Reflections on Termination of Linear Loops

This paper shows how techniques for linear dynamical systems can be used to reason about the behavior of general loops. We present two main results. First, we show that every loop that can be expressed as a transition formula in linear integer arithmetic has a best model as a deterministic affine transition system. Second, we show that for any linear dynamical system $f$ with integer eigenvalues and any integer arithmetic formula $G$, there is a linear integer arithmetic formula that holds exactly for the states of $f$ for which $G$ is eventually invariant. Combining the two, we develop a monotone conditional termination analysis for general loops.


Introduction
Linear and affine dynamical systems are a model of computation that is easy to analyze (relative to non-linear systems), making them useful across a broad array of applications. In the context of program analysis, affine dynamical systems correspond to loops of the form
while (G(x)) do x := Ax + b    (†)
where G is a formula, A is a matrix, x is a vector of program variables, and b is a constant vector. The termination problem for such loops has been shown to be decidable for several variations of this model [29,4,24,9,12]. However, few loops in real programs take this form, and so this work has not yet made an impact on practical termination analysis tools. This paper bridges the gap between theory and practice, showing how techniques for linear and affine dynamical systems can be used to reason about general programs.
Example 1. We illustrate our methodology using the example program in Figure 1 (left). First, observe that although the body of this loop is not of the form (†), the value of the sum x + y decreases by z each iteration, and z remains the same. Thus, we can approximate the loop by the linear dynamical system in Figure 1 (right), where the nature of the approximation is given by the linear map in the center of Figure 1 (i.e., the a coordinate corresponds to x + y, and the b coordinate to z). The linear map is a simulation, in the sense that it transforms the state space of the program into the state space of the linear dynamical system so that every step in the loop has a corresponding step in the linear dynamical system.
[Figure 1: an example program (left), a linear map (center), and a linear dynamical system (right). Surviving fragment of the program listing: if ((x - y) % 2 == 0): x := x - z else:]
Next, we compute the image of the guard of the loop (x ≥ 0 ∧ y ≥ 0) under the simulation, which yields a ≥ 0 (corresponding to the constraint x + y ≥ 0 over the original program variables). We can compute a closed form for this constraint holding on the kth iteration of the loop by exponentiating the dynamics matrix of the linear dynamical system, multiplying on the left by the row vector corresponding to the constraint, and on the right by the simulation: We then analyze the asymptotic behavior of the closed form: We conclude that z > 0 ∨ (x + y) < 0 is a sufficient condition for the loop to terminate. ⌟
The paper is organized as follows. To serve as the class of "linear models" of loops, we introduce deterministic affine transition systems (DATS), a computational model that generalizes affine dynamical systems. Section 3 shows that any loop expressed as a linear integer arithmetic formula has a DATS-reflection, which is a best representation of the behavior of the loop as a DATS. Moreover, this holds for a restricted class of DATS with rational eigenvalues. Section 4 shows that for a linear map f with integer eigenvalues and a linear integer arithmetic formula G, there is a linear integer arithmetic formula that holds exactly for those states x such that $G(f^k(x))$ holds for all but finitely many $k \in \mathbb{N}$. Section 5 brings the results together, showing that the analysis of a DATS with rational eigenvalues can be reduced to the analysis of a linear dynamical system with integer eigenvalues. The fact that DATS-reflections are best implies monotonicity of the analysis. Finally, in Section 6, we demonstrate experimentally that the analysis can be successfully applied to general programs, using the framework of algebraic termination analysis [33] to lift our loop analysis to a whole-program conditional termination analysis. Some proofs are omitted for space, but may be found in the appendix.

Preliminaries
This paper assumes familiarity with linear algebra; see for example [19]. We recall some basic definitions below.
In the following, a linear space refers to a finite-dimensional linear space over the field of rational numbers Q. For V a linear space and U ⊆ V, span(U) is the linear space generated by U; i.e., the smallest linear subspace of V that contains U. An affine subspace of a linear space V is the image of a linear subspace of V under a translation (i.e., a set of the form $\{v + v_0 : v \in U\}$ for some linear subspace U ⊆ V and some $v_0 \in V$). For any scalar a ∈ Q, and any linear space V, we use a to denote the linear map a : V → V that maps v → av (in particular, 1 is the identity). A linear functional on a linear space V is a linear map V → Q; the set of all linear functionals on V forms a linear space called the dual space of V, denoted $V^\star$. A linear map f :
Let V be a linear space. A linear map f : V → V is associated with a characteristic polynomial $p_f(x)$, which is defined to be the determinant of $(xI − A_f)$, where $A_f$ is a matrix representation of f with respect to some basis (the choice of which is irrelevant). Define the spectrum (set of eigenvalues) of f to be the set of (possibly complex) roots of its characteristic polynomial, $\mathrm{spec}(f) \triangleq \{\lambda \in \mathbb{C} : p_f(\lambda) = 0\}$. We say that f has rational spectrum if spec(f) ⊆ Q; equivalently (by the spectral theorem; see e.g. [19, Ch. 6, Theorem 7]):
- There is a basis $\{x_1, \ldots, x_n\}$ for V consisting of generalized (right) eigenvectors, satisfying $(f − \lambda_i)^{r_i}(x_i) = 0$ for some $\lambda_i \in \mathrm{spec}(f)$ and some $r_i \ge 1$ ($r_i$ is called the rank of $x_i$)
- There is a basis $\{g_1, \ldots, g_n\}$ for $V^\star$ consisting of generalized left eigenvectors, satisfying $g_i \circ (f − \lambda_i)^{r_i} = 0$ for some $\lambda_i \in \mathrm{spec}(f)$ and some $r_i \ge 1$
It is possible to determine whether a linear map has rational spectrum (and compute the basis of eigenvectors for V and $V^\star$) in polynomial time by computing its characteristic polynomial [15], factoring it [22], and checking whether each factor is linear.
The syntax of linear integer arithmetic (LIA) is given as follows: Let X ⊆ Variable be a set of variables. A valuation over X is a map v : X → Z. If F is a formula whose free variables range over X and v is a valuation over X, then we say that v satisfies F (written v |= F ) if the formula F is true when interpreted over the standard model of the integers, using v to interpret the free variables. We write F |= G if every valuation that satisfies F also satisfies G.

Transition systems
A transition system T is a pair T = S T , R T where S T is a set of states and R T ⊆ S T × S T is a transition relation. Within this paper, we shall assume that the state space of any transition system is a finite-dimensional linear space (over Q). We write x → T x ′ to denote that the pair x, x ′ belongs to R T . We define the domain of a transition system T , dom(T ) {x ∈ S T : ∃x ′ .x → T x ′ }, to be the set of states that have a T -successor. We define the ω-domain dom ω (T ) of T to be the set of states from which there exist infinite T -computations: A transition formula F (X, X ′ ) is an LIA formula whose free variables range over a designated finite set of variables X and a set of "primed copies" X ′ = {x ′ : x ∈ X}. For example, a transition formula that represents the body of the loop in Figure 1 is We use TF to denote the set of transition formulas. A transition formula F (X, X ′ ) defines a transition system where the state space is the set of functions X → Q, and where v → F v ′ if and only if both (1) v and v ′ map each x ∈ X to an integer and (2) denotes the valuation that maps each x ∈ X to v(x) and each x ′ ∈ S ′ to v ′ (x). Defining the state space of F to be X → Q rather than X → Z is a technical convenience (X → Q ≃ Q |X| is a linear space), but does not materially affect the results of this paper since only (integral) valuations are involved in transitions.
Let T = S T , R T be a transition system. We say that T is: For example, the transition system T with transition relation  is deterministic and affine, but not linear or total. The transition system U with transition relation x y is total, linear (and affine), but not deterministic. The classical notion of a linear dynamical system-a transition system where the state evolves according to a linear map-corresponds to a total, deterministic, linear transition system. Similarly, an affine dynamical system is a transition system that is total, deterministic, and affine. For any map s : X → Y , and any relation R ⊆ X × X, define the image of R under s to be the relation s Let T = S T , R T and U = S U , R U be transition systems. We say that a linear map s : S T → S U is a linear simulation from T to U , and write s : Observe that the following are equivalent: (1) s is a simulation, (2) An example of a simulation between a transition formula and a linear dynamical system is given in Figure 1. In fact, there are many linear dynamical systems that over-approximate this loop; however, the simulation and linear dynamical system given in Figure 1 is its best abstraction.
To formalize the meaning of best abstractions, it is convenient to use the language of category theory [17]. Any class of transition systems defines a category, where the objects are transition systems of that class, and the arrows are linear simulations between them. We use boldface letters (Linear, Affine, Deterministic, Total) to denote categories of transition systems (e.g., DATS denotes the category of Deterministic Affine Transition Systems).
If T is a transition system and C is a category of transition systems, a C-abstraction of T is a pair ⟨U, s⟩ consisting of a transition system U belonging to C and a linear simulation s : T → U. A C-reflection of T is a C-abstraction that satisfies a universal property among C-abstractions of T: for any C-abstraction ⟨V, t⟩ of T there exists a unique simulation $\bar{t} : U \to V$ such that $\bar{t} \circ s = t$; i.e., the following diagram commutes:
If D is a category of transition systems and C is a subcategory such that every transition system in D has a C-reflection, we say that C is a reflective subcategory of D.
Our ultimate goal is to bring techniques from linear dynamical systems to bear on transition formulas. Figure 1 gives an example of a program and its linear dynamical system reflection. Unfortunately, such reflections do not exist for all transition formulas, which motivates our investigation of alternative models.
Proof. Let F be the 1-dimensional transition formula x ′ = x ∧ x = 0. For a contradiction, suppose that A, s is a TDATS-reflection of F . Since F contains the origin, then so must the transition relation of A, and so A is linear. Next, consider that for any λ ∈ Q, we have the simulation id : F → A λ , where id is the identity function and A λ = Q, x → λx . Since A, s is a reflection of F , for any λ, there is some t λ such that t λ : A → A λ and id = t λ • s. Since t λ is a simulation, we have λt λ = A λ • t λ = t λ • A. Since id = t λ • s, we must have t λ non-zero, and so t λ is a left eigenvector of A with eigenvalue λ. Since this holds for all λ, A must have infinitely many eigenvalues, a contradiction.

Linear abstractions of transition formulas
Proposition 1 shows that not every transition formula has a total deterministic affine reflection. In the following we show that totality is the only barrier: every transition formula has a (computable) DATS-reflection. Moreover, we show that every transition formula has a rational spectrum DATS (Q-DATS)-reflection, a restricted class of DATS that generalizes affine maps x → Ax + b where A has rational eigenvalues. The restriction on eigenvalues makes it easier to reason about the termination behavior of Q-DATS.
In the remainder of this section, we show that every transition formula has a Q-DATS-reflection by establishing a chain of reflective subcategories: The fact that Q-DATS is a reflective subcategory of TF then follows from the fact that a reflective subcategory of a reflective subcategory is reflective.

Affine abstractions of transition formulas
Let F (X, X ′ ) be a transition formula. The affine hull of F , denoted aff(F ), is the smallest affine set aff that contains all of the models of F . Reps et al. give an algorithm that can be used to compute aff(F ), by using an SMT solver to sample a set of generators [26].
Lemma 1. Let F (X, X ′ ) be a transition formula. The affine hull of F (considered as a transition system) is the best affine abstraction of F (where the simulation from F to aff(F ) is the identity).
Example 2. Consider the example program in Figure 1. Letting F denote the transition formula corresponding to the program, aff(F ) can be represented as the solutions to the constraints Notice that aff(F ) is 4-dimensional and has a transition relation defined by 3 constraints, and thus is not deterministic. The next step is to find a suitable projection onto a lower-dimensional space so that the resulting transition system is deterministic. ⌟

Reflections via the dual space
This section presents a key technical tool that will be used in the next two subsections to prove the existence of reflections. For any transition system T , an abstraction U, s of T consisting of a transition system U and a simulation s : S T → S U induces a subspace of S ⋆ T , which is the range of the dual map s ⋆ (i.e., the set of all linear functionals on S T of the form g • s where g ∈ S ⋆ U ). The essential idea is we can apply this in reverse: any subspace Λ of S ⋆ T induces a transition system U and a simulation s : T → U that satisfies a universal property among all abstractions V, v of T where the range of v ⋆ is contained in Λ. We will now formalize this idea.
Let T be a transition system, and let Λ be a subspace of $S_T^\star$. Define $\alpha_\Lambda(T)$ to be the pair $\alpha_\Lambda(T) \triangleq \langle U, s \rangle$ consisting of a transition system U and a linear simulation s :
Lemma 2 (Dual space simulation). Let T be a transition system, let Λ be a subspace of $S_T^\star$, and let $\langle U, s \rangle = \alpha_\Lambda(T)$. Suppose that Z is a transition system and z : T → Z is a simulation such that the range of $z^\star$ is contained in Λ. Then there exists a unique simulation $\bar{z} : U \to Z$ such that $\bar{z} \circ s = z$.
Proof. The high-level intuition is that since the range of $z^\star$ is contained in Λ, we may consider it to be a map $z^\star : S_Z^\star \to \Lambda$; dualizing again, we get a map $z^{\star\star} : \Lambda^\star \to S_Z^{\star\star}$, whose domain is $S_U$ and codomain is (isomorphic to) $S_Z$. More formally, let $j : S_Z \to S_Z^{\star\star}$ be the natural isomorphism between $S_Z$ and $S_Z^{\star\star}$ defined by $j(y) \triangleq \lambda g : S_Z^\star . g(y)$. Define $\bar{z}$ :
First we show that $\bar{z} \circ s = z$. Let x ∈ S Z . Then we have , and so $\bar{z}(s(x)) \to_Z \bar{z}(s(x'))$, and we may conclude that $\bar{z}(y) \to_Z \bar{z}(y')$.
Finally, observe that s is surjective, and therefore the solution to the equation $\bar{z} \circ s = z$ is unique.
We conclude this section by illustrating how to compute the function α for affine transition systems. Suppose that T is an affine transition system of dimension n. We can represent states in $S_T$ by vectors in $\mathbb{Q}^n$, and the transition relation $R_T$ by a finite set of transitions $B \subseteq \mathbb{Q}^n \times \mathbb{Q}^n$ that generates $R_T$ (i.e., $R_T = \mathrm{aff}(B)$). Suppose that Λ is an m-dimensional subspace of $S_T^\star$; elements of $S_T^\star$ can be represented by n-dimensional row vectors, and Λ can be represented by a basis $f_1^\intercal, \ldots, f_m^\intercal$. We can compute a representation of $\langle U, s \rangle = \alpha_\Lambda(T)$ as follows. The elements of $S_U = \Lambda^\star$ can be represented by m-dimensional vectors (with respect to the basis $g_1, \ldots, g_m$ such that $g_i$ is the linear map that sends $f_j^\intercal$ to 1 if i = j and to 0 otherwise). The simulation s can be represented by the m × n matrix where the ith row is $f_i^\intercal$. Finally, the transition relation $R_U$ can be represented by a set of generators $\{\langle s(x), s(x') \rangle : \langle x, x' \rangle \in B\}$.

Determinization
In this section, we show that any transition system operating over a finite-dimensional vector space has a best deterministic abstraction, and give an algorithm for computing the best deterministic affine abstraction (or determinization) of an affine transition system.
Towards an application of Lemma 2, we seek to characterize the determinization of a transition system by a space of functionals on its state space. For any linear space V and space of functionals Λ on V , define an equivalence relation For any T and Λ, define Det(T, Λ) {f : T is (Λ, {f })-deterministic} to be the greatest set of functionals such that T is (Λ, Det(T, Λ))-deterministic.

Lemma 3 (Determinization). For any transition system
If a transition system T is affine, then its determinization can be computed in polynomial time. Fixing a basis for the state space S T (of some dimension n), we can represent the transition relation of T in the form R T = { x, x ′ : Ax ′ = Bx+ c} where A, B ∈ Q m×n and c ∈ Q m (for some m). We can represent functionals on S T by n-dimensional vectors, where the vector v ∈ Q n corresponds to the functional that maps u → v ⊺ u. A linear space of functionals Λ can be represented by a system of linear equations are those that can be written as a linear combination of the rows of A such that the corresponding linear combination of the rows of B belongs to Λ; i.e., A representation of Det(T, Λ) can be computed in polynomial time using Gaussian elimination. Since the lattice of linear subspaces of S ⋆ T has height n, the greatest fixpoint of Det(T, −) can be computed in polynomial time.
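The fixpoint computation described above, as an added example (not code from the paper or its implementation). It takes Det(T, Λ) to be the functionals y⊺A with y⊺B ∈ Λ, as the paragraph states, keeps Λ as a reduced-row-echelon basis, and runs on a constructed system over (w, x, y, z) chosen to match the narrative of Example 3; all function and variable names are this example's own.

```python
from fractions import Fraction

def rref(rows):
    """Reduced row echelon form over Q; returns (nonzero rows, pivot columns)."""
    m = [[Fraction(v) for v in row] for row in rows]
    pivots, r = [], 0
    for c in range(len(m[0]) if m else 0):
        p = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if p is None:
            continue
        m[r], m[p] = m[p], m[r]
        piv = m[r][c]
        m[r] = [v / piv for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c] != 0:
                f = m[i][c]
                m[i] = [a - f * b for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    return m[:r], pivots

def null_space(rows, ncols):
    """Basis of {v in Q^ncols : M v = 0}, where M is given by its rows."""
    red, pivots = rref(rows)
    basis = []
    for free in (c for c in range(ncols) if c not in pivots):
        v = [Fraction(0)] * ncols
        v[free] = Fraction(1)
        for row, p in zip(red, pivots):
            v[p] = -row[free]
        basis.append(v)
    return basis

def det_step(A, B, lam):
    """One application of Det(T, -) for R_T = {(x, x') : A x' = B x + c}.

    lam is a basis (row vectors) of the current space of functionals.
    The constant c only shifts values, so it does not influence which
    functionals are determined and is not an argument here.
    """
    m, n = len(A), len(A[0])
    # Unknowns (y, z): coordinate j of  y^T B - z^T lam  must vanish.
    system = [[B[i][j] for i in range(m)] + [-l[j] for l in lam]
              for j in range(n)]
    combos = null_space(system, m + len(lam))
    funcs = [[sum(v[i] * A[i][j] for i in range(m)) for j in range(n)]
             for v in combos]
    return rref(funcs)[0]          # canonical basis, zero rows dropped

def det_chain(A, B):
    """Descending chain from the full dual space down to the greatest fixpoint."""
    n = len(A[0])
    lam = [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    chain = [lam]
    while True:
        nxt = det_step(A, B, lam)
        if nxt == lam:             # equal canonical bases <=> equal subspaces
            return chain
        chain.append(nxt)
        lam = nxt

# Constructed input (not the paper's Eq. (2)), coordinates ordered (w, x, y, z):
#   w' = x,   x' + y' = x + y - z,   z' = z
SAMPLE_A = [[1, 0, 0, 0], [0, 1, 1, 0], [0, 0, 0, 1]]
SAMPLE_B = [[0, 1, 0, 0], [0, 1, 1, -1], [0, 0, 0, 1]]

if __name__ == "__main__":
    for step, basis in enumerate(det_chain(SAMPLE_A, SAMPLE_B)):
        print(step, [[int(v) for v in row] for row in basis])
```

On the constructed input the chain has dimensions 4, 3, 2: the first step keeps w, x + y and z, and the second drops w because w' depends on x alone, which is not in the space.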
Example 3. Continuing the example from Figure 1 and Example 2, we consider the determinization of the affine transition system in Eq (2). The rows of the matrix on the left-hand side correspond to generators for Det(aff(F ), Q 4 ⋆ ): which is the greatest fixpoint Det(aff(F )). Intuitively: after one step of aff(F ), the values of w, x + y, and z are affine functions of the input; after two steps x + y and z are affine functions of the input but w is not, since the value of w on the second step depends upon the value of x in the first, and x is not an affine function of the input.
This yields the deterministic reflection D, d (also pictured in Figure 1) where

Rational-spectrum reflections of DATS
In this section, we define rational-spectrum DATS and show that every DATS has a rational-spectrum-reflection. In the following, it is convenient to work with transition systems that are linear rather than affine. We will prove that every deterministic linear transition system has a best abstraction with rational spectrum. The result extends to the affine case through the use of homogenization: i.e., we embed a (non-empty) affine transition system into a linear transition system with one additional dimension, such that if we fix that dimension to be 1 then we recover the affine transition system. If the transition relation of a DATS is represented in the form Ax′ = Bx + c, then its homogenization is simply For a DATS T, we use homog(T) to denote the pair ⟨L, h⟩, consisting of the DLTS L resulting from homogenization and the affine simulation h : T → L that maps each $x \in S_T$ to $\begin{bmatrix} x \\ 1 \end{bmatrix}$ (i.e., the affine simulation h formalizes the idea that if we fix the extra dimension y to be 1, we recover the original DATS T).
Let T be a deterministic linear transition system. Since our goal is to analyze the asymptotic behavior of T, and all long-running behaviors of T reside entirely within $\mathrm{dom}^\omega(T)$, we are interested in the structure of $\mathrm{dom}^\omega(T)$ and T's behavior on this set. First, we observe that $\mathrm{dom}^\omega(T)$ is a linear subspace of $S_T$ and is computable. For any k, let $T^k$ denote the linear transition system whose transition relation is the k-fold composition of the transition relation of R. Consider the descending sequence of linear spaces (i.e., the set of states from which there are T computations of length 1, length 2, length 3, . . . ). Since the space $S_T$ is finite dimensional, this sequence must stabilize at some k. Since the states in $\mathrm{dom}(T^k)$ have T-computations of any length and T is deterministic, we have that $\mathrm{dom}(T^k)$ is precisely $\mathrm{dom}^\omega(T)$.
Since T is total on $\mathrm{dom}^\omega(T)$ and the successor of a state in $\mathrm{dom}^\omega(T)$ must also belong to $\mathrm{dom}^\omega(T)$, T defines a linear map $T|_\omega : \mathrm{dom}^\omega(T) \to \mathrm{dom}^\omega(T)$. In this way, we can essentially reduce asymptotic analysis of DATS to asymptotic analysis of linear dynamical systems. The asymptotic analysis of linear dynamical systems developed in Sections 4 and 5 requires rational eigenvalues; thus we are interested in DATS T such that $T|_\omega$ has rational eigenvalues. With this in mind, we define $\mathrm{spec}(T) = \mathrm{spec}(T|_\omega)$, and say that T has rational spectrum if spec(T) ⊆ Q. Define Q-DLTS to be the subcategory of DLTS with rational spectrum, and Q-DATS to be the subcategory of DATS whose homogenization lies in Q-DLTS.
The bottom-most equation corresponds to a constraint that only vectors where the x and y coordinates are equal have successors, so we have: Supposing that the x and y coordinates are equal in some pre-state, they are equal in the post-state exactly when z = 0, so we have It is easy to check that $\mathrm{dom}(T^3) = \mathrm{dom}(T^2)$, and therefore $\mathrm{dom}^\omega(T) = \mathrm{dom}(T^2)$. The vector $[1\ 1\ 0]^\intercal$ is a basis for $\mathrm{dom}^\omega(T)$, and the matrix representation of $T|_\omega$ with respect to this basis is 2 (i.e., $[1\ 1\ 0]^\intercal \to_T [2\ 2\ 0]^\intercal$). Thus we can see spec(T) = {2}, and T is a Q-DLTS. ⌟
Towards an application of Lemma 2, define the generalized rational eigenspace of a DLTS T to be
Lemma 4. Let T be a DLTS, and define $\langle Q, q \rangle \triangleq \alpha_{E_{\mathbb{Q}}(T)}(T)$. Then for any Q-DLTS U and any simulation s : T → U, there is a unique simulation s :
While $\alpha_{E_{\mathbb{Q}}(T)}(T)$ satisfies a universal property for Q-DLTS, it does not necessarily belong to Q-DLTS itself because it need not be deterministic. However, by iterative interleaving of Lemma 4 and determinization as shown in Algorithm 1, we arrive at a Q-DLTS-reflection. Example 8 in the appendix demonstrates how we calculate a Q-DLTS-reflection of a particular DLTS. Finally, by homogenization and Theorem 1, we conclude with the desired result:

Asymptotic Analysis of Linear Dynamical Systems
This section is concerned with analyzing the behavior of loops of the form where G(x) is an LIA formula and A is a matrix with integer spectrum. Our goal is to capture the asymptotic behavior of iterating the map A on an initial state $x_0$ with respect to the formula G. Specifically, we show that
Theorem 2. For any LIA formula G and any matrix A with integer spectrum, there is a periodic sequence of LIA formulas $H_0, H_1, H_2, \ldots$ such that for any initial state $x_0 \in \mathbb{Q}^n$, there exists K such that for any k > K, $G(A^k x_0)$ holds if and only if $H_k(x_0)$ does.
We call the periodic sequence $(H_0, H_1, \ldots, H_P)^\omega$ the characteristic sequence of the guard formula G with respect to dynamics matrix A, and denote it by χ(G, A). Note that $G(A^k x_0)$ holds for all but finitely many k exactly when $\bigwedge_{i=0}^{P} H_i(x_0)$ holds.

Recall that an infinite sequence
In the remainder of this section, we show how to compute characteristic sequences. Let G be an LIA formula and let A be a matrix with integer spectrum. To begin, we compute a quantifier-free formula G′ that is equivalent to G (using, for example, Cooper's algorithm [7]). We define χ(G′, A) by recursion on the structure of G′. For the logical connectives ∧, ∨, and ¬, characteristic sequences are defined pointwise: It remains to show how χ acts on atomic formulas, which take the form of inequalities $t_1 \le t_2$ and divisibility constraints n | t. An important fact that we employ in both cases is that for any linear term $c^\intercal x$ over the variables x, we can compute a closed form for $c^\intercal A^k(x)$ by symbolically exponentiating A. Since (by assumption) A has integer eigenvalues, this closed form has the form $\frac{1}{Q}(p(x, k))$ where $Q \in \mathbb{N}$ and p is an integer exponential-polynomial term, which takes the form where $\lambda_i \in \mathrm{spec}(A)$, $d_i \in \mathbb{N}$, and $a_i \in \mathbb{Z}^n$.¹
Characteristic sequences for inequalities
Our method for computing characteristic sequences for inequalities is a variation of Tiwari's method for deciding termination of linear loops with real eigenvalues [29]. First, suppose that p(x, k) is an integer exponential-polynomial of the form in Eq. (3) such that each $\lambda_i$ is a positive integer. Further suppose that the summands are ordered by asymptotic growth, with the dominant term appearing earliest in the list; i.e., for i < j we have either $\lambda_i > \lambda_j$, or $\lambda_i = \lambda_j$ and $d_i > d_j$. If we imagine that the variables x are fixed to some $x_0 \in \mathbb{Z}^n$, then we see that $p(x_0, k)$ is either identically zero or has finitely many zeros, and therefore its sign is eventually stable. Furthermore, the sign of $p(x_0, k)$ as k tends to ∞ is simply the sign of its dominant term, that is, the sign of $a_i^\intercal x_0$ for the least i such that $a_i^\intercal x_0$ is non-zero.
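The dominant-term argument above, evaluated at concrete initial states and cross-checked against direct iteration; this is an added example, not code from the paper or from its implementation. The dynamics matrix for Example 1 is written out from the prose description (a = x + y decreases by b = z each step), the second term list is constructed, and all names are this example's own.

```python
def dot(a, x):
    return sum(ai * xi for ai, xi in zip(a, x))

def is_growth_ordered(terms):
    """terms = [(lam, d, a), ...]; dominant summand first, every lam a positive integer."""
    keys = [(lam, d) for lam, d, _ in terms]
    return (all(lam > 0 for lam, _ in keys)
            and all(p > q for p, q in zip(keys, keys[1:])))

def evaluate(terms, x0, k):
    """p(x0, k) = sum_i lam_i^k * k^d_i * (a_i . x0), in exact integer arithmetic."""
    return sum(lam ** k * k ** d * dot(a, x0) for lam, d, a in terms)

def eventual_sign(terms, x0):
    """Sign (-1, 0, +1) of p(x0, k) for all sufficiently large k."""
    if not is_growth_ordered(terms):
        raise ValueError("summands must be ordered by growth with positive lam")
    for _, _, a in terms:
        c = dot(a, x0)
        if c != 0:                 # least i with a_i . x0 != 0 decides the sign
            return 1 if c > 0 else -1
    return 0                       # p(x0, k) is identically zero

def dta_holds(terms, x0):
    """True iff p(x0, k) >= 0 for all but finitely many k."""
    return eventual_sign(terms, x0) >= 0

def iterate(A, x0, k):
    """A^k x0 by repeated multiplication (the ground truth for the closed form)."""
    x = list(x0)
    for _ in range(k):
        x = [dot(row, x) for row in A]
    return x

# Example 1's linear dynamical system over (a, b): a' = a - b, b' = b.
EX1_A = [[1, -1], [0, 1]]
# Closed form of the guard term a after k steps: a - k*b = 1^k k^1 (-b) + 1^k k^0 (a).
EX1_GUARD = [(1, 1, (0, -1)), (1, 0, (1, 0))]

# Constructed exponential-polynomial: 3^k (x1 - x2) + 2^k k x2 - 5 * 2^k x1.
CONSTRUCTED = [(3, 0, (1, -1)), (2, 1, (0, 1)), (2, 0, (-5, 0))]

def sign(v):
    return (v > 0) - (v < 0)

def agrees_with_brute_force(terms, grid, k=200):
    """Compare the dominant-term verdict with the sign of p at one large k."""
    return all(eventual_sign(terms, x0) == sign(evaluate(terms, x0, k)) for x0 in grid)

if __name__ == "__main__":
    for a, b in [(5, 2), (5, 0), (-1, 0), (-7, -1)]:
        print((a, b), "guard a >= 0 eventually holds:", dta_holds(EX1_GUARD, (a, b)))
```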
Thus, we may define a function DTA that maps any exponential-polynomial term p(x, k) (with positive integral $\lambda_i$) to an LIA formula such that for any $x_0 \in \mathbb{Z}^n$, $x_0 \models \mathrm{DTA}(p)$ holds if and only if $p(x_0, k)$ is eventually non-negative ($p(x_0, k) \ge 0$ for all but finitely many $k \in \mathbb{N}$). DTA is defined as follows:
Finally, we define the characteristic sequence of an inequality atom as follows. An inequality $t_1 \le t_2$ over the variables x can be written as $c^\intercal x + d \ge 0$ for $c \in \mathbb{Z}^n$ and $d \in \mathbb{Z}$. Let $\frac{1}{Q_{even}} p_{even}(x, k)$ and $\frac{1}{Q_{odd}} p_{odd}(x, k)$ be the closed forms of $c^\intercal A^{2k}(x)$ and $c^\intercal A^{2k+1}(x)$, respectively; by splitting into "even" and "odd" cases, we ensure that the exponential-polynomial terms $p_{even}(x, k)$ and $p_{odd}(x, k)$ have only positive $\lambda_i$ and thus are amenable to the dominant term analysis DTA described above. Then we define:
¹ x for all k greater than rank of the highest-rank generalized eigenvector of 0, but since we are only interested in the asymptotic behavior of A we can disregard the first steps of the computation.
Example 5. Consider the matrix A and its exponential $A^k$ below: First we compute the characteristic sequence χ(x ≥ 0, A). Applying the dominant term analysis of the closed form of x yields Since the closed form involves only positive exponential terms, we need not split into an even and odd case, and we simply have: Next we compute the characteristic sequence χ(a − b ≥ 0, A), which does require a case split. Applying dominant term analysis of the closed form of (a − b) yields

and thus we have
Characteristic sequences for divisibility atoms
Last we show how to define χ for divisibility atoms n | t. Write the term t as $c^\intercal x + d$ and let the closed form of The formula $n \mid c^\intercal A^k(x) + d$ is equivalent to $Qn \mid \lambda_1^k k^{d_1} a_1^\intercal x + \cdots + \lambda_m^k k^{d_m} a_m^\intercal x + Qd$. For any i, the sequence $\langle \lambda_i^k k^{d_i} \bmod Qn \rangle_{k=0}^{\infty}$ is ultimately periodic, since (1) $\langle k \bmod Qn \rangle_{k=0}^{\infty} = (0, 1, \ldots, Qn − 1)^\omega$, (2) $\langle \lambda_i^k \bmod Qn \rangle_{k=0}^{\infty}$ is ultimately periodic (with period and transient length bounded above by Qn)², and (3) ultimately periodic sequences are closed under pointwise product. It follows that for each i, there is a periodic sequence of integers $\langle z_{i,k} \rangle_{k=0}^{\infty}$ that agrees with $\langle \lambda_i^k k^{d_i} \bmod Qn \rangle_{k=0}^{\infty}$ on all but finitely many terms. Finally, we take $\chi(n \mid t, A) \triangleq \langle Qn \mid z_{1,k} a_1^\intercal x + \cdots + z_{m,k} a_m^\intercal x + Qd \rangle_{k=0}^{\infty}$.
Example 6. Consider matrix A and the closed form of its exponents below We show the characteristic sequences for some divisibility atoms w.r.t A:
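Added example, not part of the paper or of its Example 6: computing the periodic sequences $z_{i,k}$ and the resulting characteristic sequence for a divisibility atom, then checking it against direct evaluation past the transient. The two inputs are constructed, M stands for Qn and const for Qd, and all function names are this example's own.

```python
from math import gcd

def eventual_cycle(lam, d, M):
    """Return (mu, cycle) with cycle[k % len(cycle)] == lam**k * k**d % M for all k >= mu."""
    seen, power, k = {}, 1 % M, 0
    # The pair (lam^k mod M, k mod M) determines the value and the next pair,
    # so the first repeated pair marks the end of the transient.
    while (power, k % M) not in seen:
        seen[(power, k % M)] = k
        power, k = power * lam % M, k + 1
    mu = seen[(power, k % M)]
    period = k - mu
    cycle = []
    for r in range(period):
        j = mu + (r - mu) % period          # smallest j >= mu with j = r (mod period)
        cycle.append(pow(lam, j, M) * pow(j, d, M) % M)
    for p in range(1, period + 1):          # shrink to the minimal period
        if period % p == 0 and all(cycle[i] == cycle[i % p] for i in range(period)):
            return mu, cycle[:p]

def characteristic_sequence(terms, const, M):
    """terms = [(lam, d, a), ...] for the atom  M | sum_i lam_i^k k^d_i (a_i . x) + const.

    Returns (K, H): H[r] is the coefficient vector of the r-th formula
    M | H[r] . x + const, and the atom at step k >= K is equivalent to H[k % len(H)].
    """
    cycles = [eventual_cycle(lam, d, M) for lam, d, _ in terms]
    K = max(mu for mu, _ in cycles)
    P = 1
    for _, cyc in cycles:
        P = P * len(cyc) // gcd(P, len(cyc))
    nvars = len(terms[0][2])
    H = [[sum(cyc[r % len(cyc)] * a[j] for (_, cyc), (_, _, a) in zip(cycles, terms)) % M
          for j in range(nvars)]
         for r in range(P)]
    return K, H

def holds(coeffs, const, M, x0):
    return (sum(c * x for c, x in zip(coeffs, x0)) + const) % M == 0

def direct(terms, const, M, x0, k):
    """The atom evaluated on the actual k-th iterate, without any periodicity argument."""
    total = sum(lam ** k * k ** d * sum(ai * xi for ai, xi in zip(a, x0))
                for lam, d, a in terms)
    return (total + const) % M == 0

# Constructed input 1: x doubles each step, atom 12 | x + 4  (Q = 1, so M = 12, const = 4).
DOUBLING = [(2, 0, (1,))]
# Constructed input 2: 6 | 3^k k x + y.
MIXED = [(3, 1, (1, 0)), (1, 0, (0, 1))]

if __name__ == "__main__":
    print(characteristic_sequence(DOUBLING, 4, 12))   # (2, [[4], [8]])
    print(characteristic_sequence(MIXED, 0, 6))       # (1, [[0, 1], [3, 1]])
```

For the doubling input the transient matters: at k = 0 and x = 2 the atom is false although the k-even formula 12 | 4x + 4 is true, which is why the sequences only need to agree on all but finitely many terms.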

A conditional termination analysis for programs
This section demonstrates how the results from Sections 3 and 4 can be combined to yield a conditional termination analysis that applies to general programs.
Integer-spectrum restriction for Q-DLTS
Section 3 gives a way to compute a Q-DATS-reflection of any transition formula. Yet the analysis we developed in Section 4 only applies to linear dynamical systems with integer spectrum. We now show how to bridge the gap. Let V be a Q-DATS. As discussed in Section 3.4, we may homogenize V to obtain a Q-DLTS T. Define Z(T) to be the space spanned by the generalized (right) eigenvectors of $T|_\omega$ that correspond to integer eigenvalues: Since Z(T) is invariant under $T|_\omega$ and thus T, T defines a linear map $T|_Z : Z(T) \to Z(T)$, and by construction $T|_Z$ has integer spectrum. The following lemma justifies the restriction of our attention to the subspace Z(T).
Lemma 5. Let F be a transition formula, let ⟨V, s⟩ be a Q-DATS-reflection of F, and let ⟨T, h⟩ = homog(V). For any state $v \in \mathrm{dom}^\omega(F)$, we have h(s(v)) ∈ Z(T).
Example 7. Figure 2 shows a loop that computes the number of trailing 0's in the binary representation of integer x and its corresponding transition formula. The homogenization of the Q-DATS-reflection of F is the Q-DLTS T, where: The ω-domain of T is the whole state space $\mathbb{Q}^3$. Since the eigenvector $[1\ 0\ 0]^\intercal$ of the transition matrix corresponds to a non-integer eigenvalue $\frac{1}{2}$, the x-coordinate of states in Z(T) must be 0; i.e., Z(T) = {(x, c, y) : x = 0}. We conclude that x = 0 is a sufficient condition for the loop to terminate. ⌟
The mortal precondition operator
Algorithm 2 shows how to compute a mortal precondition for an LIA transition formula F(x, x′) (i.e., a sufficient condition for which F terminates). The algorithm operates as follows. First, we compute a Q-DATS-reflection of F, and homogenize to get a Q-DLTS T and an affine simulation t : F → T. Let p denote an (arbitrary) projection from $S_T$ onto Z(T) (so p is a simulation from T to $T|_Z$). We then compute an LIA formula G which represents the states w of $T|_{Z(T)}$ such that there is some v ∈ dom(F) such that t(v) ∈ Z(T) and p(t(v)) = w. Letting $(H_0, \ldots, H_P)^\omega$ be the characteristic sequence $\chi(G, T|_Z)$, we have that for any $v \in \mathrm{dom}^\omega(F)$, t(v) must belong to Z(T) and p(t(v)) satisfies each $H_i$, so we define Within the context of the algorithm, we suppose that states of F are represented by n-dimensional vectors, states of T are represented as m-dimensional vectors, and states of $T|_Z$ are represented as q-dimensional vectors. The affine simulation t is represented in the form x → Ax + b, where $A \in \mathbb{Z}^{m \times n}$ and $b \in \mathbb{Z}^m$, the projection p as a $\mathbb{Z}^{q \times m}$ matrix, and the linear map $T|_Z$ as a $\mathbb{Q}^{q \times q}$ matrix. The fact that p and t have all integer (rather than rational) entries is without loss of generality, since any simulation can be scaled by the least common denominator of its entries.
Theorem 3 (Soundness). For any transition formula F, for any state s such that s ∈ mp(F), we have $s \notin \mathrm{dom}^\omega(F)$.
Proof. Let T, t, p, C, G, and $H_0, \ldots, H_P$ be as in Algorithm 2. We prove the contrapositive: we assume $v \in \mathrm{dom}^\omega(F)$ and prove $v \notin \mathrm{mp}(F)$, or equivalently $v \models H_i(p(t(x)))$ for each i and t(v) ∈ Z(T). We have t(v) ∈ Z(T) by Lemma 5, so it remains only to show that $v \models H_i(p(t(x)))$ for each i. Since )∧Ct(x) = 0 holds for all j. By Theorem 2, $H_i(p(t(x)))$ holds for all $H_i$.
Monotonicity is a desirable property for termination analysis: it guarantees that more information into the analysis always leads to better results. In our context, monotonicity also guarantees that if we cannot prove termination using the mp operator that we defined, then any linear abstraction of the loop does not terminate.

Evaluation
Section 5 shows how to compute mortal preconditions for transition formulas. Using the framework of algebraic termination analysis [33], we can "lift" the analysis to compute mortal preconditions for whole programs. The essential idea is to compute summaries for loops and procedures in "bottom-up" fashion, apply the mortal precondition operator from Section 5 to each loop body summary, and then propagate the mortal preconditions for the loops back to the entry of the program (see [33] for more details). We can verify that a program terminates by using an SMT solver to check that its mortal precondition is valid. We have implemented our conditional termination analysis (BLACT, Best Linear Abstraction for Conditional Termination). We compare the performance of our analysis against 2LS [5], Ultimate Automizer [10] and CPAchecker [23], the top three competitors in the termination category of the Competition on Software Verification (SV-COMP) 2020. We also compare with ComPACT [33], which uses the same algebraic termination analysis framework as BLACT, but uses a different method to compute conditional termination arguments for individual loops.
Experiments are run on a virtual machine with Ubuntu 18.04, with a single-core Intel Core i5-7267U @ 3.10GHz CPU and 3 GB of RAM. All tools were run with a time limit of 10 minutes. CPAchecker was run with a heap memory limit of 2500 MB.
Benchmarks We tested on a suite of 263 programs divided into 4 categories. The termination and recursive suites contain small programs with challenging termination arguments, while the polybench suite contains larger real-world programs that have relatively simple termination arguments. The termination category consists of the non-recursive, terminating benchmarks from SV-COMP 2020 in the Termination-MainControlFlow suite. The recursive category consists of the recursive, terminating benchmarks from the recursive directory and Termination-MainControlFlow. Note that 2LS does not handle recursive programs, so we exclude it from the recursive category. Finally, we created a new test suite linear consisting of terminating programs whose termination can be proved by computing best linear abstractions and analyzing the asymptotic behavior of these linear abstractions. This suite includes: all examples of loops with multi-phase ranking functions from [1], loops with disjunctive or modular arithmetic guards, loops that model integer division and remainder calculation, etc.
How does BLACT compare with the state-of-the-art? The comparison of BLACT against existing termination analysis tools across all test suites is shown in Figure 3. BLACT uses substantially less time than 2LS, UAutomizer, and CPAchecker. BLACT is able to prove fewer benchmarks on the termination and recursive suites; these benchmarks are designed to have difficult termination arguments, which most tools approach by using a portfolio of different termination techniques (e.g., UAutomizer synthesizes linear, nested, multi-phase, lexicographic and piecewise ranking functions). We investigate the use of BLACT in a portfolio solver in the following. BLACT solves all tasks within the polybench suite, which contains larger numerical programs that have simple termination arguments. 2LS, UAutomizer, and CPAchecker are unable to solve any, as they run out of time or memory. Nested loops are a problematic pattern that appears in these tasks, e.g.,

    for (int j = 0; j < 4096; j += step) // no modifications to i, j, or step

For such loops, BLACT is guaranteed to synthesize a conditional termination argument that is at least as weak as $step > 0$ (regardless of the contents of the inner loop) by monotonicity and the fact that the loop body formula entails $i < 4096 \land i' = i + step \land step' = step$. UAutomizer, CPAchecker, and 2LS cannot make such theoretical guarantees. The performance of 2LS, UAutomizer, and CPAchecker on the linear suite demonstrates that BLACT is capable of proving termination of programs that lie outside the boundaries of any other tool.
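The guarantee described above for the `step` loop can be checked by hand on its linear abstraction. The following Python sketch is an added example, not code from BLACT or the paper: it assumes a matrix whose only eigenvalue is 1 and a single strict guard, all function names are hypothetical, and it goes beyond the text by also covering a constructed three-variable loop.

```python
"""Eventual invariance of a guard g.x < c along x -> A x (A has 1 as its only eigenvalue)."""
from math import comb

def mat_vec(m, v):
    return [sum(a * b for a, b in zip(row, v)) for row in m]

def nilpotent_part(a):
    """Return N = A - I; reject A unless N^n = 0 (the assumption this sketch makes)."""
    n = len(a)
    nil = [[a[r][c] - (r == c) for c in range(n)] for r in range(n)]
    cols = [[int(r == c) for r in range(n)] for c in range(n)]  # standard basis vectors
    for _ in range(n):
        cols = [mat_vec(nil, col) for col in cols]  # after n rounds: columns of N^n
    if any(any(col) for col in cols):
        raise ValueError("A - I is not nilpotent")
    return nil

def guard_coeffs(a, g, c, x0):
    """d_0..d_{n-1} such that g.(A^k x0) - c == sum_j C(k, j) * d_j for every k >= 0."""
    nil = nilpotent_part(a)
    v, coeffs = list(x0), []
    for j in range(len(a)):
        dot = sum(gi * vi for gi, vi in zip(g, v))
        coeffs.append(dot - c if j == 0 else dot)
        v = mat_vec(nil, v)  # v becomes N^(j+1) x0
    return coeffs

def guard_value_at(coeffs, k):
    """Closed form of g.(A^k x0) - c, using A^k = sum_j C(k, j) N^j."""
    return sum(comb(k, j) * d for j, d in enumerate(coeffs))

def eventually_invariant(a, g, c, x0):
    """True iff g.(A^k x0) < c for all sufficiently large k."""
    # C(k, j) grows like k^j / j!, so the highest-index nonzero d_j decides the sign.
    for d in reversed(guard_coeffs(a, g, c, x0)):
        if d != 0:
            return d < 0
    return False  # the difference is identically 0, so the strict guard never holds

def mortal(a, g, c, x0):
    """Sufficient condition for termination from x0: the guard cannot hold forever."""
    return not eventually_invariant(a, g, c, x0)

def iterate(a, x0, k):
    """A^k x0 by direct iteration, used only to cross-check the closed form."""
    v = list(x0)
    for _ in range(k):
        v = mat_vec(a, v)
    return v

# State (i, step): i' = i + step, step' = step, guard i < 4096 (the formula in the text).
STEP_LOOP = ([[1, 1], [0, 1]], (1, 0), 4096)
# Constructed case, state (x, y, z): while (x > 0) { x += y; y += z; }, guard -x < 0.
PHASE_LOOP = ([[1, 1, 0], [0, 1, 1], [0, 0, 1]], (-1, 0, 0), 0)

if __name__ == "__main__":
    for x0 in [(0, 1), (0, 0), (0, -1), (4096, 0), (5000, -1)]:
        print("step loop", x0, "mortal" if mortal(*STEP_LOOP, x0) else "guard eventually invariant")
```

Every state with `step > 0` is classified as mortal, matching the bound stated above. The state `(5000, -1)` is not, even though the loop exits at once from it, which shows that the condition is sufficient for termination rather than exact.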
Can BLACT improve a portfolio solver? We compare BLACT and ComPACT in Figure 4. ComPACT implements several termination techniques, and BLACT can be added as a plug-in. Adding BLACT to the existing portfolio of methods implemented in ComPACT, we can solve 10 additional tasks while adding negligible runtime overhead. In fact, adding BLACT to the portfolio decreases the amount of time it takes for ComPACT to complete the linear suite. Note that the combined tool is also the most powerful among all those we tested, for all except the termination category.

Related work
Termination analysis of linear loops The universal termination problem for linear loops (or total deterministic affine transition systems, in the terminology of Section 4) was posed by Tiwari [29]. The case of linear loops over the reals was resolved by Tiwari [29], over the rationals by Braverman [4], and finally over the integers by Hosseini et al. [14]. In principle, we can combine any of these techniques with our algorithm for computing DATS-reflections of transition formulas to yield a sound (but incomplete) termination analysis. The significance of computing a DATS-reflection (rather than just "some" abstraction) is that it provides an algorithmic completeness result: if it is possible to prove termination of a loop by exhibiting a terminating linear dynamical system that simulates it, the algorithm will prove termination.
The method introduced in Section 4 to compute characteristic sequences of inequalities is based on the method that Tiwari used to prove decidability of the universal termination problem for linear loops with (positive) real spectra [29]. Tiwari's condition of having real spectra is strictly more general than the integer spectra used by our procedure; requiring that the spectrum be integer allows us to express the DTA procedure in linear integer arithmetic rather than real arithmetic. Similar procedures appear also in [18,12]. We note in particular that our results in Sections 4 and 5 subsume Frohn and Giesl's decision procedure for universal termination for upper-triangular linear loops [12]; since every rational upper-triangular linear loop has a rational spectrum (and is therefore a Q-DATS), the mortal precondition computed for any rational upper-triangular linear loop is valid iff the loop is universally terminating.
Linear abstractions The formulation of "best abstractions" using reflective subcategories is based on the framework developed in [17]. A variation of this method was used by Kincaid and Silverman in the context of invariant generation by finding (weak) reflections of linear rational arithmetic formulas in the category of rational vector addition systems [27]. This paper is the first to apply the idea to termination analysis.
Kincaid et al. give a method for extracting polynomial recurrence (in)equations that are entailed by a transition formula [16]. The algorithm can also be applied to compute a TDATS-abstraction of a transition formula. The procedure does not guarantee that the TDATS-abstraction is a reflection (best abstraction); Proposition 1 demonstrates that no such procedure exists. In this paper, we generalize the model to allow non-total transition systems, and show that best abstractions do exist. The techniques from Section 3 can be used for invariant generation, improving upon the methods of [16]. Kincaid et al. show that the category of linear dynamical systems with periodic rational spectrum is a reflective subcategory of the category of linear dynamical systems [18]. A complex number $n$ is periodic rational if $n^p$ is rational for some $p \in \mathbb{N}^+$. Combining this result with the technique from Section 3 yields the result that the category of DATS with periodic rational spectrum is a reflective subcategory of TF. The decision procedure from Section 4 extends easily to the periodic rational case, which results in a strictly more powerful decision procedure.
Termination analysis Termination analysis, and in particular conditional termination analysis, has been widely studied. Work on the subject can be divided into practical termination analyses that work on real programs (but offer few theoretical guarantees) [6,8,30,31,32,20,11,13,2], and work on simplified models (such as linear, octagonal, and polyhedral loops) with strong guarantees (but cannot be applied directly to real programs) [25,3,21,1,29,14,4]. This paper aims to help bridge the gap between the two, by showing how to apply analyses for linear loops to general programs, while preserving some of their good theoretical properties, in particular monotonicity.

A Proofs
Lemma 1. Let $F(X, X')$ be a transition formula. The affine hull of $F$ (considered as a transition system) is the best affine abstraction of $F$ (where the simulation from $F$ to $\mathrm{aff}(F)$ is the identity).
Proof (Lemma 1). Define $A$ to be the transition system whose transition relation is the affine hull of the transition relation of $F$. Clearly, the identity function is a simulation from $F$ to $A$ since $R_F \subseteq R_A = \mathrm{aff}(F)$. Suppose that $U$ is an affine transition system and that $s : F \to U$ is a linear simulation. Then $s$ is also a linear simulation from $A$ to $U$, since $s^{-1}[R_U]$ is affine and contains $R_F$ (and therefore contains $\mathrm{aff}(F)$).

Lemma 4. Let T be a DLTS, and define Q, q α E Q (T ) (T ). Then for any Q-DLTS U and any simulation s : T → U , there is a unique simulation s :
Proof (Lemma 4). By Lemma 2 it is sufficient to show that for any $f \in S_U^\star$, we have $f \circ s \in E_Q(T)$. Suppose that $U$ has dimension $n$, and $\mathrm{dom}^\omega(U)$ has dimension $m$. Since the set of functionals $f$ satisfying $f \circ s \in E_Q(T)$ is linear, it is sufficient to construct a basis $f_1, \dots, f_n$ for $S_U^\star$ and show that $f_i \circ s \in E_Q(T)$ for each $i$.
By the spectral theorem [19, Ch. 6, Theorem 7] and the assumption that $U$ has all rational spectrum, there is a basis for $\mathrm{dom}^\omega(U)^\star$ consisting of functionals $h_1, \dots, h_m$ such that for each $i$ there is some $\lambda_i \in \mathbb{Q}$ and $r_i \geq 1$ such that $h_i \circ (U|_\omega - \lambda_i)^{r_i} = 0$. For each $i$, let $f_i \in S_U^\star$ be an (arbitrary) extension of $h_i$ to $S_U$. Let $f_{m+1}, \dots, f_n \in S_U^\star$ be a basis for the space of functionals that vanish on $\mathrm{dom}^\omega(U)$. We claim that $f_1, \dots, f_n$ is linearly independent (and is therefore a basis for $S_U^\star$). Suppose that $a_1 f_1 + \cdots + a_n f_n = 0$; we must show $a_i = 0$ for each $i$. For all $x \in \mathrm{dom}^\omega(U)$ we must have

$$\begin{aligned} 0 &= (a_1 f_1 + \cdots + a_n f_n)(x) && \text{Assumption} \\ &= (a_1 f_1 + \cdots + a_m f_m)(x) && f_{m+1}, \dots, f_n \text{ vanish on } \mathrm{dom}^\omega(U) \\ &= (a_1 h_1 + \cdots + a_m h_m)(x) && h_i \text{ and } f_i \text{ coincide on } \mathrm{dom}^\omega(U) \end{aligned}$$

and thus $a_1 = \cdots = a_m = 0$, since $h_1, \dots, h_m$ are linearly independent. Since $a_{m+1} f_{m+1} + \cdots + a_n f_n = 0$ and $f_{m+1}, \dots, f_n$ are linearly independent, we must have $a_{m+1} = \cdots = a_n = 0$. Since $s : T \to U$ is a simulation, $s$ must map elements of $\mathrm{dom}^\omega(T)$ to elements of $\mathrm{dom}^\omega(U)$; we use $s|_\omega : \mathrm{dom}^\omega(T) \to \mathrm{dom}^\omega(U)$ to denote the restriction of $s$ to $\mathrm{dom}^\omega(T)$. We have that $s|_\omega$ is a simulation from $T|_\omega$ to $U|_\omega$, which can be expressed by the equation $s|_\omega \circ T|_\omega = U|_\omega \circ s|_\omega$. From the construction of the basis $f_1, \dots, f_n$, we have that $f_i \circ (U|_\omega - \lambda_i)^{r_i} = 0$ (for $i > m$, since $f_i$ vanishes on $\mathrm{dom}^\omega(U)$ we may take $\lambda_i \triangleq 0$ and $r_i \triangleq 1$). Pre-composing with $s|_\omega$, we have

Theorem 1. For any deterministic linear transition system, Algorithm 1 computes a Q-DLTS-reflection.
Proof (Theorem 1). Let $T$ be a DLTS. Clearly, if Algorithm 1 terminates, then it returns a Q-DLTS abstraction of $T$. Since each iteration of the loop decreases the dimension of the state space $S_U$, the algorithm must terminate. It remains to show that the abstraction is a reflection.
Suppose that there exists a linear simulation v from T to an arbitrary Q-DLTS V . We show the loop maintains the invariant that there is a unique simulation v : U → V such that v = v • s. The invariant trivially holds when entering the loop. To show that it is maintained by the loop, we suppose that there exists a unique simulation v : U → V such that v = v • s, and show that there exists a unique simulation v ′ : Since v is a simulation from U to V , by Lemma 4, there exists a unique simulation q from Q to V such that v = q • q. Since V is deterministic and U ′ , d is a deterministic reflection of Q, there exists a unique simulation v ′ from U ′ to V such that q = v ′ • d. We may then verify the desired result: Finally, observe that d • q • s is the composition of surjective maps and therefore surjective. It follows that v ′ is the unique solution to the above equation.
Lemma 5. Let F be a transition formula, let V, s be a Q-DATS-reflection of F , and let T, h = homog(V ). For any state v ∈ dom ω (F ), we have h(s(v)) ∈ Z(T ).

Proof (Lemma 5). Define $t \triangleq h \circ s$; observe that $t$ is a simulation from $F$ to $T$.
By the spectral theorem, there is a basis $b_1, \dots, b_n$ for $\mathrm{dom}^\omega(T)$ such that for each $i$ there is some $\lambda_i \in \mathbb{Q}$ and some $r_i \in \mathbb{N}_{\geq 1}$ such that $(T|_\omega - \lambda_i)^{r_i}(b_i) = 0$. We now argue that without loss of generality, we can further suppose that for all $v \in \mathrm{dom}^\omega(F)$ such that $t(v) \in \mathrm{dom}^\omega(T)$, there exist integers $a_1, \dots, a_n$ such that $t(v) = a_1 b_1 + \cdots + a_n b_n$. First, extend the basis $b_1, \dots, b_n$ to a basis $b_1, \dots, b_m$ for the whole space $S_T$. Let $\{v_x\}_{x \in X}$ denote the standard basis for $S_F = X \to \mathbb{Q}$, where $v_x$ maps $x$ to 1 and all variables other than $x$ to 0. Since $b_1, \dots, b_m$ are rational vectors, there exist rationals $z_1, \dots, z_m$ such that for each $v_j$, $t(v_j)$ is an integral linear combination of $z_1 b_1, \dots, z_m b_m$; $z_1 b_1, \dots, z_m b_n$ is a basis for $\mathrm{dom}^\omega(T)$ with the desired property. To verify that for each $v \in \mathrm{dom}^\omega(F)$, $t(v)$ is an integral combination of $z_1 b_1, \dots, z_m b_m$, observe that since $v \in \mathrm{dom}^\omega(F)$, $v$ is an integral valuation and so $v$ is an integral combination of $\{v_x\}_{x \in X}$, and therefore $t(v)$ is an integral combination of $b_1, \dots, b_m$. Since $t(v) \in \mathrm{dom}^\omega(T)$, the coefficients of $b_{n+1}, \dots, b_m$ are zero.
Since for each i we have (T | ω −λ i ) ri (b i ) = 0, we have for any k and any i such , v is a generalized eigenvector of lower rank). This can be shown by induction on k.
The base case k = 0 is trivial. For the inductive step, suppose and we may verify Suppose v 0 ∈ dom ω (F ). Then there exists an infinite trajectory and so there is an infinite trajectory Since for all k we have t(v k ) ∈ dom ω (T ), there exists integers c k,1 , ..., c k,n such that t(v k ) = c k,1 b 1 + · · · + c k,n b n . Since T | ω is the restriction of T to dom ω (T ) and T | ω is linear, we have Suppose for a contradiction that there is some i with c 0,i = 0 and λ i is not an integer. Without loss of generality, further suppose that b i has the greatest rank r i among all such indices. We will show that c k,i = λ k i c 0,i for all k, which is a contradiction since each c k,i is an integer and λ i is not an integer.
By the above, for each b j we have T | k ω (b j ) = λ k j b j +v j for some v j satisfying (T | ω − λ j ) ri−1 (v j ) = 0, and we have Since r i is maximal, every v j is orthogonal to b i (w.r.t. the basis b 1 , . . . , b n ), and so c k,i is simply λ k i c 0,i .

A.1 Homogenization
Section 3.4 gives a simple construction of the homogenization of a DATS over a state space of the form Q n . We now give a general definition (for arbitrary linear spaces) that is more convenient for our technical development. Suppose that T is a non-empty affine transition system, and let x 0 → T x ′ 0 ∈ R T be an arbitrary transition (the choice is irrelevant). Define H(T ) to be the transition system where

Proof (Corollary 1). Let T be a deterministic affine transition system. If R T is empty, then it is a Q-DATS and we are done. Suppose R T is non-empty. By Lemma 1, H(T ) has a Q-DLTS-reflection, say T , s . The intuition behind the argument is that we may "dehomogenize" T and s to obtain a Q-DATS-reflection Z, z of T . In the following, for any product space A× B, we use π 1 and π 2 to denote the first and second projection (π 1 (a, b) ≜ a, π 2 (a, b) ≜ b). Let K be the linear transition system where S K = Q and R K = { s, s : s ∈ Q}; intuitively K captures the dynamics of the constant dimension introduced by the homogenization process. Clearly π 2 : H(T ) → K is a simulation, and K has rational spectrum. Since T , s is a Q-DLTS-reflection of H(T ), there is a unique simulation π 2 :T → K such that π 2 • s = π 2 . Define Z to be the affine transition system where Observe that for any x ∈ S T , we have π 2 (s(x, 0)) = π 2 (x, 0) = 0, and so the function z defined by z(x) ≜ s(x, 0) maps S T to S Z . In fact, z is a simulation from T to Z: Def'n of z Next we show that H(Z) is isomorphic toT , and therefore has rational spectrum. Define a bijective linear map e : S H(Z) → ST by e(x, c) ≜ x + cs(0, 1). We Unfolding the definitions of H(Z) and Z, we have Since by assumption Since RT is closed under linear combinations, we may add the transition in Eq. (5) to the transition Eq. (6) scaled by a factor of (c − 1) to see that Finally, we show that Z, z is a Q-DATS-reflection of T . Suppose that Y ∈ Q-DATS and y : T → Y is a simulation. Then we have a simulation
We now show that y = y • z and that y is a simulation from Z to Y (uniqueness follows from the fact that z is surjective).

A.2 Computation of Q-DLTS-reflections
We give an example for the computation of a Q-DLTS-reflection of a given DLTS. Q is deterministic and has rational spectrum, so Q, q is a Q-DLTS-reflection of T . ⌟

A.3 Monotonicity
We study properties of states that belong to mp(F ), which are later used to prove the monotonicity theorem (Theorem 4). First we define a set of initial states of a Q-DLTS T such that the trajectories emanating from these states always lie within I(T ) and, far enough along each trajectory, the states satisfy the LIA formula G.
We then point out that the set of states returned by Algorithm 2 is characterized by SAT ∞ .
Lemma 6. Let T be a Q-DLTS such that S T = Q n . Suppose we compute its integer-spectrum restriction, where M T is the matrix representation of T | I(T ) , and P T is the matrix representation of some linear projection of S T onto I(T ) (w.l.o.g. we assume P T has integer entries). Let D T be a matrix such that D T y = 0 iff y ∈ I(T ). Let G(x) be any LIA formula over x, and G ′ (w) = ∃x.G(x) ∧ D T x = 0 ∧ w = P T x. Let (H 0 (w), . . . , H p (w)) ω = χ(G ′ (w), M T ). Then the following are equivalent:
1. H 0 (P T y) ∧ · · · ∧ H p (P T y) ∧ D T y = 0 holds, and
2. y ∈ SAT ∞ (T, G(x)).
Proof. First, we prove that if y satisfies i H i (P T y) and D T y = 0, then y ∈ SAT ∞ (T, G(x)). Since D T y = 0, we have y ∈ I(T ). Since I(T ) is a subspace of dom ω (T ), there is an infinite trajectory y → T y 1 → T y 2 → T . . .. Since M T is a representation of T | I(T ) and P T is a representation of a projection from S T onto I(T ), for any k we have that M k T P T y = P T y k . By Theorem 2 and the assumption that i H i (P T y) holds, there exists K such that ∀k ≥ K, G ′ (P y k ) holds. It follows that for k ≥ K, there is some z k such that G(z k ) ∧ D T z k = 0 ∧ P T y k = P T z k holds. Since D T z = 0, we have z ∈ I(T ). Since P T is injective on I(T ), and P T x k = P T y k , we must have x k = y k , and thus G(y k ) holds for all k ≥ K, and finally y ∈ SAT ∞ (T, G(x)).
Next, we prove that given y ∈ SAT ∞ (T, G(y)), it must satisfy i H i (P T y) and D T y = 0. Since y ∈ I(T ), we have D T y = 0. Since y ∈ SAT ∞ (T, G(y)), there is an infinite trajectory y → T y 1 → T y 2 → T . . . and a K ∈ N such that G(y k ) holds for all k ≥ K. Letting w k = P T y k for all k, we have that for all k ≥ K G(y k ) ∧ D T y k = 0 ∧ w k = P T y k , and thus G ′ (w k ) holds. Since M k T P T y = P T y k = w k for all k, we have i H i (P T y) by Theorem 2.