Abstract
This paper shows how techniques for linear dynamical systems can be used to reason about the behavior of general loops. We present two main results. First, we show that every loop that can be expressed as a transition formula in linear integer arithmetic has a best model as a deterministic affine transition system. Second, we show that for any linear dynamical system f with integer eigenvalues and any integer arithmetic formula G, there is a linear integer arithmetic formula that holds exactly for the states of f for which G is eventually invariant. Combining the two, we develop a monotone conditional termination analysis for general loops.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
Keywords
 Termination
 Conditional termination
 Best abstraction
 Reflective subcategory
 Linear dynamical systems
 Monotone analysis
1 Introduction
Linear and affine dynamical systems are a model of computation that is easy to analyze (relative to nonlinear systems), making them useful across a broad array of applications. In the context of program analysis, affine dynamical systems correspond to loops of the form
where G is a formula, A is a matrix, \(\mathbf {x}\) is a vector of program variables, and \(\mathbf {b}\) is a constant vector. The termination problem for such loops has been shown to be decidable for several variations of this model [4, 9, 12, 24, 29]. However, few loops in real programs take this form, and so this work has not yet made an impact on practical termination analysis tools. This paper bridges the gap between theory and practice, showing how techniques for linear and affine dynamical systems can be used to reason about general programs.
Example 1
We illustrate our methodology using the example program in Fig. 1 (left). First, observe that although the body of this loop is not of the form (\(\dagger \)), the value of the sum \(x+y\) decreases by z each iteration, and z remains the same. Thus, we can approximate the loop by the linear dynamical system in Fig. 1 (right), where the nature of the approximation is given by the linear map in the center of Fig. 1 (i.e., the a coordinate corresponds to \(x+y\), and the b coordinate to z). The linear map is a simulation, in the sense that it transforms the state space of the program into the state space of the linear dynamical system so that every step in the loop has a corresponding step in the linear dynamical system.
Next, we compute the image of the guard of the loop (\(x \ge 0 \wedge y \ge 0\)) under the simulation, which yields \(a \ge 0\) (corresponding to the constraint \(x + y \ge 0\) over the original program variables). We can compute a closed form for this constraint holding on the kth iteration of the loop by exponentiating the dynamics matrix of the linear dynamical system, multiplying on the left by the row vector corresponding to the constraint, and on the right by the simulation:
We then analyze the asymptotic behavior of the closed form:
We conclude that \(z > 0 \vee (x+y) < 0\) is a sufficient condition for the loop to terminate.
The paper is organized as follows. To serve as the class of “linear models” of loops, we introduce deterministic affine transition systems (DATS), a computational model that generalizes affine dynamical systems. Sect. 3 shows that any loop expressed as a linear integer arithmetic formula has a DATSreflection, which is a best representation of the behavior of the loop as a DATS. Moreover, this holds for a restricted class of DATS with rational eigenvalues. Section 4 shows that for a linear map f with integer eigenvalues and a linear integer arithmetic formula G, there is a linear integer arithmetic formula that holds exactly for those states x such that \(G(f^k(x))\) holds for all but finitely many \(k \in \mathbb {N}\). Section 5 brings the results together, showing that the analysis of a DATS with rational eigenvalues can be reduced to the analysis of a linear dynamical system with integer eigenvalues. The fact that DATSreflections are best implies monotonicity of the analysis. Finally, in Sect. 6, we demonstrate experimentally that the analysis can be successfully applied to general programs, using the framework of algebraic termination analysis [34] to lift our loop analysis to a wholeprogram conditional termination analysis. Some proofs are omitted for space, but may be found in the extended version of this paper [33].
2 Preliminaries
This paper assumes familiarity with linear algebra – see for example [19]. We recall some basic definitions below.
In the following, a linear space refers to a finitedimensional linear space over the field of rational numbers \(\mathbb {Q}\). For V a linear space and \(U \subseteq V\), \(\textit{span}(U)\) is the linear space generated by U; i.e., the smallest linear subspace of V that contains U. An affine subspace of a linear space V is the image of a linear subspace of V under a translation (i.e., a set of the form \(\{ v + v_0 : v \in U \}\) for some linear subspace \(U \subseteq V\) and some \(v_0 \in V\)). For any scalar \(a \in \mathbb {Q}\), and any linear space V, we use \(\underline{a}\) to denote the linear map \(\underline{a} : V \rightarrow V\) that maps \(v \mapsto av\) (in particular, \(\underline{1}\) is the identity). A linear functional on a linear space V is a linear map \(V \rightarrow \mathbb {Q}\); the set of all linear functionals on V forms a linear space called the dual space of V, denoted \(V^\star \). A linear map \(f : V_1 \rightarrow V_2\) induces a dual linear map \(f^\star : V_2^\star \rightarrow V_1^\star \) where \(f^\star (g) \triangleq g \circ f\). For any linear space V, V is naturally isomorphic to \(V^\star {}^\star \), where the isomorphism maps \(x \mapsto \lambda f : V^\star . f(x)\).
Let V be a linear space. A linear map \(f : V \rightarrow V\) is associated with a characteristic polynomial \(p_f(x)\), which is defined to be the determinant of \((xI  A_f)\), where \(A_f\) is a matrix representation of f with respect to some basis (the choice of which is irrelevant). Define the spectrum (set of eigenvalues) of f to be the set of (possibly complex) roots of its characteristic polynomial, \(\textit{spec}(f) \triangleq \{ \lambda \in \mathbb {C} : p_f(\lambda ) = 0 \}\). We say that f has rational spectrum if \(\textit{spec}(f) \subseteq \mathbb {Q}\); equivalently (by the spectral theorem – see e.g. [19, Ch. 6, Theorem 7]):

There is a basis \(\{x_1,...,x_n\}\) for V consisting of generalized (right) eigenvectors, satisfying \((f  \underline{\lambda _i})^{r_i}(x_i) = 0\) for some \(\lambda _i \in \textit{spec}(f)\) and some \(r_i \ge 1\) (\(r_i\) is called the rank of \(x_i\))

There is a basis \(\{g_1,...,g_n\}\) for \(V^\star \) consisting of generalized left eigenvectors, satisfying \(g_i \circ (f  \underline{\lambda _i})^{r_i} = 0\) for some \(\lambda _i \in \textit{spec}(f)\) and some \(r_i \ge 1\)
It is possible to determine whether a linear map has rational spectrum (and compute the basis of eigenvectors for V and \(V^\star \)) in polynomial time by computing its characteristic polynomial [15], factoring it [22], and checking whether each factor is linear.
The syntax of linear integer arithmetic (LIA) is given as follows:
Let \(X \subseteq \textsf {Variable}\) be a set of variables. A valuation over X is a map \(v : X \rightarrow \mathbb {Z}\). If F is a formula whose free variables range over X and v is a valuation over X, then we say that v satisfies F (written \(v \models F\)) if the formula F is true when interpreted over the standard model of the integers, using v to interpret the free variables. We write \(F \models G\) if every valuation that satisfies F also satisfies G.
2.1 Transition Systems
A transition system T is a pair \(T = \left\langle S_T, R_T \right\rangle \) where \(S_T\) is a set of states and \(R_T \subseteq S_T \times S_T\) is a transition relation. Within this paper, we shall assume that the state space of any transition system is a finitedimensional linear space (over \(\mathbb {Q}\)). We write \(x \rightarrow _{T} x'\) to denote that the pair \(\left\langle x,x' \right\rangle \) belongs to \(R_T\). We define the domain of a transition system T, \(\text {dom}(T) \triangleq \{ x \in S_T : \exists x'. x \rightarrow _{T} x' \}\), to be the set of states that have a Tsuccessor. We define the \(\omega \)domain \(\text {dom}^\omega (T)\) of T to be the set of states from which there exist infinite Tcomputations:
A transition formula \(F(X,X')\) is an LIA formula whose free variables range over a designated finite set of variables X and a set of “primed copies” \(X' = \{ x' : x \in X\}\). For example, a transition formula that represents the body of the loop in Fig. 1 is
We use \(\mathbf{TF} {}\) to denote the set of transition formulas. A transition formula \(F(X,X')\) defines a transition system where the state space is the set of functions \(X \rightarrow \mathbb {Q}\), and where \(v \rightarrow _F v'\) if and only if both (1) v and \(v'\) map each \(x \in X\) to an integer and (2) \([v,v'] \models F\), where \([v,v']\) denotes the valuation that maps each \(x \in X\) to v(x) and each \(x' \in S'\) to \(v'(x)\). Defining the state space of F to be \(X \rightarrow \mathbb {Q}\) rather than \(X \rightarrow \mathbb {Z}\) is a technical convenience (\(X \rightarrow \mathbb {Q} \cong \mathbb {Q}^{X}\) is a linear space), but does not materially affect the results of this paper since only (integral) valuations are involved in transitions.
Let \(T = \left\langle S_T,R_T \right\rangle \) be a transition system. We say that T is:

linear if \(R_T\) is a linear subspace of \(S_T \times S_T\),

affine if \(R_T\) is an affine subspace of \(S_T \times S_T\),

deterministic if \(x \rightarrow _{T} x_1'\) and \(x \rightarrow _{T} x_2'\) implies \(x_1' = x_2'\)

total if for all \(x \in S_T\) there exists some \(x' \in S_T\) with \(x \rightarrow _{T} x'\)
For example, the transition system T with transition relation
is deterministic and affine, but not linear or total. The transition system U with transition relation
is total, linear (and affine), but not deterministic. The classical notion of a linear dynamical system—a transition system where the state evolves according to a linear map—corresponds to a total, deterministic, linear transition system. Similarly, an affine dynamical system is a transition system that is total, deterministic, and affine.
For any map \(s : X \rightarrow Y\), and any relation \(R \subseteq X \times X\), define the image of R under s to be the relation \(s[R] = \left\{ \left\langle s(x),s(x') \right\rangle : \left\langle x,x' \right\rangle \in R \right\} \). For any relation \(R \subseteq Y \times Y\), define the inverse image of R under s to be the relation \(s^{1}[R] = \left\{ \left\langle x,x' \right\rangle : \left\langle s(x),s(x') \right\rangle \in R \right\} \). Let \(T = \left\langle S_T,R_T \right\rangle \) and \(U = \left\langle S_U,R_U \right\rangle \) be transition systems. We say that a linear map \(s : S_T \rightarrow S_U\) is a linear simulation from T to U, and write \(s : T \rightarrow U\), if for all \(x \rightarrow _{T} x'\), we have \(s(x) \rightarrow _{U} s(x')\). Observe that the following are equivalent: (1) s is a simulation, (2) \(s[R_T] \subseteq R_U\), and (3) \(R_T \subseteq s^{1}[R_U]\).
An example of a simulation between a transition formula and a linear dynamical system is given in Fig. 1. In fact, there are many linear dynamical systems that overapproximate this loop; however, the simulation and linear dynamical system given in Fig. 1 is its best abstraction.
To formalize the meaning of best abstractions, it is convenient to use the language of category theory [17]. Any class of transition systems defines a category, where the objects are transitions systems of that class, and the arrows are linear simulations between them. We use boldface letters (Linear, Affine, Deterministic, Total) to denote categories of transition systems (e.g., \(\mathbf {DATS}\) denotes the category of Deterministic Affine Transition Systems).
If T is a transition system and \(\mathbf {C}\) is a category of transition systems, a \(\mathbf {C}\)abstraction of T is a pair \(\left\langle U,s \right\rangle \) consisting of a transition system U belonging to \(\mathbf {C}\) and a linear simulation \(s : T \rightarrow U\). A \(\mathbf{C} \)reflection of T is a \(\mathbf {C}\)abstraction that satisfies a universal property among \(\mathbf{C} \)abstractions of T: for any \(\mathbf {C}\)abstraction \(\left\langle V,t \right\rangle \) of T there exists a unique simulation \(\overline{t} : U \rightarrow V\) such that \(\overline{t} \circ s = t\); i.e., the following diagram commutes:
If \(\mathbf {D}\) is a category of transition systems and \(\mathbf {C}\) is a subcategory such that every transition system in \(\mathbf {D}\) has a \(\mathbf {C}\)reflection, we say that \(\mathbf {C}\) is a reflective subcategory of \(\mathbf {D}\).
Our ultimate goal is to bring techniques from linear dynamical systems to bear on transition formulas. Fig. 1 gives an example of a program and its linear dynamical system reflection. Unfortunately, such reflections do not exist for all transition formulas, which motivates our investigation of alternative models.
Proposition 1
The transition formula \(x' = x \wedge x = 0\) has no \(\mathbf {TDATS}\)reflection.
Proof
Let F be the 1dimensional transition formula \(x' = x \wedge x = 0\). For a contradiction, suppose that \(\left\langle A,s \right\rangle \) is a \(\mathbf {TDATS}\)reflection of F. Since F contains the origin, then so must the transition relation of A, and so A is linear. Next, consider that for any \(\lambda \in \mathbb {Q}\), we have the simulation \(\textit{id} : F \rightarrow A_\lambda \), where \(\textit{id}\) is the identity function and \(A_\lambda = \left\langle \mathbb {Q},x \mapsto \lambda x \right\rangle \). Since \(\left\langle A,s \right\rangle \) is a reflection of F, for any \(\lambda \), there is some \(t_\lambda \) such that \(t_\lambda : A \rightarrow A_\lambda \) and \(\textit{id} = t_\lambda \circ s\). Since \(t_\lambda \) is a simulation, we have \(\lambda t_\lambda = A_\lambda \circ t_\lambda = t_\lambda \circ A\). Since \(\textit{id} = t_\lambda \circ s\), we must have \(t_\lambda \) nonzero, and so \(t_\lambda \) is a left eigenvector of A with eigenvalue \(\lambda \). Since this holds for all \(\lambda \), A must have infinitely many eigenvalues, a contradiction.
3 Linear Abstractions of Transition Formulas
Proposition 1 shows that not every transition formula has a total deterministic affine reflection. In the following we show that totality is the only barrier: every transition formula has a (computable) \(\mathbf {DATS}{}\)reflection. Moreover, we show that every transition formula has a rational spectrum \(\mathbf {DATS}{}\) (\(\mathbb {Q}\text {}\mathbf {DATS}\))reflection, a restricted class of \(\mathbf {DATS}{}\) that generalizes affine maps \(x \mapsto A\mathbf {x} + \mathbf {b}\) where A has rational eigenvalues. The restriction on eigenvalues makes it easier to reason about the termination behavior of \(\mathbb {Q}\text {}\mathbf {DATS}\).
In the remainder of this section, we show that every transition formula has a \(\mathbb {Q}\text {}\mathbf {DATS}{}\)reflection by establishing a chain of reflective subcategories:
The fact that \(\mathbb {Q}\text {}\mathbf {DATS}{}\) is a reflective subcategory of \(\mathbf {TF}\) then follows from the fact that a reflective subcategory of a reflective subcategory is reflective.
3.1 Affine Abstractions of Transition Formulas
Let \(F(X,X')\) be a transition formula. The affine hull of F, denoted \(\textit{aff}(F)\), is the smallest affine set \(\textit{aff}(F) \subseteq (X \cup X') \rightarrow \mathbb {Q} \cong (X \rightarrow \mathbb {Q}) \times (X \rightarrow \mathbb {Q})\) that contains all of the models of F. Reps et al. give an algorithm that can be used to compute \(\textit{aff}(F)\), by using an SMT solver to sample a set of generators [26].
Lemma 1
Let \(F(X,X')\) be a transition formula. The affine hull of F (considered as a transition system) is the best affine abstraction of F (where the simulation from F to \(\textit{aff}(F)\) is the identity).
Example 2
Consider the example program in Fig. 1. Letting F denote the transition formula corresponding to the program, \(\textit{aff}(F)\) can be represented as the solutions to the constraints
Notice that \(\textit{aff}(F)\) is 4dimensional and has a transition relation defined by 3 constraints, and thus is not deterministic. The next step is to find a suitable projection onto a lowerdimensional space so that the resulting transition system is deterministic.
3.2 Reflections via the Dual Space
This section presents a key technical tool that will be used in the next two subsections to prove the existence of reflections. For any transition system T, an abstraction \(\left\langle U,s \right\rangle \) of T consisting of a transition system U and a simulation \(s : S_T \rightarrow S_U\) induces a subspace of \(S_T^\star \), which is the range of the dual map \(s^\star \) (i.e., the set of all linear functionals on \(S_T\) of the form \(g \circ s\) where \(g \in S_U^\star \)). The essential idea is we can apply this in reverse: any subspace \(\varLambda \) of \(S_T^\star \) induces a transition system U and a simulation \(s : T \rightarrow U\) that satisfies a universal property among all abstractions \(\left\langle V,v \right\rangle \) of T where the range of \(v^\star \) is contained in \(\varLambda \). We will now formalize this idea.
Let T be a transition system, and let \(\varLambda \) be a subspace of \(S_T^\star \). Define \(\alpha _\varLambda (T)\) to be the pair \(\alpha _\varLambda (T) \triangleq \left\langle U,s \right\rangle \) consisting of a transition system U and a linear simulation \(s : T \rightarrow U\) where

\(s : S_T \rightarrow \varLambda ^\star \) sends each \(x \in S_T\) to \(\lambda f : \varLambda . f(x)\)

\(S_U \triangleq \varLambda ^\star \), and \(R_U \triangleq s[R_T] = \left\{ \left\langle s(x),s(x') \right\rangle : \left\langle x,x' \right\rangle \in R_T \right\} \)
Lemma 2
(Dual space simulation). Let T be a transition system, let \(\varLambda \) be a subspace of \(S_T^\star \), and let \(\left\langle U,s \right\rangle = \alpha _\varLambda (T)\). Suppose that Z is a transition system and \(z : T \rightarrow Z\) is a simulation such that the range of \(z^\star \) is contained in \(\varLambda \). Then there exists a unique simulation \(\overline{z} : U \rightarrow Z\) such that \(\overline{z} \circ s = z\).
Proof
The highlevel intuition is that since the range of \(z^\star \) is contained in \(\varLambda \), we may consider it to be a map \(z^\star : S_Z^\star \rightarrow \varLambda \); dualizing again, we get a map \(z^\star {}^\star : \varLambda ^\star \rightarrow S_Z^{\star \star }\), whose domain is \(S_U\) and codomain is (isomorphic to) \(S_Z\).
More formally, let \(j : S_Z \rightarrow S_Z^{\star \star }\) be the natural isomorphism between \(S_Z\) and \(S_Z^{\star \star }\) defined by \(j(y) \triangleq \lambda g : S_Z^\star . g(y)\). Define \(\overline{z} : \varLambda ^\star \rightarrow S_Z\) by
First we show that \(\overline{z} \circ s = z\). Let \(x \in S_Z\). Then we have
Next we show that \(\overline{z}\) is a simulation. Suppose \(y \rightarrow _{U} y'\). Since \(R_{U} = s[R_T]\), there is some \(x,x' \in S_T\) such that \(x \rightarrow _{T} x'\), \(s(x) = y\), and \(s(x') = y'\). Since \(z : T \rightarrow Z\) is a simulation, we have that \(z(x) \rightarrow _{Z} z(x)\), and so \(\overline{z}(s(x)) \rightarrow _{Z} \overline{z}(s(x'))\), and we may conclude that \(\overline{z}(y) \rightarrow _{Z} \overline{z}(y')\).
Finally, observe that s is surjective, and therefore the solution to the equation \(\overline{z} \circ s = z\) is unique.
We conclude this section by illustrating how to compute the function \(\alpha \) for affine transition systems. Suppose that T is an affine transition system of dimension n. We can represent states in \(S_T\) by vectors in \(\mathbb {Q}^n\), and the transition relation \(R_T\) by a finite set of transitions \(B \subseteq \mathbb {Q}^n \times \mathbb {Q}^n\) that generates \(R_T\) (i.e., \(R_T = \textit{aff}(B)\)). Suppose that \(\varLambda \) is an mdimensional subspace of \(S_T^\star \); elements of \(S_T^\star \) can be represented by ndimensional row vectors, and \(\varLambda \) can be represented by a basis \(\mathbf {f}^\intercal _1, \dots , \mathbf {f}^\intercal _m\). We can compute a representation of \(\left\langle U,s \right\rangle = \alpha _\varLambda (T)\) as follows. The elements of \(S_U = \varLambda ^\star \) can be represented by mdimensional vectors (with respect to the basis \(g_1, \dots , g_m\) such that \(g_i\) is the linear map that sends \(\mathbf {f}^\intercal _j\) to 1 if \(i=j\) and to 0 otherwise). The simulation s can be represented by the \(m \times n\) matrix where the ith row is \(\mathbf {f}_i^\intercal \). Finally, the transition relation \(R_U\) can be represented by a set of generators \(\left\{ \left\langle s(\mathbf {x}), s(\mathbf {x}') \right\rangle : \left\langle \mathbf {x},\mathbf {x}' \right\rangle \in B \right\} \).
3.3 Determinization
In this section, we show that any transition system operating over a finitedimensional vector space has a best deterministic abstraction, and give an algorithm for computing the best deterministic affine abstraction (or determinization) of an affine transition system.
Towards an application of Lemma 2, we seek to characterize the determinization of a transition system by a space of functionals on its state space. For any linear space V and space of functionals \(\varLambda \) on V, define an equivalence relation \(\equiv _\varLambda \) on V by \(x \equiv _\varLambda y\) iff \(f(x) = f(y)\) for all \(f \in \varLambda \). If T is a transition system and \(\varLambda ,\varLambda '\) are spaces of functionals on \(S_T\), we say that T is \((\varLambda ,\varLambda ')\)deterministic if for all \(x_1,x_2\) \(x_1',x_2'\) such that \(x_1 \equiv _\varLambda x_2\), \(x_1 \rightarrow _{T} x_1'\), and \(x_2 \rightarrow _{T} x_2'\), then we also have \(x_1' \equiv _{\varLambda '} x_1'\). Observe that if D is a deterministic transition system and \(d : T \rightarrow D\) is a simulation, then T must be \((\varLambda _d,\varLambda _d)\)deterministic, where \(\varLambda _d\) is the range of the dual map \(d^\star \).
For any T and \(\varLambda \), define \(\textsf {Det}(T,\varLambda ) \triangleq \left\{ f : T \text { is } (\varLambda ,\left\{ f \right\} )\text {deterministic} \right\} \) to be the greatest set of functionals such that T is \((\varLambda ,\textsf {Det}(T,\varLambda ))\)deterministic. Observe that \(\textsf {Det}(T, )\) is a monotone operator on the complete lattice of linear subspaces of \(S_T^\star \) (i.e., if \(\varLambda _1 \subseteq \varLambda _2\) then \(\textsf {Det}(T,\varLambda _1) \subseteq \textsf {Det}(T,\varLambda _2)\), since \(\varLambda _1\) induces a coarser equivalence relation than \(\varLambda _2\)). By the KnasterTarski fixpoint theorem [28], \(\textsf {Det}(T,)\) has a greatest fixpoint, which we denote by \(\textsf {Det}(T)\). Then we have that T is \((\textsf {Det}(T),\textsf {Det}(T))\)deterministic, and \(\textsf {Det}(T)\) contains every space \(\varLambda \) such that T is \((\varLambda ,\varLambda )\)deterministic.
Lemma 3
(Determinization). For any transition system T, \(\alpha _{\textsf {Det}(T)}(T)\) is a deterministic reflection of T.
Proof
Let \(\left\langle D,d \right\rangle \triangleq \alpha _{\textsf {Det}(T)}(T)\). First, we show that D is deterministic. Suppose that \(y \rightarrow _{D} y_1'\) and \(y \rightarrow _{D} y_2'\); we must show that \(y_1' = y_2'\). Since \(R_D\) is defined to be \(d[R_T]\), there must be \(x_1\), \(x_2\), \(x_1'\), and \(x_2'\) in \(S_T\) such that \(x_1 \rightarrow _{T} x_1'\), \(x_2 \rightarrow _{T} x_2'\), \(d(x_1) = d(x_2) = y\), \(d(x_1') = y_1'\), and \(d(x_2') = y_2\). Since \(d(x_1) = d(x_2)\), we have \((\lambda f : \textsf {Det}(T). f(x_1)) = (\lambda f : \textsf {Det}(T). f(x_2))\), and therefore \(x_1 \equiv _{\textsf {Det}(T)} x_2\). We thus have \(x_1' \equiv _{\textsf {Det}(T,\textsf {Det}(T))} x_2'\), and since \(\textsf {Det}(T,\textsf {Det}(T)) = \textsf {Det}(T)\), we have \(y_1' = d(x_1') = d(x_2') = y_2'\).
It remains to show that \(\left\langle D,d \right\rangle \) is a deterministic reflection of T. Suppose that \(\left\langle U,u \right\rangle \) is another deterministic abstraction of T. Define G to be the range of \(u^\star \). Since U is deterministic, we must have \(G \subseteq \textsf {Det}(T,G)\), and since \(\textsf {Det}(T)\) is the greatest fixpoint of \(\textsf {Det}(T,)\) we have \(G \subseteq \textsf {Det}(T)\). By Lemma 2, there is a unique linear simulation \(\overline{u} : D \rightarrow U\) such that \(\overline{u} \circ d = u\).
If a transition system T is affine, then its determinization can be computed in polynomial time. Fixing a basis for the state space \(S_T\) (of some dimension n), we can represent the transition relation of T in the form \(R_T = \{ \left\langle \mathbf {x},\mathbf {x}' \right\rangle : A\mathbf {x}' = B\mathbf {x} + \mathbf {c} \}\) where \(A, B \in \mathbb {Q}^{m \times n}\) and \(\mathbf {c} \in \mathbb {Q}^m\) (for some m). We can represent functionals on \(S_T\) by ndimensional vectors, where the vector \(\mathbf {v} \in \mathbb {Q}^n\) corresponds to the functional that maps \(\mathbf {u} \mapsto \mathbf {v}^\intercal \mathbf {u}\). A linear space of functionals \(\varLambda \) can be represented by a system of linear equations \(\varLambda = \left\{ \mathbf {x} : M\mathbf {x} = 0 \right\} \). The ith row \(\mathbf {a}_i^\intercal \mathbf {v} = \mathbf {b}_i^\intercal \mathbf {u} + c_i\), of the system of equations \(A\mathbf {x}' = B\mathbf {x} + \mathbf {c}\) can be read as “T is \((\left\{ \mathbf {b}_i^\intercal \right\} ,\left\{ \mathbf {a}_i^\intercal \right\} )\)deterministic.” Thus, the functionals \(\mathbf {f}^\intercal \) such that T is \((\varLambda ,\left\{ \mathbf {f}^\intercal \right\} )\)deterministic are those that can be written as a linear combination of the rows of A such that the corresponding linear combination of the rows of B belongs to \(\varLambda \); i.e.,
A representation of \(\textsf {Det}(T,\varLambda )\) can be computed in polynomial time using Gaussian elimination. Since the lattice of linear subspaces of \(S_T^\star \) has height n, the greatest fixpoint of \(\textsf {Det}(T,)\) can be computed in polynomial time.
Example 3
Continuing the example from Fig. 1 and Example 2, we consider the determinization of the affine transition system in Eq. (2). The rows of the matrix on the lefthand side correspond to generators for \(\textsf {Det}(\textit{aff}(F),{\mathbb {Q}^4}^\star )\):
which is the greatest fixpoint \(\textsf {Det}(\textit{aff}(F))\). Intuitively: after one step of \(\textit{aff}(F)\), the values of w, \(x+y\), and z are affine functions of the input; after two steps \(x+y\) and z are affine functions of the input but w is not, since the value of w on the second step depends upon the value of x in the first, and x is not an affine function of the input.
This yields the deterministic reflection \(\left\langle D,d \right\rangle \) (pictured in Fig. 1) where
3.4 RationalSpectrum Reflections of DATS
In this section, we define rationalspectrum \(\mathbf {DATS}{}\) and show that every \(\mathbf {DATS}{}\) has a rationalspectrumreflection.
In the following, it is convenient to work with transition systems that are linear rather than affine. We will prove that every deterministic linear transition system has a best abstraction with rational spectrum. The result extends to the affine case through the use of homogenization: i.e., we embed a (nonempty) affine transition system into a linear transition system with one additional dimension, such that if we fix that dimension to be 1 then we recover the affine transition system. If the transition relation of a \(\mathbf {DATS}{}\) is represented in the form \(A\mathbf {x}' = B\mathbf {x} + \mathbf {c}\), then its homogenization is simply
For a \(\mathbf {DATS}{}\) T, we use \(\textsf {homog}(T)\) to denote the pair \(\left\langle L, h \right\rangle \), consisting the \(\mathbf {DLTS}\) L resulting from homogenization and the affine simulation \(h : T \rightarrow L\) that maps each \(\mathbf {x} \in S_T\) to \(\begin{bmatrix} \mathbf {x} \\ 1 \end{bmatrix}\) (i.e., the affine simulation h formalizes the idea that if we fix the extra dimension y to be 1, we recover the original \(\mathbf {DATS}\) T).
Let T be a deterministic linear transition system. Since our goal is to analyze the asymptotic behavior of T, and all longrunning behaviors of T reside entirely within \(\text {dom}^\omega (T)\), we are interested in the structure of \(\text {dom}^\omega (T)\) and T’s behavior on this set. First, we observe that \(\text {dom}^\omega (T)\) is a linear subspace of \(S_T\) and is computable. For any k, let \(T^k\) denote the linear transition system whose transition relation is the kfold composition of the transition relation of R. Consider the descending sequence of linear spaces
(i.e., the set of states from which there are T computations of length 1, length 2, length 3, ...). Since the space \(S_T\) is finite dimensional, this sequence must stabilize at some k. Since the states in \(\text {dom}(T^k)\) have Tcomputations of any length and T is deterministic, we have that \(\text {dom}(T^k)\) is precisely \(\text {dom}^\omega (T)\).
Since T is total on \(\text {dom}^\omega (T)\) and the successor of a state in \(\text {dom}^\omega (T)\) must also belong to \(\text {dom}^\omega (T)\), T defines a linear map \(T_\omega : \text {dom}^\omega (T) \rightarrow \text {dom}^\omega (T)\). In this way, we can essentially reduce asymptotic analysis of \(\mathbf {DATS}{}\) to asymptotic analysis of linear dynamical systems. The asymptotic analysis of linear dynamical systems developed in Sects. 4 and 5 requires rational eigenvalues; thus we are interested in \(\mathbf {DATS}{}\) T such that \(T_\omega \) has rational eigenvalues. With this in mind, we define \(\textit{spec}(T) = \textit{spec}(T_\omega )\), and say that T has rational spectrum if \(\textit{spec}(T) \subseteq \mathbb {Q}\). Define \(\mathbb {Q}\text {}\mathbf {DLTS}{}\) to be the subcategory of \(\mathbf {DLTS}{}\) with rational spectrum, and \(\mathbb {Q}\text {}\mathbf {DATS}{}\) to be the subcategory of \(\mathbf {DATS}{}\) whose homogenization lies in \(\mathbb {Q}\text {}\mathbf {DLTS}{}\).
Example 4
Consider the \(\mathbf {DLTS}{}\) T with
The bottommost equation corresponds to a constraint that only vectors where the x and y coordinates are equal have successors, so we have:
Supposing that the x and y coordinates are equal in some prestate, they are equal in the poststate exactly when \(z=0\), so we have
It is easy to check that \(\text {dom}(T^3) = \text {dom}(T^2)\), and therefore \(\text {dom}^\omega (T) = \text {dom}(T^2)\). The vector \(\begin{bmatrix}1&1&0\end{bmatrix}^\intercal \) is a basis for \(\text {dom}^\omega (T)\), and the matrix representation of \(T_\omega \) with respect to this basis is \(\begin{bmatrix} 2 \end{bmatrix}\) (i.e., \(\begin{bmatrix}1&1&0\end{bmatrix}^\intercal \rightarrow _T \begin{bmatrix}2&2&0\end{bmatrix}^\intercal \)). Thus we can see \(\textit{spec}(T) = \left\{ 2 \right\} \), and T is a \(\mathbb {Q}\text {}\mathbf {DLTS}{}\).
Towards an application of Lemma 2, define the generalized rational eigenspace of a DLTS T to be
Lemma 4
Let T be a DLTS, and define \(\left\langle Q,q \right\rangle \triangleq \alpha _{E_\mathbb {Q}(T)}(T)\). Then for any \(\mathbb {Q}\text {}\mathbf {DLTS}{}\) U and any simulation \(s : T \rightarrow U\), there is a unique simulation \(\overline{s} : Q \rightarrow U\) such that \(\overline{s} \circ q = s\).
While \(\alpha _{E_\mathbb {Q}(T)}(T)\) satisfies a universal property for \(\mathbb {Q}\text {}\mathbf {DLTS}{}\), it does not necessary belong to \(\mathbb {Q}\text {}\mathbf {DLTS}{}\) itself because it need not be deterministic. However, by iterative interleaving of Lemma 4 and determinization as shown in Algorithm 1, we arrive at a \(\mathbb {Q}\text {}\mathbf {DLTS}{}\)reflection. Example 5 demonstrates how we calculate a \(\mathbb {Q}\text {}\mathbf {DLTS}{}\)reflection of a particular \(\mathbf {DLTS}{}\).
Example 5
Consider the \(\mathbf {DLTS}{}\) T with transition relation
We can calculate the \(\omega \)domain of T \(\text {dom}^\omega (T) = \left\{ \begin{bmatrix}w&x&y&z\end{bmatrix}^\intercal : w = x \right\} \), which has a basis \(B = \begin{bmatrix}1&1&0&0\end{bmatrix}^\intercal , \begin{bmatrix}0&0&1&0\end{bmatrix}^\intercal , \begin{bmatrix}0&0&0&1\end{bmatrix}^\intercal \). With respect to B, \(T_\omega \) corresponds to the matrix
and so we have \(\textit{spec}(T) = \left\{ 2,i,i \right\} \). We may calculate \(E_\mathbb {Q}(T)\) by finding (generalized) left eigenvectors with eigenvalue 2, the only rational number in \(\textit{spec}(T)\):
Finally, we have \(\left\langle Q,q \right\rangle = \alpha _{E_{\mathbb {Q}}(T)}(T)\), where
Q is deterministic and has rational spectrum, so \(\left\langle Q,q \right\rangle \) is a \(\mathbb {Q}\text {}\mathbf {DLTS}{}\)reflection of T.
Theorem 1
For any deterministic linear transition system, Algorithm 1 computes a \(\mathbb {Q}\text {}\mathbf {DLTS}{}\)reflection.
Finally, by homogenization and Theorem 1, we conclude with the desired result:
Corollary 1
\(\mathbb {Q}\text {}\mathbf {DATS}{}\) is a reflective subcategory of \(\mathbf {DATS}{}\).
4 Asymptotic Analysis of Linear Dynamical Systems
This section is concerned with analyzing the behavior of loops of the form
where the \(G(\mathbf {x})\) is an LIA formula and A is a matrix with integer spectrum. Our goal is to capture the asymptotic behavior of iterating the map A on an initial state \(\mathbf {x}_0\) with respect to the formula G. Specifically, we show that
Theorem 2
For any LIA formula G and any matrix A with integer spectrum, there is a periodic sequence of LIA formulas \(H_0, H_1,H_2,\dots \) such that for any initial state \(\mathbf {x}_0 \in \mathbb {Q}^n\), there exists K such that for any \(k > K\), \(G(A^k \mathbf {x}_0)\) holds if and only if \(H_k(\mathbf {x}_0)\) does.
Recall that an infinite sequence \(H_0, H_1, H_2, \ldots \) is periodic if it is of the form
We call the periodic sequence \((H_0, H_1, \dots , H_P)^\omega \) the characteristic sequence of the guard formula G with respect to dynamics matrix A, and denote it by \(\chi (G, A)\). Note that \(G(A^k\mathbf {x}_0)\) holds for all but finitely many k exactly when \(\bigwedge _{i=0}^P H_i(\mathbf {x}_0)\) holds.
In the remainder of this section, we show how to compute characteristic sequences. Let G be an LIA formula and let A be a matrix with integer spectrum. To begin, we compute a quantifierformula \(G'\) that is equivalent to G (using, for example, Cooper’s algorithm [7]). We define \(\chi (G',A)\) by recursion on the structure of \(G'\). For the logical connectives \(\wedge \), \(\vee \), and \(\lnot \), characteristic sequences are defined pointwise:
It remains to show how \(\chi \) acts on atomic formulas, which take the form of inequalities \(t_1 \le t_2\) and divisibility constraints \(n \mid t\). An important fact that we employ in both cases is that for any linear term \(\mathbf {c}^\intercal \mathbf {x}\) over the variables \(\mathbf {x}\), we can compute a closed form for \(\mathbf {c}^\intercal A^k(\mathbf {x})\) by symbolically exponentiating A. Since (by assumption) A has integer eigenvalues, this closed form has the form \(\frac{1}{Q}(p(\mathbf {x},k))\) where \(Q \in \mathbb {N}\) and p is an integer exponentialpolynomial term, which takes the form
where \(\lambda _i \in \textit{spec}(A)\), \(d_i \in \mathbb {N}\), and \(\mathbf {a}_i \in \mathbb {Z}^n\).^{Footnote 1}
Characteristic Sequences for Inequalities. Our method for computing characteristic sequences for inequalities is a variation of Tiwari’s method for deciding termination of linear loops with real eigenvalues [29].
First, suppose that \(\mathbf {p}(\mathbf {x},k)\) is an integer exponentialpolynomial of the form in Eq. (3) such that each \(\lambda _i\) is a positive integer. Further suppose that the summands are ordered by asymptotic growth, with the dominant term appearing earliest in the list; i.e., for \(i < j\) we have either \(\lambda _i > \lambda _j\), or \(\lambda _i = \lambda _j\) and \(d_i > d_j\). If we imagine that the variables \(\mathbf {x}\) are fixed to some \(\mathbf {x}_0 \in \mathbb {Z}^n\), then we see that \(p(\mathbf {x}_0,k)\) is either identically zero or has finitely many zeros, and therefore its sign is eventually stable. Furthermore, the sign of \(p(\mathbf {x}_0,k)\) as k tends to \(\infty \) is simply the sign of its dominant term – that is, the sign of \(\mathbf {a}_i^\intercal \mathbf {x}_0\) for the least i such that \(\mathbf {a}_i^\intercal \mathbf {x}_0\) is nonzero. Thus, we may define a function \(\textsf {DTA}\) that maps any exponentialpolynomial term \(p(\mathbf {x},k)\) (with positive integral \(\lambda _i\)) to an LIA formula such that for any \(\mathbf {x}_0 \in \mathbb {Z}^n\), \(\mathbf {x}_0 \models \textsf {DTA}(p)\) holds if and only if \(\mathbf {p}(\mathbf {x}_0,k)\) is eventually nonnegative (\(\mathbf {p}(\mathbf {x}_0,k) \ge 0\) for all but finitely many \(k \in \mathbb {N}\)). \(\textsf {DTA}\) is defined as follows:
Finally, we define the characteristic sequence of an inequality atom as follows. An inequality \(t_1 \le t_2\) over the variables \(\mathbf {x}\) can be written as \(\mathbf {c}^\intercal \mathbf {x} + d \ge 0\) for \(\mathbf {c} \in \mathbb {Z}^n\) and \(d \in \mathbb {Z}\). Let \(\frac{1}{Q_{\textit{even}}}p_{\textit{even}}(\mathbf {x},k)\) and \(\frac{1}{Q_{\textit{odd}}}p_{\textit{odd}}(\mathbf {x},k)\) be the closed forms of \(\mathbf {c}^\intercal A^{2k}(\mathbf {x})\) and \(\mathbf {c}^\intercal A^{2k + 1}(\mathbf {x})\), respectively; by splitting into “even” and “odd” cases, we ensure that the exponentialpolynomial terms \(p_{\textit{even}}(\mathbf {x},k)\) and \(p_{\textit{odd}}(\mathbf {x},k)\) have only positive \(\lambda _i\) and thus are amenable to the dominant term analysis \(\textsf {DTA}\) described above. Then we define:
Example 6
Consider the matrix A and its exponential \(A^k\) below:
First we compute the characteristic sequence \(\chi (x \ge 0,A)\). Applying the dominant term analysis of the closed form of x yields
Since the closed form involves only positive exponential terms, we need not split into an even and odd case, and we simply have:
Next we compute the characteristic sequence \(\chi (ab \ge 0, A)\), which does require a case split. Applying dominant term analysis of the closed form of \((ab)\) yields
and thus we have
Characteristic Sequences for Divisibility Atoms. Last we show how to define \(\chi \) for divisibility atoms \(n \mid t\). Write the term t as \(\mathbf {c}^\intercal \mathbf {x}+d\) and let the closed form of \(\mathbf {c}^\intercal A^k(\mathbf {x})\) be
The formula \(n \mid \mathbf {c}^\intercal A^k(\mathbf {x})+d\) is equivalent to \(Qn \mid \lambda _1^kk^{d_1} \mathbf {a}_1^\intercal \mathbf {x} + \cdots + \lambda _m^kk^{d_m}\mathbf {a}_m^\intercal \mathbf {x} + Qd\). For any i, the sequence \(\langle \lambda _i^kk^{d_i} \bmod Qn\rangle _{k=0}^\infty \) is ultimately periodic, since (1) \(\langle k \bmod Qn \rangle _{k=0}^\infty = (0, 1, \dots , Qn 1)^\omega \), (2) \(\langle \lambda _i^k \mod Qn \rangle _{k=0}^\infty \) is ultimately periodic (with period and transient length bounded above by Qn)^{Footnote 2}, and (3) ultimately periodic sequences are closed under pointwise product. It follows that for each i, there is a periodic sequence of integers \(\left\langle z_{i,k} \right\rangle _{k=0}^\infty \) that agrees with \(\langle \lambda _i^kk^{d_i} \bmod Qn\rangle _{k=0}^\infty \) on all but finitely many terms. Finally, we take
Example 7
Consider matrix A and the closed form of its exponents below
We show the characteristic sequences for some divisibility atoms w.r.t A:
5 A Conditional Termination Analysis for Programs
This section demonstrates how the results from Sects. 3 and 4 can be combined to yield a conditional termination analysis that applies to general programs.
IntegerSpectrum Restriction for \(\mathbb {Q}\text {}\mathbf {DLTS}{}\). Section 3 gives a way to compute a \(\mathbb {Q}\text {}\mathbf {DATS}{}\)reflection of any transition formula. Yet the analysis we developed in Sect. 4 only applies to linear dynamical systems with integer spectrum. We now show how to bridge the gap. Let V be a \(\mathbb {Q}\text {}\mathbf {DATS}{}\). As discussed in Sect. 3.4, we may homogenize V to obtain a \(\mathbb {Q}\text {}\mathbf {DLTS}\) T. Define \(\mathbb {Z}(T)\) to be the space spanned by the generalized (right) eigenvectors of \(T_\omega \) that correspond to integer eigenvalues:
Since \(\mathbb {Z}(T)\) is invariant under \(T_\omega \) and thus T, T defines a linear map \(T_{\mathbb {Z}} : \mathbb {Z}(T) \rightarrow \mathbb {Z}(T)\), and by construction \(T_{\mathbb {Z}}\) has integer spectrum. The following lemma justifies the restriction of our attention to the subspace \(\mathbb {Z}(T)\).
Lemma 5
Let F be a transition formula, let \(\left\langle V, s \right\rangle \) be a \(\mathbb {Q}\text {}\mathbf {DATS}{}\)reflection of F, and let \(\left\langle T,h \right\rangle = \textsf {homog}(V)\). For any state \(v \in \text {dom}^\omega (F)\), we have \(h(s(v)) \in \mathbb {Z}(T)\).
Example 8
The following loop computes the number of trailing 0’s in the binary representation of integer x and its corresponding transition formula:
The homogenization of the \(\mathbb {Q}\text {}\mathbf {DATS}{}\)reflection of F is the \(\mathbb {Q}\text {}\mathbf {DLTS}{}\) T, where:
The \(\omega \)domain of T is the whole state space \(\mathbb {Q}^3\). Since the eigenvector \(\begin{bmatrix} 1&0&0 \end{bmatrix}^\intercal \) of the transition matrix corresponds to a noninteger eigenvalue \(\frac{1}{2}\), the xcoordinate of states in \(\mathbb {Z}(T)\) must be 0; i.e., \(\mathbb {Z}(T) = \{ (x, c, y): x = 0 \}\). We conclude that \(x \ne 0\) is a sufficient condition for the loop to terminate.
The Mortal Precondition Operator. Algorithm 2 shows how to compute a mortal precondition for an LIA transition formula \(F(\mathbf {x},\mathbf {x}')\) (i.e., a sufficient condition for which F terminates). The algorithm operates as follows. First, we compute a \(\mathbb {Q}\text {}\mathbf {DATS}{}\)reflection of F, and homogenize to get a \(\mathbb {Q}\text {}\mathbf {DLTS}{}\) T and an affine simulation \(t : F \rightarrow T\). Let p denote an (arbitrary) projection from \(S_T\) onto \(\mathbb {Z}(T)\) (so p is a simulation from T to \(T_{\mathbb {Z}}\)). We then compute an LIA formula G which represents the states \(\mathbf {w}\) of \(T_{\mathbb {Z}}\) such that there is some \(v \in \text {dom}(F)\) such that \(t(v) \in \mathbb {Z}(T)\) and \(p(t(v)) = \mathbf {w}\). Letting \((H_0,...,H_P)^\omega \) be the characteristic sequence \(\chi (G, T_{\mathbb {Z}})\), we have that for any \(v \in \text {dom}^\omega (F)\), t(v) must belong to \(\mathbb {Z}(T)\) and p(t(v)) satisfies each \(H_i\), so we define
Within the context of the algorithm, we suppose that states of F are represented by ndimensional vectors, states of T are represented as mdimensional vectors, and state of \(T_{\mathbb {Z}}\) are represented as qdimensional vectors. The affine simulation t is represented in the form \(\mathbf {x} \mapsto A\mathbf {x} + \mathbf {b}\), where \(A \in \mathbb {Z}^{m \times n}\) and \(\mathbf {b} \in \mathbb {Z}^m\), the projection p as a \(\mathbb {Z}^{q \times m}\) matrix, and the linear map \(T_{\mathbb {Z}}\) as a \(\mathbb {Q}^{q \times q}\) matrix. The fact that p and t have all integer (rather than rational) entries is without loss of generality, since any simulation can be scaled by the least common denominator of its entries.
Theorem 3
(Soundness). For any transition formula F, for any state s such that , we have \(s \notin \text {dom}^\omega (F)\).
Proof
Let T, t, p, C, G, and \(H_0,\dots ,H_P\) be as in Algorithm 2. We prove the contrapositive: we assume \(v \in \text {dom}^\omega (F)\) and prove \(v \notin mp(F)\), or equivalently \(v \models H_i(p (t( \mathbf {x})))\) for each i and \(t(v) \in \mathbb {Z}(T)\). We have \(t(v) \in \mathbb {Z}(T)\) by Lemma 5, so it remains only to show that \(v \models H_i(p (t( \mathbf {x})))\) for each i.
Since \(v \in \text {dom}^\omega (F)\), there exists an infinite trajectory of F starting from v: \(v \rightarrow _F v_1 \rightarrow _F v_2 \rightarrow _F \ldots \). For any j, let \(\mathbf {w}_j = T_{\mathbb {Z}}^j(p(t(v)))\). Since \(p \circ t\) is an (affine) simulation, we have \(\mathbf {w}_j = p(t(v_j))\) for all j. It follows that for any j, we have \([v_j,v_{j+1}] \models F(\mathbf {x},\mathbf {x}') \wedge \mathbf {w}_j = p(t(\mathbf {x}_j)) \wedge Ct(\mathbf {x}_j) = 0\), and so \(G(\mathbf {w}_j) = \exists \mathbf {x},\mathbf {x}'. F(\mathbf {x},\mathbf {x}') \wedge \mathbf {w}_j = p(t(\mathbf {x})) \wedge Ct(\mathbf {x}) = 0\) holds for all j. By Theorem 2, \(H_i(p(t( \mathbf {x})))\) holds for all \(H_i\).
The proof of soundness requires only that we can compute \(\mathbb {Q}\text {}\mathbf {DATS}{}\)abstractions of transition formulas. The following is the culmination of our development of \(\mathbb {Q}\text {}\mathbf {DATS}{}\)reflections:
Theorem 4
(Monotonicity). For any transition formulas \(F_1\) and \(F_2\) such that \(F_1 \models F_2\), we have .
The desire for monotonicity is inspired by the principle that changes to a program should have a predictable impact on its analysis [34]. Monotonicity guarantees that more information into the analysis always leads to better results—for example, if a user annotates a procedure with preconditions or adds loop invariants into the program, our termination analysis can only produce weaker (that is, better) preconditions for termination. Moreover, in the context of this work, monotonicity also guarantees that if we cannot prove termination using the operator that we defined, then any linear abstraction of the loop has reachable nonterminating states.
6 Evaluation
Section 5 shows how to compute mortal preconditions for transition formulas. Using the framework of algebraic termination analysis [34], we can “lift” the analysis to compute mortal preconditions for whole programs. The essential idea is to compute summaries for loops and procedures in “bottomup” fashion, apply the mortal precondition operator from Sect. 5 to each loop body summary, and then propagate the mortal preconditions for the loops back to the entry of the program (see [34] for more details). We can verify that a program terminates by using an SMT solver to check that its mortal precondition is valid.
We have implemented Algorithm 2 as a mortal precondition operator (“mortal precondition via Linear Reflections”) in ComPACT, a tool that implements the termination analysis framework presented in [34]. We compare the performance of our analysis against 2LS [5], Ultimate Automizer [10] and CPAchecker [23], the top three competitors in the termination category of Competition on Software Verification (SVCOMP) 2020.
Experiments are run on a virtual machine with Ubuntu 18.04, with a singlecore Intel Core i79750H @ 2.60 GHz CPU and 8 GB of RAM. All tools were run with a time limit of 10 min.
Benchmarks. We tested on a suite of 263 programs divided into 4 categories. The termination and recursive suites contain small programs with challenging termination arguments, while the polybench suite contains larger realworld programs that have relatively simple termination arguments. The termination category consists of the nonrecursive, terminating benchmarks from SVCOMP 2020 in the TerminationMainControlFlow suite. The recursive category consists of the recursive, terminating benchmarks from the recursive directory and TerminationMainControlFlow. Note that 2LS does not handle recursive programs, so we exclude it from the recursive category. Finally, we created a new test suite linear consisting of programs with terminating linear abstractions. This suite is designed to exercise the capabilities of the , and includes all examples from BenAmram and Genaim’s article [1] on multiphase ranking functions, loops with disjunctive and/or modular arithmetic guards, and loops that model integer division and remainder calculation.
How Does Our Analysis Compare with the StateoftheArt? The comparison of ComPACT using the operator against stateoftheart termination analysis tools is shown in Table 1. ComPACT with is competitive with (but not dominating) leading tools in terms of number of tasks solved across the suite, and uses substantially less time. The analysis is least successful on the termination and recursive suites, which are designed to have difficult termination arguments. Most competitive tools use a portfolio of different termination techniques to approach such problems (e.g., Ultimate Automizer synthesizes linear, nested, multiphase, lexicographic and piecewise ranking functions); we investigate the use of in a portfolio solver in the following.
ComPACT with solves all tasks in the polybench suite, which contains numerical programs that have simple termination arguments, but which are larger than the SVCOMP tasks. 2LS, Ultimate Automizer, and CPAChecker exhaust time or memory limits on all tasks. Nested loops are a problematic pattern that appears in these programs, e.g.,
For such loops, is guaranteed to synthesize a conditional termination argument that is at least as weak as (regardless of the contents of the inner loop) by monotonicity and the fact that the loop body formula entails . Ultimate Automizer, CPAChecker, and 2LS cannot make such theoretical guarantees.
The linear suite demonstrates that is capable of proving termination of programs that lie outside the boundaries of the other tools.
Can Our Analysis Improve a Portfolio Solver? We compare and ComPACT in Table 2. The columns correspond to running ComPACT with the following options: excluding the portfolio from [34] (), including the portfolio but excluding (ComPACT), and including the portfolio and (ComPACT+). ComPACT+ can solve 11 additional tasks over ComPACT while adding negligible runtime overhead. In fact, adding to the portfolio decreases the amount of time it takes for ComPACT to complete all benchmark suites. Note that the combined tool is successful on the most termination tasks among all the tools we tested, both overall and for each individual suite except the termination category.
7 Related Work
Termination Analysis of Linear Loops. The universal termination problem for linear loops (or total deterministic affine transition systems, in the terminology of Sect. 4) was posed by Tiwari [29]. The case of linear loops over the reals was resolved by Tiwari [29], over the rationals by Braverman [4], and finally over the integers by Hosseini et al. [14]. In principle, we can combine any of these techniques with our algorithm for computing \(\mathbf {DATS}{}\)reflections of transition formulas to yield a sound (but incomplete) termination analysis. The significance of computing a \(\mathbf {DATS}{}\)reflection (rather than just “some” abstraction) is that is provides an algorithmic completeness result: if it is possible to prove termination of a loop by exhibiting a terminating linear dynamical system that simulates it, the algorithm will prove termination.
The method introduced in Sect. 4 to compute characteristic sequences of inequalities is based on the method that Tiwari used to prove decidability of the universal termination problem for linear loops with (positive) real spectra [29]. Tiwari’s condition of having real spectra is strictly more general than the integer spectra used by our procedure; requiring that the spectrum be integer allows us express the \(\mathbf {DTA}\) procedure in linear integer arithmetic rather than real arithmetic. Similar procedures appear also in [12, 18]. We note in particular that our results in Sects. 4 and 5 subsume Frohn and Giesl’s decision procedure for universal termination for uppertriangular linear loops [12]; since every rational uppertriangular linear loop has a rational spectrum (and is therefore a \(\mathbb {Q}\text {}\mathbf {DATS}{}\)), the mortal precondition computed for any rational uppertriangular linear loop is valid iff the loop is universally terminating.
Linear Abstractions. The formulation of “best abstractions” using reflective subcategories is based on the framework developed in [17]. A variation of this method was used in the context of invariant generation, based on computing (weak) reflections of linear rational arithmetic formulas in the category of rational vector addition systems [27]. This paper is the first to apply the idea to termination analysis.
A method for extracting polynomial recurrence (in)equations that are entailed by a transition formula appears in [16]. The algorithm can also be applied to compute a \(\mathbf {TDATS}\)abstraction of a transition formula. The procedure does not guarantee that the \(\mathbf {TDATS}\)abstraction is a reflection (best abstraction); Proposition 1 demonstrates that no such procedure exists. In this paper, we generalize the model to allow nontotal transition systems, and show that best abstractions do exist. The techniques from Sect. 3 can be used for invariant generation, improving upon the methods of [16].
Kincaid et al. show that the category of linear dynamical systems with periodic rational spectrum is a reflective subcategory of the category of linear dynamical systems [18]. A complex number n is periodic rational if \(n^p\) is rational for some \(p \in \mathbb {Z}^{>0}\). Combining this result with the technique from Sect. 3 yields the result that the category of \(\mathbf {DATS}\) with periodic rational spectrum is a reflective subcategory of \(\mathbf {TF}\). The decision procedure from Sect. 4 extends easily to the periodic rational case, which results in a strictly more powerful decision procedure.
Termination Analysis. Termination analysis, and in particular conditional termination analysis, has been widely studied. Work on the subject can be divided into practical termination analyses that work on real programs (but offer few theoretical guarantees) [2, 6, 8, 11, 13, 20, 30,31,32], and work on simplified model (such as linear, octagonal, and polyhedral loops) with strong guarantees (but cannot be applied directly to real programs) [1, 3, 4, 14, 21, 25, 29]. This paper aims to help bridge the gap between the two, by showing how to apply analyses for linear loops to general programs, while preserving some of their desirable theoretical properties, in particular monotonicity.
Notes
 1.
Technically, we have \(\frac{1}{Q}(\lambda _1^kk^{d_1}\mathbf {a}_1^\intercal + \cdots + \lambda _m^kk^{d_m}\mathbf {a}_m^\intercal ) = \mathbf {c}^\intercal A^{k}\mathbf {x}\) for all k greater than rank of the highestrank generalized eigenvector of 0, but since we are only interested in the asymptotic behavior of A we can disregard the first steps of the computation.
 2.
An infinite sequence \(s_0, s_1, s_2, \ldots \) is ultimately periodic, if there exists N such that \(s_{N}, s_{N+1}, s_{N+2}, \ldots \) is a periodic sequence. We call N the transient length of this sequence.
References
BenAmram, A.M., Genaim, S.: On multiphaselinear ranking functions. In: Majumdar, R., Kunčak, V. (eds.) CAV 2017. LNCS, vol. 10427, pp. 601–620. Springer, Cham (2017). https://doi.org/10.1007/9783319633909_32
Borralleras, C., Brockschmidt, M., Larraz, D., Oliveras, A., RodríguezCarbonell, E., Rubio, A.: Proving termination through conditional termination. In: Legay, A., Margaria, T. (eds.) TACAS 2017. LNCS, vol. 10205, pp. 99–117. Springer, Heidelberg (2017). https://doi.org/10.1007/9783662545775_6
Bradley, A.R., Manna, Z., Sipma, H.B.: Linear ranking with reachability. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 491–504. Springer, Heidelberg (2005). https://doi.org/10.1007/11513988_48
Braverman, M.: Termination of integer linear programs. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 372–385. Springer, Heidelberg (2006). https://doi.org/10.1007/11817963_34
Chen, H., David, C., Kroening, D., Schrammel, P., Wachter, B.: Bitprecise proceduremodular termination analysis. ACM Trans. Program. Lang. Syst. 40(1), 1:1–1:38 (2018). https://doi.org/10.1145/3121136
Cook, B., Gulwani, S., LevAmi, T., Rybalchenko, A., Sagiv, M.: Proving conditional termination. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 328–340. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540705451_32
Cooper, D.C.: Theorem proving in arithmetic without multiplication. Mach. Intell. 7(91–99), 300 (1972)
Cousot, P., Cousot, R.: An abstract interpretation framework for termination. In: Proceedings of the 39th Annual ACM SIGPLANSIGACT Symposium on Principles of Programming Languages, POPL 2012, pp. 245–258. Association for Computing Machinery, New York (2012). https://doi.org/10.1145/2103656.2103687
Cyphert, J., Breck, J., Kincaid, Z., Reps, T.: Refinement of path expressions for static analysis. Proc. ACM Program. Lang. 3(POPL) (2019). https://doi.org/10.1145/3290358
Dietsch, D., Heizmann, M., Nutz, A., Schätzle, C., Schüssele, F.: Ultimate taipan with symbolic interpretation and fluid abstractions. In: TACAS 2020. LNCS, vol. 12079, pp. 418–422. Springer, Cham (2020). https://doi.org/10.1007/9783030452377_32
D’Silva, V., Urban, C.: Conflictdriven conditional termination. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015. LNCS, vol. 9207, pp. 271–286. Springer, Cham (2015). https://doi.org/10.1007/9783319216683_16
Frohn, F., Giesl, J.: Termination of triangular integer loops is decidable. In: Dillig, I., Tasiran, S. (eds.) CAV 2019. LNCS, vol. 11562, pp. 426–444. Springer, Cham (2019). https://doi.org/10.1007/9783030255435_24
Ganty, P., Genaim, S.: Proving termination starting from the end. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 397–412. Springer, Heidelberg (2013). https://doi.org/10.1007/9783642397998_27
Hosseini, M., Ouaknine, J., Worrell, J.: Termination of linear loops over the integers. In: Baier, C., Chatzigiannakis, I., Flocchini, P., Leonardi, S. (eds.) ICALP. LIPIcs, vol. 132, pp. 118:1–118:13. Schloss Dagstuhl  LeibnizZentrum für Informatik (2019). https://doi.org/10.4230/LIPIcs.ICALP.2019.118
KellerGehrig, W.: Fast algorithms for the characteristic polynomial. Theor. Comput. Sci. 36(2–3), 309–317 (1985)
Kincaid, Z., Cyphert, J., Breck, J., Reps, T.: Nonlinear reasoning for invariant synthesis. PACMPL 2(POPL), 54:1–54:33 (2018)
Kincaid, Z.: Numerical invariants via abstract machines. In: Podelski, A. (ed.) SAS 2018. LNCS, vol. 11002, pp. 24–42. Springer, Cham (2018). https://doi.org/10.1007/9783319997254_3
Kincaid, Z., Breck, J., Cyphert, J., Reps, T.: Closed forms for numerical loops. Proc. ACM Program. Lang. 3(POPL) (2019). https://doi.org/10.1145/3290368
Lax, P.D.: Linear Algebra and Its Applications, 2 edn. WileyInterscience (2007)
Le, T.C., Qin, S., Chin, W.N.: Termination and nontermination specification inference. In: PLDI, PLDI 2015, pp. 489–498. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2737924.2737993
Leike, J., Heizmann, M.: Ranking templates for linear loops. In: TACAS, pp. 172–186 (2014)
Lenstra, A.K., Lenstra, H.W., Lovász, L.: Factoring polynomials with rational coefficients. Math. Ann. 261(4), 515–534 (1982)
Ott, S.: Implementing a termination analysis using configurable program analysis. Master’s thesis, University of Passau (2016)
Ouaknine, J., Pinto, J.S., Worrell, J.: On termination of integer linear loops. In: SODA, pp. 957–969 (2015)
Podelski, A., Rybalchenko, A.: A complete method for the synthesis of linear ranking functions. In: VMCAI, pp. 239–251 (2004)
Reps, T., Sagiv, M., Yorsh, G.: Symbolic implementation of the best transformer. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 252–266. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540246220_21
Silverman, J., Kincaid, Z.: Loop summarization with rational vector addition systems. In: Dillig, I., Tasiran, S. (eds.) CAV 2019. LNCS, vol. 11562, pp. 97–115. Springer, Cham (2019). https://doi.org/10.1007/9783030255435_7
Tarski, A.: A latticetheoretical fixpoint theorem and its applications. Pac. J. Math. 5(2), 285–309 (1955)
Tiwari, A.: Termination of linear programs. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol. 3114, pp. 70–82. Springer, Heidelberg (2004). https://doi.org/10.1007/9783540278139_6
Urban, C.: The abstract domain of segmented ranking functions. In: Logozzo, F., Fähndrich, M. (eds.) SAS, pp. 43–62 (2013)
Urban, C., Miné, A.: An abstract domain to infer ordinalvalued ranking functions. In: Shao, Z. (ed.) ESOP 2014. LNCS, vol. 8410, pp. 412–431. Springer, Heidelberg (2014). https://doi.org/10.1007/9783642548338_22
Urban, C., Miné, A.: A decision tree abstract domain for proving conditional termination. In: MüllerOlm, M., Seidl, H. (eds.) SAS 2014. LNCS, vol. 8723, pp. 302–318. Springer, Cham (2014). https://doi.org/10.1007/9783319109367_19
Zhu, S., Kincaid, Z.: Reflections on termination of linear loops (2021). https://arxiv.org/abs/2105.13941
Zhu, S., Kincaid, Z.: Termination analysis without the tears (2021)
Acknowledgments
This work was supported in part by the NSF under grant number 1942537 and by ONR under grant N000141912318. Opinions, findings, conclusions, or recommendations expressed herein are those of the authors and do not necessarily reflect the views of the sponsoring agencies.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2021 The Author(s)
About this paper
Cite this paper
Zhu, S., Kincaid, Z. (2021). Reflections on Termination of Linear Loops. In: Silva, A., Leino, K.R.M. (eds) Computer Aided Verification. CAV 2021. Lecture Notes in Computer Science(), vol 12760. Springer, Cham. https://doi.org/10.1007/9783030816889_3
Download citation
DOI: https://doi.org/10.1007/9783030816889_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783030816872
Online ISBN: 9783030816889
eBook Packages: Computer ScienceComputer Science (R0)