuine solution. The validator finds that the assignment \(x = 1, x' = 0\) is a counterexample for (3), and thus adds R(1, 0) to \(\mathcal {E}\) to prevent the same candidate solution in the next iteration.

  3. (iii)

    The synthesizer receives the updated set \(\mathcal {E}= \{ R(1, 0) \}\) of examples, finds a ranking function \(f(x) = x\) for \(\mathcal {E}\) (i.e. for the transition from \(x = 1\) to \(x' = 0\)), and returns a candidate solution \(R(x, x') = x > x' \wedge x \ge 0\).

  4. (iv)

    The validator checks the candidate solution, finds a counterexample \(x = -2, x' = -1\) for (2), and adds \(R(-2, -1)\) to \(\mathcal {E}\).

  5. (v)

    The synthesizer finds a ranking function \(f(x) = |x|\) for \(\mathcal {E}\) and returns \(R(x, x') = |x| > |x'| \wedge |x| \ge 0\) as a candidate solution. Note that the synthesizer have to synthesize a piecewise affine function here, but details are deferred to Sect. 2.2.

  6. (vi)

    The validator accepts the candidate solution because it is a genuine solution for \(\mathcal {C}\).

2.2 Handling Cycles in Decision Tree Learning

We explain the importance of handling cycles in our decision tree-based synthesizer of piecewise affine ranking functions.

In what follows, we deal with such decision trees as shown in Fig. 4: their internal nodes have affine inequalities (i.e. halfspaces); their leaves have affine functions; and overall, such a decision tree expresses a piecewise affine function (Fig. 4). When we remove leaf labels from such a decision tree, then we obtain a template of piecewise functions where condition guards are given but function bodies are not. We shall call the latter a segmentation.

Fig. 4.
figure 4

An example of a decision tree that represents a piecewise affine ranking function f(xy)

Full size image

Input and Output of our Synthesizer. The input of our synthesizer is a set \(\mathcal {E}\) of transition examples (e.g. \(\mathcal {E}= \{R(1, 0), R(-2, -1)\}\)) as explained in Sect. 2.1. The output of our synthesizer is a well-founded relation where \(\widetilde{x}\) is a sequence of variables and \(f(\widetilde{x})\) is a piecewise affine function, which is represented by a decision tree (Fig. 4). Therefore our synthesizer aims at learning a suitable decision tree.

Refining Segmentations and Handling Cycles. Roughly speaking, our synthesizer learns decision trees in the following steps.

  1. 1.

    Generate a set H of halfspaces from the given set \(\mathcal {E}\) of examples. This H serves as the vocabulary for internal nodes. Set the initial segmentation to be the one-node tree (i.e. the trivial segmentation).

  2. 2.

    Try to synthesize a piecewise affine ranking function f for \(\mathcal {E}\) with the current segmentation—that is, try to find suitable leaf labels. If found, then use this f in a candidate well-founded relation \(R(\widetilde{x}, \widetilde{x}') = f(\widetilde{x}) > f(\widetilde{x}') \wedge f(\widetilde{x}) \ge 0\).

  3. 3.

    Otherwise, refine the current segmentation with some halfspace in H, and go to Step 2.

The key step of our synthesizer is Step 3. We show a few examples.

Example 3

Suppose we are given \(\mathcal {E}= \{ R(1, 0), R(-2, -1) \}\) as a set of examples. Our synthesizer proceeds as follows: (1) Our synthesizer generates the set from the examples in \(\mathcal {E}\). (2) Our synthesizer tries to find a ranking function of the form \(f(x) = a x + b\) (with the trivial segmentation), but there is no such ranking function. (3) Our synthesizer refines the current segmentation with \((x \ge 0) \in H\) because \(x \ge 0\) “looks good”. (4) Our synthesizer tries to find a ranking function of the form \(f(x) = \mathbf {if}\ x \ge 0\ \mathbf {then}\ a x + b\ \mathbf {else}\ c x + d\), using the current segmentation. Our synthesizer obtains \(f(x) = \mathbf {if}\ x \ge 0\ \mathbf {then}\ x\ \mathbf {else}\ -x\) and use this f(x) for a candidate solution.

How can we decide which halfspace in H “looks good”? We use quality measure that is a value representing the quality of each halfspace and select the halfspace with the maximum quality measure.

Figure 5 shows the comparison of the quality of \(x \ge 0\) and \(x \ge -2\) in this example. Intuitively, \(x \ge 0\) is better than \(x \ge -2\) because we can obtain a simple ranking function \(\mathbf {if}\ x \ge 0\ \mathbf {then}\ x\ \mathbf {else}\ -x\) with \(x \ge 0\) (Fig. 5a) while we need further refinement of the segmentation with \(x \ge -2\) (Fig. 5b). In Sect. 5, we introduce a quality measure for halfspaces following this intuition.

Our synthesizer iteratively refines segmentations following this quality measure, until examples contained in each leaf of the decision tree admit an affine ranking function. This approach is inspired by the use of information gain in the decision tree learning for invariant synthesis.

Fig. 5.
figure 5

Selecting halfspaces. Transition examples are shown by red arrows. Boundaries of halfspaces are shown by dashed lines.

Full size image

Example 3 showed a natural extension of a decision tree learning method for invariant synthesis. However, this is not enough for transition examples, for the reasons of explicit and implicit cycles. Here are their examples.

Fig. 6.
figure 6

Two examples \(R(-1, 1)\) and R(1, 0) make an implicit cycle between \(x \ge 1\) and \(\lnot (x \ge 1)\).

Full size image

Example 4

Suppose we are given \(\mathcal {E}= \{ R(1, 0), R(0, 1) \}\). In this case, there is no ranking function because \(\mathcal {E}\) contains a cycle \(1 \rightarrow 0 \rightarrow 1\) witnessing non-termination. We call such a cycle an explicit cycle.

Example 5

Let \(\mathcal {E}= \{ R(-1, 1), R(1, 0), R(-1, -2), R(2, 3) \}\) (Fig. 6). Our synthesizer proceeds as follows. (1) Our synthesizer generates the set of halfspaces. (2) Our synthesizer tries to find a ranking function of the form \(f(x) = a x + b\) (with the trivial segmentation), but there is no such. (3) Our synthesizer refines the current segmentation with \((x \ge 1) \in H\) because \(x \ge 1\) “looks good” (i.e. is the best with respect to a quality measure).

We have reached the point where the naive extension of decision tree learning explained in Example 3 no longer works: although all constraints contained in each leaf of the decision tree admit an affine ranking function, there is no piecewise affine ranking function for \(\mathcal {E}\) of the form \(f(x) = \mathbf {if}\ x \ge 1\ \mathbf {then}\ a x + b\ \mathbf {else}\ c x + d\).

More specifically, in this example, the leaf representing \(x \ge 1\) contains R(2, 3), and the other leaf representing \(\lnot (x \ge 1)\) contains \(R(-1, -2)\). The example R(2, 3) admits an affine ranking function \(f_1(x) = - x + 2\), and \(R(-1, -2)\) admits \(f_2(x) = x + 1\), respectively. However, the combination \(f(x) = \mathbf {if}\ x \ge 1\ \mathbf {then}\ f_1(x)\ \mathbf {else}\ f_2(x)\) is not a ranking function for \(\mathcal {E}\). Moreover, there is no ranking function for \(\mathcal {E}\) of the form \(f(x) = \mathbf {if}\ x \ge 1\ \mathbf {then}\ a x + b\ \mathbf {else}\ c x + d\).

It is clear that this failure is caused by the crossing examples \(R(-1, 1)\) and R(1, 0). It is not that every crossing example is harmful. However, in this case, the set \(\{ R(-1, 1), R(1, 0) \}\) forms a cycle between the leaf for \(x \ge 1\) and the leaf for \(\lnot (x \ge 1)\) (see Fig. 6). This “cycle” among leaves—in contrast to explicit cycles such as \(\{ R(1, 0), R(0, 1) \}\) in Example 4—is called an implicit cycle.

Once an implicit cycle is found, our synthesizer cuts it by refining the current segmentation. Our synthesizer continues the above steps (1–3) of decision tree learning as follows. (4) Our synthesizer selects \((x \ge 0) \in H\) and cuts the implicit cycle \(\{ R(-1, 1), R(1, 0) \}\) by refining segmentations. (5) Using the refined segmentation, our synthesizer obtains \(f(x) = \mathbf {if}\ x \ge 1\ \mathbf {then}\ - x + 2\ \mathbf {else}\ \mathbf {if}\ x \ge 0\ \mathbf {then}\ 0\ \mathbf {else}\ x + 3\) as a ranking function for \(\mathcal {E}\).

As explained in Example 4, and 5, handling (explicit and implicit) cycles is crucial in decision tree learning for transition examples. Moreover, our cycle detection theorem (Theorem 17) claims that if there is no explicit or implicit cycle, then one can find a ranking function for \(\mathcal {E}\) without further refinement of segmentations.

3 (Non-)Termination Verification as Constraint Solving

We explain how to encode (non-)termination verification to constraint solving.

Following [31], we formalize our target class \(\mathrm {pwCSP}\) of predicate constraint satisfaction problems parametrized by a first-order theory \(\mathcal {T}\).

Definition 6

Given a formula \(\phi \), let \( ftv (\phi )\) be the set of free term variables and \( fpv (\phi )\) be the set of free predicate variables in \(\phi \).

Definition 7

A \(\mathrm {pwCSP}\) is defined as a pair \((\mathcal {C},\mathcal {R})\) where \(\mathcal {C}\) is a finite set of clauses of the form

$$\begin{aligned} \phi \vee \left( \bigvee _{i=1}^{\ell } X_i(\widetilde{t}_i) \right) \vee \left( \bigvee _{i=\ell +1}^m \lnot X_i(\widetilde{t}_i) \right) \end{aligned}$$
(4)

and \(\mathcal {R}\subseteq fpv (\mathcal {C})\) is a set of predicate variables that are required to denote well-founded relations. Here, \(0 \le \ell \le m\). Meta-variables t and \(\phi \) range over \(\mathcal {T}\)-terms and \(\mathcal {T}\)-formulas, respectively, such that \( ftv (\phi )=\emptyset \). Meta-variables x and X range over term and predicate variables, respectively.

A \(\mathrm {pwCSP}\) \((\mathcal {C},\mathcal {R})\) is called \(\mathrm {CHCs}\) (constrained Horn clauses, [9]) if \(\mathcal {R}= \emptyset \) and \(\ell \le 1\) for all clauses \(c \in \mathcal {C}\). The class of \(\mathrm {CHCs}\) has been widely studied in the verification community [12, 14, 28, 36].

Definition 8

A predicate substitution \(\sigma \) is a finite map from predicate variables X to closed predicates of the form \(\lambda x_1,\dots ,x_{\mathrm {ar}(X)}.\phi \). We write \(\mathrm {dom}(\sigma )\) for the domain of \(\sigma \) and \(\sigma (\mathcal {C})\) for the application of \(\sigma \) to \(\mathcal {C}\).

Definition 9

A predicate substitution \(\sigma \) is a (genuine) solution for \((\mathcal {C},\mathcal {R})\) if (1) \( fpv (\mathcal {C}) \subseteq \mathrm {dom}(\sigma )\); (2) \(\models \bigwedge \sigma (\mathcal {C})\) holds; and (3) for all \(X \in \mathcal {R}\), \(\sigma (X)\) represents a well-founded relation, that is, \(\mathrm {sort}(\sigma (X))=(\widetilde{s},\widetilde{s}) \rightarrow \bullet \) for some sequence \(\widetilde{s}\) of sorts and there is no infinite sequence \(\widetilde{v}_1,\widetilde{v}_2,\dots \) of sequences \(\widetilde{v}_i\) of values of the sorts \(\widetilde{s}\) such that \(\models \rho (X)(\widetilde{v}_i,\widetilde{v}_{i+1})\) for all \(i\ge 1\).

Encoding Termination. Given a set of initial state \(\iota (\widetilde{x})\) and a transition relation \(\tau (\widetilde{x}, \widetilde{x}')\), the termination verification problem is expressed by the \(\mathrm {pwCSP}\) \((\mathcal {C}, \mathcal {R})\) where \(\mathcal {R}= \{ R \}\), and \(\mathcal {C}\) consists of the following clauses.

$$\begin{aligned} \iota (\widetilde{x}) \implies I(\widetilde{x}) \qquad \tau (\widetilde{x}, \widetilde{x}') \wedge I(\widetilde{x}) \implies I(\widetilde{x}') \qquad \tau (\widetilde{x}, \widetilde{x}') \wedge I(\widetilde{x}) \implies R(\widetilde{x}, \widetilde{x}') \end{aligned}$$

We use \(\phi \implies \psi \) as syntax sugar for \(\lnot \phi \vee \psi \), so this is a \(\mathrm {pwCSP}\). The well-founded relation R asserts that \(\tau \) is terminating. We also consider an invariant I for \(\tau \) to avoid synthesizing ranking functions on unreachable program states.

Encoding Non-termination. We can also encode a problem of non-termination verification to \(\mathrm {pwCSP}\) via recurrent sets [20]. For simplicity, we explain the encoding for the case of only one program variable x. We consider a recurrent set R satisfying the following conditions.

$$\begin{aligned} \iota (x)&\implies R(x) \end{aligned}$$
(5)
$$\begin{aligned} R(x)&\implies \exists x'. \tau (x, x') \wedge R(x') \end{aligned}$$
(6)

To remove \(\exists \) from (6), we use the following constraint that is equivalent to (6).

$$\begin{aligned} R(x)&\implies E(x, 0) \end{aligned}$$
(7)
$$\begin{aligned} E(x, x')&\implies \big (\tau (x, x') \wedge R(x')\big ) \nonumber \\&\vee \big (S(x', x'-1) \wedge E(x, x'-1)\big ) \vee \big (S(x', x'+1) \wedge E(x, x'+1)\big ) \end{aligned}$$
(8)

The intuition is as follows. Given x in the recurrent set R, the relation \(E(x, x')\) searches for the value of \(\exists x'\) in (6). The search starts from \(x' = 0\) in (7), and \(x'\) is nondeterministically incremented or decremented in (8). The well-founded relation S asserts that the search finishes within finite steps. As a result, we obtain a \(\mathrm {pwCSP}\) for non-termination defined by \((\mathcal {C}, \mathcal {R})\) where \(\mathcal {R}= \{ S \}\) and \(\mathcal {C}\) is given by (5), (7), and (the disjunctive normal form of) (8).

Example 10

Consider the following C program.

figure c

The non-termination problem is encoded as the \(\mathrm {pwCSP}\) \((\mathcal {C}, \mathcal {R})\) where \(\mathcal {R}= \{ S \}\), and \(\mathcal {C}\) consists of

$$\begin{aligned} x > 0&\implies R(x) \qquad \qquad \qquad \qquad R(x) \implies E(x, 0) \\ E(x, x')&\implies x' = -2 x + 9 \wedge R(x') \\&\qquad \vee (S(x', x'-1) \wedge E(x, x'-1)) \vee (S(x', x'+1) \wedge E(x, x'+1)). \end{aligned}$$

The program is non-terminating when \(x = 3\). This is witnessed by a solution \(\sigma \) for \((\mathcal {C}, \mathcal {R})\), which is given by , , and .

4 CounterExample-Guided Inductive Synthesis (CEGIS)

We explain how CounterExample-Guided Inductive Synthesis [29] (CEGIS for short) works for a given \(\mathrm {pwCSP}\) \((\mathcal {C},\mathcal {R})\) following [31]. Then, we add the extraction of positive/negative examples to the CEGIS architecture, which enables our decision tree-based synthesizer to use a simplified form of examples.

CEGIS proceeds through the iterative interaction between a synthesizer and a validator (Fig. 1), in which they exchange examples and candidate solutions.

Definition 11

A formula \(\phi \) is an example of \(\mathcal {C}\) if \( ftv (\phi ) = \emptyset \) and \(\bigwedge \mathcal {C}\models \phi \) hold. Given a set \(\mathcal {E}\) of examples of \(\mathcal {C}\), a predicate substitution \(\sigma \) is a candidate solution for \((\mathcal {C}, \mathcal {R})\) that is consistent with \(\mathcal {E}\) if \(\sigma \) is a solution for \((\mathcal {E},\mathcal {R})\).

Synthesizer. The input for a synthesizer is a set \(\mathcal {E}\) of examples of \(\mathcal {C}\) collected from previous CEGIS iterations. The synthesizer tries to find a candidate solution \(\sigma \) consistent with \(\mathcal {E}\) instead of a genuine solution for \((\mathcal {C}, \mathcal {R})\). If the candidate solution \(\sigma \) is found, then \(\sigma \) is passed to the validator. If \(\mathcal {E}\) is unsatisfiable, then \(\mathcal {E}\) witnesses unsatisfiability of \((\mathcal {C}, \mathcal {R})\). Details of our synthesizer is described in Sect. 5.

Validator. A validator checks whether the candidate solution \(\sigma \) from the synthesizer is a genuine solution of \( (\mathcal {C},\mathcal {R})\) by using SMT solvers. That is, satisfiability of \(\models \lnot \bigwedge \sigma (\mathcal {C})\) is checked. If \(\models \lnot \bigwedge \sigma (\mathcal {C})\) is not satisfiable, then \(\sigma \) is a genuine solution of the original \(\mathrm {pwCSP}\) \((\mathcal {C},\mathcal {R})\), so the validator accepts this. Otherwise, the validator adds new examples to the set \(\mathcal {E}\) of examples. Finally, the synthesizer is invoked again with the updated set \(\mathcal {E}\) of examples.

If \(\models \lnot \bigwedge \sigma (\mathcal {C})\) is satisfiable, new examples are constructed as follows. Using SMT solvers, the validator obtains an assignment \(\theta \) to term variables such that \(\models \lnot \theta (\psi )\) holds for some \(\psi \in \sigma (\mathcal {C})\). By (4), \(\models \lnot \theta (\psi )\) is a clause of the form \(\models \lnot \theta (\phi ) \wedge \big ( \bigwedge _{i=1}^{\ell } \lnot \sigma (X_i)(\theta (\widetilde{t}_i)) \big ) \wedge \big ( \bigwedge _{i=\ell +1}^m \sigma (X_i)(\theta (\widetilde{t}_i)) \big )\). To prevent this counterexample from being found in the next CEGIS iteration again, the validator adds the following example to \(\mathcal {E}\).

$$\begin{aligned} \bigvee _{i=1}^{\ell } X_i(\theta (\widetilde{t}_i)) \vee \bigvee _{i=\ell +1}^m \lnot X_i(\theta (\widetilde{t}_i)) \end{aligned}$$
(9)

The CEGIS architecture repeats this interaction between the synthesizer and the validator until a genuine solution for \((\mathcal {C},\mathcal {R})\) is found or \(\mathcal {E}\) witnesses unsatisfiability of \((\mathcal {C},\mathcal {R})\).

Extraction of Positive/Negative Examples. Examples obtained in the above explanation are a bit complex to handle in our decision tree-based synthesizer: each example in \(\mathcal {E}\) is a disjunction (9) of literals, which may contain multiple predicate variables.

To simplify the form of examples, we extract from \(\mathcal {E}\) the sets \(\mathcal {E}_X^+\) and \(\mathcal {E}_X^-\) of positive examples (i.e., examples of the form \(X(\widetilde{v})\)) and negative examples (i.e., examples of the form \(\lnot X(\widetilde{v})\)) for each \(X \in fpv (\mathcal {E})\). This allows us to synthesize a predicate \(\sigma (X)\) for each predicate variable \(X \in fpv (\mathcal {E})\) separately. For simplicity, we write \(\widetilde{v} \in \mathcal {E}_X^+\) and \(\widetilde{v} \in \mathcal {E}_X^-\) instead of \(X(\widetilde{v}) \in \mathcal {E}_X^+\) and \(\lnot X(\widetilde{v}) \in \mathcal {E}_X^-\).

The extraction is done as follows. We first substitute for each predicate variable application \(X(\widetilde{v})\) in \(\mathcal {E}\) a boolean variable \(b_{X(\widetilde{v})}\) to obtain a SAT problem \(\mathbf {SAT}(\mathcal {E})\). Then, we use SAT solvers to obtain an assignment \(\eta \) that is a solution for \(\mathbf {SAT}(\mathcal {E})\). If a solution \(\eta \) exists, then we construct positive/negative examples from \(\eta \); otherwise, \(\mathcal {E}\) is unsatisfiable.

Definition 12

Let \(\eta \) be a solution for \(\mathbf {SAT}(\mathcal {E})\). For each predicate variable \(X \in fpv (\mathcal {E})\), we define the set \(\mathcal {E}^{+}_{X}\) of positive examples and the set \(\mathcal {E}^{+}_{X}\) of negative examples under the assignment \(\eta \) by and .

Note that some of predicate variable applications \(X(\widetilde{v})\) may not be assigned true nor false because they do not affect the evaluation of \(\mathbf {SAT}(\mathcal {E})\). Such predicate variable applications are discarded from \(\{(\mathcal {E}^{+}_{X}, \mathcal {E}^{-}_{X})\}_{X \in fpv (\mathcal {E})}\).

Our method uses the extraction of positive and negative examples when the validator passes examples to the synthesizer. If \(X \in fpv (\mathcal {E}) \cap \mathcal {R}\), then we apply our ranking function synthesizer to \((\mathcal {E}^{+}_{X}, \mathcal {E}^{-}_{X})\). If \(X \in fpv (\mathcal {E}) \setminus \mathcal {R}\), then we apply an invariant synthesizer.

We say a candidate solution \(\sigma \) is consistent with \(\{(\mathcal {E}^{+}_{X}, \mathcal {E}^{-}_{X})\}_{X \in fpv (\mathcal {E})}\) if \(\models \sigma (X)(\widetilde{v}^{+})\) and \(\models \lnot \sigma (X)(\widetilde{v}^{-})\) hold for each predicate variable \(X \in fpv (\mathcal {E})\), \(\widetilde{v}^{+} \in \mathcal {E}^{+}_{X}\), and \(\widetilde{v}^{-} \in \mathcal {E}^{-}_{X}\). If a candidate solution \(\sigma \) is consistent with \(\{(\mathcal {E}^{+}_{X}, \mathcal {E}^{-}_{X})\}_{X \in fpv (\mathcal {E})}\), then \(\sigma \) is also consistent with \(\mathcal {E}\).

Note that unsatisfiability of \(\{(\mathcal {E}^{+}_{X}, \mathcal {E}^{-}_{X})\}_{X \in fpv (\mathcal {E})}\) does not immediately implies unsatisfiability of \(\mathcal {E}\) nor \((\mathcal {C}, \mathcal {R})\) because \(\{(\mathcal {E}^{+}_{X}, \mathcal {E}^{-}_{X})\}_{X \in fpv (\mathcal {E})}\) depends on the choice of the assignment \(\eta \). Therefore, the CEGIS architecture need to be modified: if synthesizers find unsatisfiability of \(\{(\mathcal {E}^{+}_{X}, \mathcal {E}^{-}_{X})\}_{X \in fpv (\mathcal {E})}\), then we add the negation of an unsatisfiability core to \(\mathcal {E}\) to prevent using the same assignment \(\eta \) again.

Note that some restricted forms of (9) have also been considered in previous work and are called implication examples in [17] and implication/negation constraints in [12]. Our extraction of positive and negative examples is applicable to the general form of (9).

5 Ranking Function Synthesis

In this section, we describe one of the main contributions, that is, our decision tree-based synthesizer, which synthesizes a candidate well-founded relation \(\sigma (R)\) from a finite set \(\mathcal {E}^+_{R}\) of examples. We assume that only positive examples are given because well-founded relations occur only positively in \(\mathrm {pwCSP}\) for termination analysis (see Sect. 3). The aim of our synthesizer is to find a piecewise affine lexicographic ranking function \(\widetilde{f}(\widetilde{x})\) for the given set \(\mathcal {E}^+_R\) of examples. Below, we fix a predicate variable \(R \in \mathcal {R}\) and omit the subscript \(\mathcal {E}^+_R = \mathcal {E}^+\).

5.1 Basic Definitions

To represent piecewise affine lexicographic ranking functions, we use decision trees like the one in Fig. 4. Let \(\widetilde{x} = (x_1, \dots , x_n)\) be the program variables where each \(x_i\) ranges over \(\mathbb {Z}\).

Definition 13

A decision tree D is defined by where \(\widetilde{g}(\widetilde{x}) = (g_k(\widetilde{x}), \dots , g_0(\widetilde{x}))\) is a tuple of affine functions and \(h(\widetilde{x})\) is an affine function. A segmentation tree S is defined as a decision tree with undefined leaves \(\bot \): that is, . For each decision tree D, we can canonically assign a segmentation tree by replacing the label of each leaf with \(\bot \). This is denoted by S(D). For each decision tree D, we denote the corresponding piecewise affine function by \(\widetilde{f}_D(\widetilde{x}) : \mathbb {Z}^n \rightarrow \mathbb {Z}^{k+1}\).

Each leaf in a segmentation tree S corresponds to a polyhedron. We often identify the segmentation tree S with the set of leaves of S and a leaf with the polyhedron corresponding to the leaf. For example, we say something like “for each \(L \in S\), \(\widetilde{v} \in L\) is a point in the polyhedron L”.

Suppose we are given a segmentation tree S and a set \(\mathcal {E}^+\) of examples.

Definition 14

For each \(L_1, L_2 \in S\), we denote the set of example transitions from \(L_1\) to \(L_2\) by . An example \((\widetilde{v}, \widetilde{v}') \in \mathcal {E}^+\) is crossing w.r.t. S if \((\widetilde{v}, \widetilde{v}') \in \mathcal {E}^+_{L_1, L_2}\) for some \(L_1 \ne L_2\), and non-crossing if \((\widetilde{v}, \widetilde{v}') \in \mathcal {E}^+_{L, L}\) for some L.

Definition 15

We define the dependency graph \(G(S, \mathcal {E}^+)\) for S and \(\mathcal {E}^+\) by the graph (VE) where vertices \(V = S\) are leaves, and edges \(E = \{ (L_1, L_2) \mid L_1 \ne L_2, \exists (\widetilde{v}, \widetilde{v}') \in \mathcal {E}^+_{L_1, L_2} \}\) are crossing examples.

We denote the set of start points \(\widetilde{v}\) and end points \(\widetilde{v}'\) of examples \((\widetilde{v}, \widetilde{v}') \in \mathcal {E}^+\) by .

5.2 Segmentation and (Explicit and Implicit) Cycles: One-Dimensional Case

For simplicity, we first consider the case where \(\widetilde{f}(\widetilde{x}) = f(\widetilde{x}) : \mathbb {Z}^n \rightarrow \mathbb {Z}\) is a one-dimensional ranking function. Our aim is to find a ranking function \(f(\widetilde{x})\) for \(\mathcal {E}^+\), which satisfies \(\forall (\widetilde{v}, \widetilde{v}') \in \mathcal {E}^+.\ f(\widetilde{v}) > f(\widetilde{v}')\) and \(\forall (\widetilde{v}, \widetilde{v}') \in \mathcal {E}^+.\ f(\widetilde{v}) \ge 0 \). If our ranking function synthesizer finds such a ranking function \(f(\widetilde{x})\), then a candidate well-founded relation \(R_f\) is constructed as .

Our synthesizer builds a decision tree D to find a ranking function \(f_D(\widetilde{x})\) for \(\mathcal {E}^+\). The main question in doing so is “when and how should we refine partitions of decision trees?” To answer this question, we consider the case where there is no ranking function \(f_D(\widetilde{x})\) for \(\mathcal {E}^+\) with a fixed segmentation S, and classify reasons for this into three cases as follows.

Case 1: Explicit Cycles in Examples. We define an explicit cycle in \(\mathcal {E}^+\) as a cycle in the graph \((\mathbb {Z}^n, \mathcal {E}^+)\). An explicit cycle witnesses that there is no ranking function for \(\mathcal {E}^+\) (see e.g., Example 4).

Case 2: Non-crossing Examples are Unsatisfiable. The second case is when there is a leaf \(L \in S\) such that no affine (not piecewise affine) ranking function for the set \(\mathcal {E}^+_{L, L}\) of non-crossing examples exists. This prohibits the existence of piecewise affine function \(f_D(\widetilde{x})\) for \(\mathcal {E}^+\) with segmentation \(S = S(D)\) because the restriction of \(f_D(\widetilde{x})\) to \(L \in S\) must be an affine ranking function for \(\mathcal {E}^+_{L, L}\).

Case 3: Implicit Cycles in the Dependency Graph. We define an implicit cycle by a cycle in the dependency graph \(G(S, \mathcal {E}^+)\). Case 3 is the case where an implicit cycle prohibits the existence of piecewise affine ranking functions for \(\mathcal {E}^+\) with the segmentation S (e.g., Example 5). If Case 1 and Case 2 do not hold but no piecewise affine ranking function for \(\mathcal {E}^+\) with the segmentation S exists, then there must be an implicit cycle by (the contraposition of) the following proposition.

Proposition 16

Assume \(\mathcal {E}^+\) is a set of examples that does not contain explicit cycles (i.e. Case 1 does not hold). Let S be a segmentation tree and assume that for each \(L \in S\), there exists an affine ranking function \(f_L(\widetilde{x})\) for \(\mathcal {E}^+_{L, L}\) (i.e. Case 2 does not hold). If the dependency graph \(G(S, \mathcal {E}^+)\) is acyclic, then there exists a decision tree D with the segmentation \(S(D) = S\) such that \(f_{D}(\widetilde{x})\) is a ranking function for \(\mathcal {E}^+\).

Proof

By induction on the height (i.e. the length of a longest path from a vertex) of vertices in \(G(S, \mathcal {E}^+)\). We construct a decision tree D as follows. If the height of \(L \in S\) is 0, then we assign to the leaf L where \(f_L(\widetilde{x})\) is a ranking function for \(\mathcal {E}^+_{L, L}\). If the height of \(L \in S\) is \(n > 0\), then we assign to the leaf L where \(c \in \mathbb {Z}\) is a constant that satisfies \(\forall (\widetilde{v}, \widetilde{v}') \in \mathcal {E}^+_{L, L'}, f_{L}(\widetilde{v}) + c > f'_{L'}(\widetilde{v}')\) for each cell \(L'\) with the height less than n.

   \(\square \)

Note that the converse of Proposition 16 does not hold: the existence of implicit cycles in \(G(S, \mathcal {E}^+)\) does not necessarily imply that no piecewise affine ranking function exists with the segmentation S.

5.3 Segmentation and (Explicit and Implicit) Cycles: Multi-Dimensional Lexicographic Case

We consider a more general case where \(\widetilde{f}(\widetilde{x}) = (f_k(\widetilde{x}), \dots , f_0(\widetilde{x}))\) is a multi-dimensional lexicographic ranking function and k is a fixed nonnegative integer.

Given a function \(\widetilde{f}(\widetilde{x})\), we consider the well-founded relation \(R_{\widetilde{f}}(\widetilde{x}, \widetilde{x}')\) defined inductively as follows.

(10)

Our aim here is to find a lexicographic ranking function \(\widetilde{f}(\widetilde{x})\) for \(\mathcal {E}^+\), i.e. a function \(\widetilde{f}(\widetilde{x})\) such that \(R_{\widetilde{f}}(\widetilde{v}, \widetilde{v}')\) holds for each \((\widetilde{v}, \widetilde{v}') \in \mathcal {E}^+\). Our synthesizer does so by building a decision tree. The same argument as the one-dimensional case holds for lexicographic ranking functions.

Theorem 17

(cycle detection). Assume \(\mathcal {E}^+\) is a set of examples that does not contain explicit cycles. Let S be a segmentation tree and assume that for each \(L \in S\), there exists an affine function \(\widetilde{f}_L(\widetilde{x})\) that satisfies \(\forall (\widetilde{v}, \widetilde{v}') \in \mathcal {E}^+_{L, L}, R_{\widetilde{f}_L}(\widetilde{v}, \widetilde{v}')\). If the dependency graph \(G(S, \mathcal {E}^+)\) is acyclic, then there exists a decision tree D with the segmentation \(S(D) = S\) such that \(R_{\widetilde{f}_{D}}(\widetilde{v}, \widetilde{v}')\) holds for each \((\widetilde{v}, \widetilde{v}') \in \mathcal {E}^+\).

Proof

The proof is almost the same as Proposition 16. Here, note that if \(\widetilde{f}'(\widetilde{x}) = \widetilde{f}(\widetilde{x}) + \widetilde{c}\) where \(\widetilde{c}\) is a tuple of nonnegative integer constants, then \(R_{\widetilde{f}'}(\widetilde{x}, \widetilde{x}')\) subsumes \(R_{\widetilde{f}}(\widetilde{x}, \widetilde{x}')\).    \(\square \)

5.4 Our Decision Tree Learning Algorithm

We design a concrete algorithm based on Theorem 17. It is shown in Algorithm 1 and consists of three phases. We shall describe the three phases one by one.

figure d
figure e
figure f

Phase 1. Phase 1 (Line 1–3) detects explicit cycles in \(\mathcal {E}^+\) to exclude Case 1. Here, we use a cycle detection algorithm for directed graphs.

Phase 2. Phase 2 (Line 4) detects and resolves Case 2 by using ResolveCase2 (Algorithm 2), which is a function that grows a decision tree recursively. ResolveCase2 takes non-crossing examples in a leaf, divides the leaf, and returns a template tree that is fine enough to avoid Case 2. Here, template trees are decision trees whose leaves are labeled by affine templates.

Algorithm 2 shows the detail of ResolveCase2. ResolveCase2 builds a template tree recursively starting from the trivial segmentation \(S = \bot \) and all given examples. In each polyhedron, ResolveCase2 checks whether the set C of constraints imposed by non-crossing examples can be satisfied by an affine lexicographic ranking function on the polyhedron (Line 2–3). If the set C of constraints is not satisfiable, then ResolveCase2 chooses a halfspace \(h(\widetilde{x}) \ge 0\) (Line 6) and divides the current polyhedron by the halfspace.

There is a certain amount of freedom in the choice of halfspaces. To guarantee termination of the whole algorithm, we require that the chosen halfspace h separates at least one point in from the other points in \(\underline{\mathcal {E}'^{+}}\). That is:

Assumption 18

If halfspace \(h(\widetilde{x}) \ge 0\) is chosen in Line 6 of Algorithm 2, then there exist \(\widetilde{v}, \widetilde{u} \in \underline{\mathcal {E}'^{+}}\) such that \(h(\widetilde{v}) \ge 0\) and \(h(\widetilde{u}) < 0\).

We explain two strategies (eager and lazy) to choose halfspaces that can be used to implement ChooseQualifier. Both of them are guaranteed to terminate, and moreover, intended to yield simple decision trees.

Eager Strategy. In the eager strategy, we eagerly generate a finite set H of halfspaces from the set \(\mathcal {E}^+\) of all examples beforehand and choose the best one from H with respect to a certain quality measure. To satisfy Assumption 18, H are generated so that any two points \(\widetilde{u}, \widetilde{v} \in \underline{\mathcal {E}^+}\) can be separated by some halfspace \((h(\widetilde{x}) \ge 0) \in H\).

For example, we can use intervals \(H = \{\pm (x_i - a_i) \ge 0 \mid i = 1, \dots , n \wedge (a_1, \dots , a_n) \in \underline{\mathcal {E}^+} \}\) and octagons \(H = \{\pm (x_i - a_i) \pm (x_j - a_j) \ge 0 \mid i \ne j \wedge (a_1, \dots , a_n) \in \underline{\mathcal {E}^+}\}\) where \(\widetilde{x} = (x_1, \dots , x_n)\). For any input \(\mathcal {E}'^{+} \subseteq \mathcal {E}^+\) of ResolveCase2, intervals and octagons satisfy , so Assumption 18 is satisfied by choosing the best halfspace with respect to the quality measure from \(H'\).

For each halfspace \((h(\widetilde{x}) \ge 0) \in H'\), we calculate QualityMeasure in Algorithm 3, and choose one that maximizes . calculates the sum of the maximum number of satisfiable constraints in each leaf divided by \(h(\widetilde{x}) \ge 0\) plus an additional term \((|E_{+-}| + |E_{-+}|) (1 - \mathrm {entropy}(|E_{+-}|, |E_{-+}|))\) where \(\mathrm {entropy}(x, y) = - \frac{x}{x + y} \log _2 \frac{x}{x + y} - \frac{y}{x + y} \log _2 \frac{y}{x + y}\). Therefore, the term \((|E_{+-}| + |E_{-+}|) (1 - \mathrm {entropy}(|E_{+-}|, |E_{-+}|))\) is close to \(|E_{+-}| + |E_{-+}|\) if almost all examples in \(E_{+-} \cup E_{-+}\) cross h in the same direction and close to 0 if \(|E_{+-}|\) is almost equal to \(|E_{-+}|\).

Lazy Strategy. In the lazy strategy, we lazily generate halfspaces. We divide the current polyhedron so that non-crossing examples in the cell point to almost the same direction.

First, we label states that occur in \(\mathcal {E}^+_{C, C}\) as follows. We find a direction that most examples in C point to by solving the MAX-SMT . For each \((\widetilde{v}, \widetilde{v}') \in \mathcal {E}^+_{C, C}\), we label two points \(\widetilde{v}, \widetilde{v}'\) with \(+1\) if \(\mathbf {a} \cdot (\widetilde{v}- \widetilde{v}') > 0\) and with \(-1\) otherwise.

Then we apply weighted C-SVM to generate a hyperplane that separates most of the positive and negative points. To guarantee termination of Algorithm 1, we avoid “useless” hyperplanes that classify all the points by the same label. If we obtain such a useless hyperplane, then we undersample a majority class and apply C-SVM again. By undersampling suitably, we eventually get linearly separable data with at least one positive point and one negative point.

Note that since coefficients of hyperplanes extracted from C-SVM are floating point numbers, we have to approximate them by hyperplanes with rational coefficients. This is done by truncating continued fraction expansions of coefficients by a suitable length.

Phase 3. In Line 5–18 of Algorithm 1, we further refine the segmentation S(D) to resolve Case 3. Once Case 2 is resolved by ResolveCase2, Case 2 never holds even after refining S(D) further. This enables to separate Phases 2 and 3.

Given a template tree D, we consider the set C of constraints on parameters in D that claims \(\widetilde{f}_D(\widetilde{x})\) is a ranking function for \(\mathcal {E}^+\) (Line 6).

If C is satisfiable, we use an SMT solver to obtain a solution of C (i.e. an assignment \(\rho \) of integers to parameters) while minimizing the sum of absolute values of unknown parameters in D at the same time (Line 8). This minimization is intended to give a simple candidate ranking function. The solution \(\rho \) is used to instantiate the template tree D (Line 11).

If C cannot be satisfied, there must be an implicit cycle in the dependency graph \(G(S(D), \mathcal {E}^+)\) by Theorem 17. The implicit cycle can be found in an unsatisfiable core of C. We refine the segmentation of D to cut the implicit cycle in Line 16. To guarantee termination, we choose a halfspace satisfying the following assumption, which is similar to Assumption 18.

Assumption 19

If halfspace \(h(\widetilde{x}) \ge 0\) is chosen in Line 16 of Algorithm 1, then there exist \(\widetilde{v}, \widetilde{u} \in \underline{\mathcal {E}^+}\) such that \(h(\widetilde{v}) \ge 0\) and \(h(\widetilde{u}) < 0\).

We have two strategy (eager and lazy) to refine the segmentation of D.

In eager strategy, we choose a halfspace \((h(\widetilde{x}) \ge 0) \in H\) that separates two distinct points \(\widetilde{v}'_i\) and \(\widetilde{v}_{i+1}\) in the implicit cycle. In doing so, we want to reduce the number of implicit cycles in \(G(S(D), \mathcal {E}^+)\), but adding a new halfspace may introduce new implicit cycles if there exists \((\widetilde{v}, \widetilde{v}') \in \mathcal {E}^+_{C, C}\) that crosses the new border from the side of \(\widetilde{v}'_i\) to the side of \(\widetilde{v}_{i+1}\). Therefore, we choose a hyperplane that minimizes the number of new crossing examples.

In lazy strategy, we use an SMT solver to find a hyperplane \(h(\widetilde{x}) \in H\) that separates \(\widetilde{v}'_i\) and \(\widetilde{v}_{i+1}\) and minimizes the number of new crossing examples.

Termination. Assumption 18 and Assumption 19 guarantees that every leaf in S(D) contains at least one point in the finite set \(\underline{\mathcal {E}^+}\). Because the number of leaves in S(D) strictly increases after each iteration of Phase 2 and Phase 3, we eventually get a segmentation S(D) where each \(L \in S(D)\) contains only one point in \(\underline{\mathcal {E}^+}\) in the worst case. Since we have excluded Case 1 at the beginning, Theorem 17 guarantees the existence of ranking function with the segmentation S(D). Therefore, the algorithm terminates within \(|\underline{\mathcal {E}^+}|\) times of refinement.

Theorem 20

If Assumption 18 and Assumption 19 hold, then Algorithm 1 terminates. If Algorithm 1 returns a piecewise affine lexicographic function \(\widetilde{f}(\widetilde{x})\), then the function satisfies \(R_{\widetilde{f}}(\widetilde{x}, \widetilde{x}')\) for each \((\widetilde{x}, \widetilde{x}') \in \mathcal {E}^+\) where \(\mathcal {E}^+\) is the input of the algorithm.    \(\square \)

5.5 Improvement by Degenerating Negative Values

There is another way to define well-founded relation from the tuple \(\widetilde{f}(\widetilde{x}) = (f_k(\widetilde{x}), \dots , f_0(\widetilde{x}))\) of functions, that is, the well-founded relation \(R'_{\widetilde{f}}(\widetilde{x}, \widetilde{x}')\) defined inductively by .

In this definition, we loosen the equality \(f_{i}(\widetilde{x}) = f_{i}(\widetilde{x}')\) (where \(i = 1, \dots , k\)) of the usual lexicographic ordering (10) to \(f_{i}(\widetilde{x}') < 0 \vee f_{i}(\widetilde{x}) = f_{i}(\widetilde{x}')\). This means that once \(f_{i}(\widetilde{x})\) becomes negative, \(f_i(\widetilde{x})\) must stay negative but the value do not have to be the same, which is useful for the synthesizer to avoid complex candidate lexicographic ranking functions and thus improves the performance.

However, if we use this well-founded relation \(R'_{\widetilde{f}}(\widetilde{x}, \widetilde{x}')\) instead of \(R_{\widetilde{f}}(\widetilde{x}, \widetilde{x}')\) in (10), then Theorem 17 fails because \(R'_{\widetilde{f}}(\widetilde{x}, \widetilde{x}')\) is not necessarily subsumed by \(R'_{\widetilde{f} + \widetilde{c}}\) where \(\widetilde{c} = (c_k, \dots , c_0)\) is a nonnegative constant (see the proof of Proposition 16 and Theorem 17). As a result, there is a chance that no implicit cycle can be found in line 14 of Algorithm 1. Therefore, when we use \(R'_{\widetilde{f}}(\widetilde{x}, \widetilde{x}')\), we modify Algorithm 1 so that if no implicit cycle can be found in line 14, then we fall back on the former definition of \(R_{\widetilde{f}}(\widetilde{x}, \widetilde{x}')\) and restart Algorithm 1.

6 Implementation and Evaluation

Implementation. We implemented a constraint solver MuVal that supports invariant synthesis and ranking function synthesis. For invariant synthesis, we apply an ordinary decision tree learning (see [12, 14, 18, 22, 36] for existing techniques). For ranking function synthesis, we implemented the algorithm in Sect. 5 with both eager and lazy strategies for halfspace selection. Our synthesizer uses well-founded relation explained in Sect. 5.5. Given a benchmark, we run our solver for both termination and non-termination verification in parallel, and when one of the two returns an answer, we stop the other and use the answer. MuVal is written in OCaml and uses Z3 as an SMT solver backend. We used clang and llvm2kittel [1] to convert C benchmarks to T2 [3] format files, which are then translated to \(\mathrm {pwCSP}\) by MuVal.

Experiments. We evaluated our implementation MuVal on C benchmarks from Termination Competition 2020 (C Integer) [4]. We compared our tool with AProVE [10, 13], iRankFinder [7], and Ultimate Automizer [21]. Experiments are conducted on StarExec [2] (CentOS 7.7 (1908) on Intel(R) Xeon(R) CPU E5-2609 0 @ 2.40GHz (2393 MHZ) with 263932744 kB main memory). The time limit was 300 s.

Table 2. Numbers of solved benchmarks
Full size table

Results. Results are shown in Table 2. Yes/No/TO/U means the number of benchmarks that these tools could verify termination/could verify non-termination/could not answer within 300 s and timed out (TimeOut)/gave up before 300 s (Unknown), respectively. We also show scatter plots of runtime in Fig. 7.

MuVal was able to solve more benchmarks than Ultimate Automizer. Compared to iRankFinder, MuVal solved slightly fewer benchmarks, but was faster in a large number of benchmarks: 265 benchmarks were solved faster by MuVal, 68 by iRankFinder, and 2 were not solved by both tools within 300 s (here, we regard U (unknown) as 300 s). Compared to AProVE, MuVal solved fewer benchmarks. However, there are several benchmarks that MuVal could solve but AProVE could not. Among them is “TelAviv-Amir-Minimum_true-termination.c”, which does require piecewise affine ranking functions. MuVal found a ranking function \(f(x, y) = \mathbf {if}\ x - y \ge 0\ \mathbf {then}\ y\ \mathbf {else}\ x\), while AProVE timed out.

We also observed that using CEGIS with transition examples itself showed its strengths even for benchmarks that do not require piecewise affine ranking functions. Notably, there are three benchmarks that MuVal could solve but the other tools could not; they are examples that do not require segmentations. Further analysis of these benchmarks indicates the following strengths of our framework: (1) the ability to handle nonlinear constraints (to some extent) thanks to the example-based synthesis and the recent development of SMT solvers; and (2) the ability to find a long lasso-shaped non-terminating trace assembled from multiple transition examples. See [23, Appendix A] for details.

Fig. 7.
figure 7

Scatter plots of runtime. Ultimate Automizer and AProVE sometimes gave up before the time limit, and such cases are regarded as 300s.

Full size image

7 Related Work

There are a bunch of works that synthesize ranking functions via constraint solving. Among them is a counterexample-guided method like CEGIS [29]. CEGIS is sound but not guaranteed to be complete in general: even if a given constraint has a solution, CEGIS may fail to find the solution. A complete method for ranking function synthesis is proposed in [19]. They collect only extremal counterexamples instead of arbitrary transition examples to avoid infinitely many examples. A limitation of their method is that the search space is limited to (lexicographic) affine ranking functions.

Another counterexample-guided method is proposed in [33] and implemented in SeaHorn. This method can synthesize piecewise affine functions, but their approach is quite different from ours. Given a program, they construct a safety property that the number of loop iterations does not exceed the value of a candidate ranking function. The safety property is checked by a verifier. If it is violated, then a trace is obtained as a counterexample and the candidate ranking function is updated by the counterexample. The main difference from our method is that their method uses trace examples while our method uses transition examples (which is less expensive to handle). FreqTerm [15] also uses the connection to safety property, but they exploit syntax-guided synthesis for synthesizing ranking functions.

Aside from counterexample-guided methods, constraint solving is widely studied for affine ranking functions [27], lexicographic affine ranking functions [5, 7, 24], and multiphase affine ranking functions [6, 8]. Their implementation includes RankFinder and iRankFinder. Farkas’ lemma or Motzkin’s transposition theorem are often used as a tool to transform \(\exists \forall \)-constraints to \(\exists \)-constraints. However, when we apply this technique to piecewise affine ranking functions, we get nonlinear constraints [24].

Abstract interpretation is also applied to segmented synthesis of ranking functions and implemented in FuncTion [32, 34, 35]. In this series of work, decision tree representation of ranking functions is used in [35] for better handling of disjunctions. Compared to their work, we believe that our method is more easily extensible to other theories than linear integer arithmetic as long as the theories are supported by SMT solvers (although such extensions are out of the scope of this paper).

Other state-of-the-art termination verifiers include the following. Ultimate Automizer [21] is an automata-based method. It repeatedly finds a trace and computes a termination argument that contains the trace until termination arguments cover the set of all traces. Büchi automata are used to handle such traces. AProVE [10, 13] is based on term rewriting systems.

8 Conclusions and Future Work

In this paper, we proposed a novel decision tree-based synthesizer for ranking functions, which is integrated into the CEGIS architecture. The key observation here was that we need to cope with explicit and implicit cycles contained in given examples. We designed a decision tree learning algorithm using the theoretical observation of the cycle detection theorem. We implemented the framework and observed that its performance is comparable to state-of-the-art termination analyzers. In particular, it solved three benchmarks that no other tool solved, a result that demonstrates the potential of the current combination of CEGIS, segmented synthesis, and transition examples.

We plan to extend our ranking function synthesizer to a synthesizer of piecewise affine ranking supermartingales. Ranking supermartingales [11] are probabilistic version of ranking functions and used for verification of almost-sure termination of probabilistic programs.

We also plan to implement a mechanism to automatically select a suitable set of halfspaces with which decision trees are built. In our ranking function synthesizer, intervals/octagons/octahedron/polyhedra can be used as the set of halfspaces. However, selecting an overly expressive set of halfspaces may cause the problem of overfitting [25] and result in poor performance. Therefore, applying heuristics that adjusts the expressiveness of halfspaces based on the current examples may improve the performance of our tool.