Termination Analysis of Loops

Size: px

Start display at page:

Download "Termination Analysis of Loops"

Samuel Peters
5 years ago
Views:

1 Termination Analysis of Loops Zohar Manna with Aaron R. Bradley Computer Science Department Stanford University 1

2 Example: GCD Algorithm gcd(y 1, y 2 ) = gcd(y 1 y 2, y 2 ) if y 1 > y 2 gcd(y 1, y 2 y 1 ) if y 1 < y 2 y 1 if y 1 = y 2 Example: gcd(77, 112) = gcd(77, 35) = gcd(42, 35) = gcd(7, 35) = gcd(7, 28) = gcd(7, 21) = gcd(7, 14) = gcd(7, 7) = 7 2

3 Example: GCD Program int gcd(int y 1 > 0, int y 2 > 0) while y 1 y 2 do if y 1 > y 2 then y 1 := y 1 y 2 else y 2 := y 2 y 1 done return y 1 Abstract program: Θ : {y 1 1, y 2 1} τ 1 : {y 1 y 2 + 1} {y 1 = y 1 y 2, y 2 = y 2 } τ 2 : {y 2 y 1 + 1} {y 2 = y 2 y 1, y 1 = y 1 } for y 1, y 2 R 3

4 Example: Termination of GCD δ(y 1, y 2 ) = y 1 + y 2 Θ : {y 1 1, y 2 1} τ 1 : {y 1 y 2 + 1} {y 1 = y 1 y 2, y 2 = y 2 } τ 2 : {y 2 y 1 + 1} {y 2 = y 2 y 1, y 1 = y 1 } is a ranking function y 1 1 y 2 1 is a loop invariant δ is bounded from below: if τ 1 or τ 2 can be taken, δ(y 1, y 2 ) 0 δ decreases on each iteration: if τ 1 or τ 2 is taken, δ(y 1, y 2) δ(y 1, y 2 ) 1 Therefore, GCD terminates. Goal: Find ranking functions and supporting invariants automatically. 4

5 Ranking Functions 5

6 Loops Loop Abstraction: L : Θ, T over V: GCD variables V range over R {y 1, y 2 } initial condition Θ is assertion over V y 1 1 y 2 1 transitions τ T are assertions {τ 1, τ 2 } τ(v, V ) over V V Loop Validity: Assertion ϕ is valid over loop L L = ϕ if ϕ holds on all reachable states S L of L. values of (y 1, y 2 ) In practice, replace L = with loop invariants. y 1 1 y 2 1 6

7 Well-founded Relation (D, ): is well-founded if there is no infinite sequence d 1, d 2, d 3,... where d i D such that ( i) d i d i+1 (d 2 d 1 d 1 d 2 ) Examples: (Z +, <) (R +, ɛ ) for ɛ > 0 x ɛ y x y ɛ (L, ) for lists L l 1 l 2 l 1 < l 2 7

8 Ranking Function Consider loop L : Θ, T over V. δ : S L R is a ranking function of L if (Bounded) ( τ T ) (Ranking) ( ɛ > 0)( τ T ) L = τ(v, V ) δ(v) 0 L = τ(v, V ) δ(v ) δ(v) ɛ δ, ɛ induce a well-founded relation over S L : for s, t S L, Thus, L always terminates. s t δ(s) δ(t) ɛ 8

9 Example: GCD Prove δ(y 1, y 2 ) = y 1 + y 2 is a ranking function for GCD. Take loop invariant y 1 1 y 2 1. Choose ɛ = 1. Bounded τ 1 Ranking τ 1 y 2 1 }{{} y 1 y }{{} y 1 + y 2 0 invariant guard of τ 1 y 2 1 }{{} invariant (y 1 y 2 ) + (y 2 ) y 1 + y 2 }{{}}{{} 1 ɛ substitution by τ 1 9

10 Example: GCD Bounded τ 2 Ranking τ 2 y 1 1 }{{} y 2 y }{{} y 1 + y 2 0 invariant guard of τ 2 y 1 1 }{{} invariant (y 1 ) + (y 2 y 1 ) y 1 + y 2 }{{}}{{} 1 ɛ substitution by τ 2 Assertions are valid, so GCD always terminates. 10

11 Lexicographic Well-founded Relation Given well-founded relations over domains (D 1, 1 ), (D 2, 2 ),..., (D k, k ) define lexicographic well-founded relation over D = D 1 D 2 D k For d = d 1, d 2,..., d k, e = e 1, e 2,..., e k D d e ( i) [d i i e i ( j < i) d j = e j ] d 1,..., d i,..., d k = = i e 1,..., e i,..., e k 11

12 Lexicographic Ranking Function Consider loop L : Θ, T. Tuple of functions δ : δ 1, δ 2,..., δ k where δ i : S L R and map π : T {1,..., k} comprise a lexicographic ranking function for L if (Bounded) ( τ T ) (Ranking) ( ɛ > 0)( τ T ) L = τ(v, V ) δ π(τ) (V) 0 L = τ(v, V ) δ π(τ) (V ) δ π(τ) (V) ɛ (Nonincreasing) ( τ T ) L = ( j < π(τ))[τ(v, V ) δ j (V ) δ j (V)] 12

13 Induced Lexicographic Well-founded Relation δ, ɛ induce a lexicographic well-founded relation over S L : for s, t S L, s t ( i) [δ i (s) δ i (t) ɛ ( j < i) δ j (s) = δ j (t)] Thus, L always terminates. 13

14 Example: McCarthy 91 For n Z +, f(n) = f(f(n + 11)) if n 100 n 10 if n > 100 For every 1 n 92, f(n) = 91, if it terminates. We prove termination for all n Z +. Example: f(89) = f(f(100)) = f(f(f(111))) = f(f(101)) = f(91) = f(f(102)) = = 91 14

15 Example: Imperative McCarthy 91 int f(int x) int s = 1 while true do if x > 100 then if s = 1 then return x 10 else x := x 10 s := s 1 else x := x + 11 s := s + 1 done Abstract program: for x, s R Θ : {s = 1} τ 1 : {x 101, s 1} {x = x 10, s = s 1} τ 2 : {x 100} {x = x + 11, s = s + 1} 15

16 Example: McCarthy 91 Prove 10s x + 90 }{{}, }{{} x δ 1 δ 2 π(τ 1 ) = 2, π(τ 2 ) = 1 is a lexicographic ranking function for McCarthy 91. Take loop invariant s 1. Choose ɛ = 1. Show τ 1 δ 2 0 τ 2 δ 1 0 τ 1 δ 2 δ 2 ɛ τ 2 δ 1 δ 1 ɛ τ 1 δ 1 δ 1 16

17 Example: McCarthy 91 Bounded τ 1 : π(τ 1 ) = 2 Ranking τ 1 : π(τ 1 ) = 2 x 101 }{{} }{{} x 0 guard of τ 1 δ 2 x 101 (x 10) }{{}}{{}}{{} x }{{} 1 guard of τ δ 1 substitution into δ 2 by τ 2 ɛ 1 Nonincreasing τ 1 : 1 < π(τ 1 ) = 2 x (s 1) (x 10) s x + 90 }{{}}{{}}{{} guard of τ 1 substitution into δ 1 by τ δ

18 Example: McCarthy 91 Bounded τ 2 : π(τ 2 ) = 1 Ranking τ 2 : π(τ 2 ) = 1 s 1 x s x }{{}}{{}}{{} invariant guard of τ 2 δ 1 10(s + 1) (x + 11) s }{{}} {{ x + 90 } }{{} 1 substitution into δ 1 by τ δ 1 ɛ 2 Assertions are valid, so McCarthy 91 always terminates. 18

19 The Theoretical Landscape 19

20 Ranking Functions Theorem Every terminating loop has a ranking function. But in general, expressing a ranking function requires FOL with fixpoints, which is incomplete. Therefore, termination is not necessarily semi-decidable. In fact, we show that termination is not semi-decidable for a simple class of loops. 20

21 Interlude: Linear Loops Consider variables V = {x 1, x 2,..., x m }. homogenous vector: x = (x 1,..., x m, 1) T linear assertion: Ax 0 a 1,1 a 1,m a 1,m+1... a k,1 a k,m a k,m+1 x 1... x m i {1,...,k} (a i,1 x a i,m x m + a i,m+1 ) 0 21

22 Interlude: Linear Loops Consider variables V = {x 1, x 2,..., x m }. linear loop: L : Θ, T in which all assertions are linear let (xx ) = (x 1,..., x m, x 1,..., x m, 1) T initial condition: Θx 0 transitions: τ i (xx ) 0 22

23 Theoretical Limitation Consider loops of form: Θ : x i V V for x R n. Restricted subset of linear loops. x i = c i while g T x 0 do x := (A 1 A 2 A k ) }{{} x nondeterministic choice done Theorem Termination of such loops is not semi-decidable (not recursively enumerable). No complete method. 23

24 Synthesis Problem Identify class of loops Y and class of ranking functions Z such that synthesis of ranking functions of form Z is complete for Y. Examples: Linear ranking functions for linear loops. Lexicographic linear ranking functions for linear loops. 24

25 Recent Works Colón & Sipma 2001 Synthesis of linear ranking functions for linear loops. Colón & Sipma 2002 Extension to nested loops and multiple paths. Colón, Sankaranarayanan & Sipma 2003 Constraint-based linear invariant generation. Podelski & Rybalchenko 2004 Complete method for linear loops with one transition and no initial condition. Based on linear programming. Bradley, Manna & Sipma 2005 Polyranking-based analysis for polynomial loops with assignment. Bradley, Manna & Sipma 2005 Synthesis of lexicographic linear ranking functions with supporting invariants. 25

26 Synthesis of Linear Ranking Functions with Supporting Invariants 26

27 Linear Ranking Function Constraint-based approach: templates with unknown coefficients. Consider linear loop L : Θ, T. For r T x a template (r i are unknown coefficients), r T x is a linear ranking function if (Bounded) ( τ T ) L = τ(xx ) 0 r T x }{{} δ 0 (Ranking) ( ɛ > 0)( τ T ) L = τ(xx ) 0 r T x r T x ɛ 27

28 Lexicographic Linear Ranking Function Consider linear loop L : Θ, T. T x r T 1 x,..., r }{{} k and π : T {1,..., k} }{{} δ 1 δ k for unknown coefficients r ij and unknown π, is a k-component lexicographic linear ranking function if (Bounded) ( τ T ) (Ranking) ( ɛ > 0)( τ T ) L = τ(xx ) 0 r T π(τ) x 0 L = τ(xx ) 0 r T π(τ) x rt π(τ) x ɛ (Nonincreasing) ( τ T ) L = ( j < π(τ))[τ(xx ) 0 r T j x r T j x 0] 28

29 Linear Supporting Invariant Ranking functions often require supporting invariants. Consider linear loop L : Θ, T. For Ix 0 a template (I ij are unknown coefficients), Ix 0 is an l-conjunct linear invariant if (Initiation) Θx 0 Ix 0 (Consecution) ( τ T ) Inductive assertion invariant Ix 0 τ(xx ) 0 Ix 0 How do we find the unknown coefficients in the template? 29

30 Farkas Lemma (1894) System of linear inequalities over real variables x = {x 1,..., x n }: a 1,1 x a 1,n x n + b 1 0 S :... a m,1 x a m,n x n + b m 0 S entails linear inequality ψ : c 1 x c n x n + d 0 if and only if there exist real numbers λ 1,..., λ m 0 such that ( m m m ) c 1 = λ i a i,1 c n = λ i a i,n d λ i b i i=1 i=1 i=1 30

31 Synthesis Overview Consider loop L : Θ, T over V = {x 1, x 2,..., x m }. Templates: expression c T x, unknown coefficient vector c assertion Cx 0, unknown coefficient matrix C Given templates l-conjunct invariant template Ix 0 (I has l rows) k-component lexicographic ranking function templates {c 1 T x,..., c k T x} Apply Farkas Lemma rules to encode ranking function and supporting invariant conditions. Either use given π or synthesize it. 31

32 Farkas Lemma Rules: Invariant (Initiation) (Consecution) (Disabled) C i : D i : I : Θx 0 Ix 0 Ix 0 τ i (xx ) 0 Ix 0 Ix 0 τ i (xx ) false 32

33 Farkas Lemma Rules: Ranking Function (Bounded) B i : Ix 0 τ i (xx ) 0 c T x 0 (Ranking) R i : Ix 0 τ i (xx ) 0 c T x c T x ɛ 0 33

34 Example: R 1 for GCD τ 1 : {y 1 y 2 + 1} {y 1 = y 1 y 2, y 2 = y 2 } λ 1 i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 λ 2 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 λ 3 y 1 y λ 4 y 1 y 2 y 1 = 0 λ 5 y 2 + y 2 = 0 c 1 y 1 + c 2 y 2 c 1 y 1 c 2 y 2 ɛ 0 λ 1 i 1,1 + λ 2 i 2,1 + λ 3 + λ 4 = c 1 λ 1 i 1,3 + λ 2 i 2,3 λ 3 ɛ λ 1 i 1,2 + λ 2 i 2,2 λ 3 λ 4 λ 5 = c 2 λ 1, λ 2, λ 3 0 λ 4 = c 1 ɛ > 0 λ 5 = c 2 Constraints are over {c 1, c 2, ɛ, λ 1,..., λ 5, i 1,1,..., i 2,3 }. 34

35 Generated Constraints Constraints are linear if no invariant template is given. Constraints are parametric linear otherwise. Linear, except for a few bilinear quadratic terms (a λ and a supporting invariant template coefficient, e.g., λ 1 i 1,1 ) Decidable [Tarski 1951] Generic solvers based on CAD [Collins 1975] (e.g., Mathematica, Redlog) Specialized solvers [Sankaranarayanan et al. 2004], [Bradley et al. 2005] 35

36 Synthesis: Soundness and Completeness Special Case Linear loop L : Θ, T has a linear ranking function supported by an l-conjunct linear invariant the constraint system generated by I (D i (C i B i R i )) is satisfiable. τ i T 36

37 Example: GCD Find Θ : {y 1 1, y 2 1} τ 1 : {y 1 y 2 + 1} {y 1 = y 1 y 2, y 2 = y 2 } τ 2 : {y 2 y 1 + 1} {y 2 = y 2 y 1, y 1 = y 1 } a linear ranking function c T x c 1 y 1 + c 2 y 2 + c 3 with a 2-conjunct supporting invariant Ix 0 y 1 y 2 i 1,1 i 1,2 i 1,3 i 2,1 i 2,2 i 2,

38 Example: GCD Invariant Initiation Consecution I : y 1 1 y 2 1 i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 C 1 : i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 y 1 y y 1 = y 1 y 2 y 2 = y 2 i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 C 2 : i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 y 2 y y 2 = y 2 y 1 y 1 = y 1 i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 38

39 Example: GCD Ranking Function Bounded B 1 : i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 y 1 y c 1 y 1 + c 2 y 2 + c 3 0 B 2 : i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 y 2 y c 1 y 1 + c 2 y 2 + c 3 0 Ranking R 1 : R 2 : i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 y 1 y y 1 = y 1 y 2 y 2 = y 2 c 1 y 1 + c 2 y 2 c 1 y 1 + c 2 y 2 + ɛ i 1,1 y 1 + i 1,2 y 2 + i 1,3 0 i 2,1 y 1 + i 2,2 y 2 + i 2,3 0 y 2 y y 2 = y 2 y 1 y 1 = y 1 c 1 y 1 + c 2 y 2 c 1 y 1 + c 2 y 2 + ɛ 39

40 Example: GCD Synthesis Θ : {y 1 1, y 2 1} τ 1 : {y 1 y 2 + 1} {y 1 = y 1 y 2, y 2 = y 2 } τ 2 : {y 2 y 1 + 1} {y 2 = y 2 y 1, y 1 = y 1 } Solving the constraint system induced by reveals ranking function I C 1 C 2 B 1 B 2 R 1 R 2 c 1 = c 2 = 1, c 3 = 0 y 1 + y 2 with ɛ = 1, supported by the invariants i 1,1 = 1, i 1,2 = 0, i 1,3 = 1 i 2,1 = 0, i 2,2 = 1, i 2,3 = 1 y 1 1 y 2 1 which proves that GCD always terminates. 40

41 Synthesis of Linear Lexicographic Ranking Functions with Supporting Invariants 41

42 Farkas Lemma Rules: Invariant (Initiation) (Consecution) (Disabled) C i : D i : I : Θx 0 Ix 0 Ix 0 τ i (xx ) 0 Ix 0 Ix 0 τ i (xx ) false 42

43 Farkas Lemma Rules: Ranking Function (Bounded) B ij : Ix 0 τ i (xx ) 0 c j T x 0 (Ranking) (Nonincreasing) R ij : N ij : Ix 0 τ i (xx ) 0 c T j x c T j x ɛ 0 Ix 0 τ i (xx ) 0 c T j x c T j x 0 43

44 Synthesis: Soundness and Completeness Theorem (General Case) Linear loop L : Θ, T has a k-lexicographic linear ranking function supported by an l-conjunct linear invariant the constraint system generated by I ( Di ( )) C i B i,π(i) R i,π(i) τ i T is satisfiable for some π : T {1,..., k}. τ i T, j<π(i) (D i N ij ) 44

45 Synthesizing Lexicographic Ranking Functions The theorem asks for a map π. Can we efficiently find the map? Overview: Initially propose one template component per transition {c 1 T x,..., c n T x} Inexpensive because template coefficients c i appear only linearly in generated constraints. Incrementally build linear order over T. Linear order gives π. Use intermediate partial orders to generate and solve constraint systems to guide search. 45

46 Simplified Farkas Lemma Rules One component per transition. (Bounded) B i : Ix 0 τ i (xx ) 0 c i T x 0 (Ranking) R i : Ix 0 τ i (xx ) 0 c i T x c i T x ɛ 0 46

47 Synthesizing Lexicographic Ranking Functions Incrementally build over T : 1. Guess τ i τ j :..., c i T x,..., c j T x, Generate constraint system and solve. I, C i, D i, B i, R i are fixed. τ i τ j induces N ji : τ j should not increase c i T x Satisfiable Continue search Unsatisfiable Try τ i τ j Satisfiable Continue search Unsatisfiable Backtrack 3. Finished when order is linear and generated constraint system is satisfiable. 47

48 One Constraint System per Component Given lexicographic template components {c T 1 x,..., c T n x} and partial order over T, solve n constraint systems induced by I τ i (D i C i ) } {{ } Invariant (D j (B j R j )) }{{} τ j ranked by c j T τ i s.t. τ j τ i (D i N ij ) }{{} τ i does not increase c j T if τ j τ i..., c T j x,..., c T i x,... τ j τ i for j {1,..., n}. 48

49 One Constraint System per Component Advantages: Multiple smaller constraint systems are easier to solve in practice. Invariant template may be instantiated differently for each constraint system. 49

50 Example: McCarthy 91 Θ : {s = 1} τ 1 : {x 101, s 0} {x = x 10, s = s 1} τ 2 : {x 101, s 2} {x = x 10, s = s 1} split of s 1 τ 3 : {x 100} {x = x + 11, s = s + 1} Find a 3-component lexicographic linear ranking function r T 1 x, r T 2 x, r T 3 x π : T {1, 2, 3} with a 1-conjunct supporting invariant Ix 0 50

51 Example: McCarthy 91 Iteration 1: One template per transition. {c T 1 x, c T 2 x, c T 3 x} No order assumed between transitions. Three sets of conditions: c T 1 x : I C 1 C 2 C 3 B 1 R 1 c T 2 x : I C 1 C 2 C 3 B 2 R 2 c T 3 x : I C 1 C 2 C 3 B 3 R 3 Induced constraint systems are satisfiable. 51

52 Example: McCarthy 91 Constraints on c 1 T x: Initiation Consecution I : s = 1 i 1 s + i 2 x + i 3 0 C 1 : C 2 : C 3 : i 1 s + i 2 x + i 3 0 x 101 s 2 x = x 10 s = s 1 i 1 s + i 2 x + i 3 0 i 1 s + i 2 x + i 3 0 x 101 s 0 x = x 10 s = s 1 i 1 s + i 2 x + i 3 0 i 1 s + i 2 x + i 3 0 x 100 x = x + 11 s = s + 1 i 1 s + i 2 x + i

53 Example: McCarthy 91 Bounded B 1 : i 1 s + i 2 x + i 3 0 x 101 s 0 c 1,1 s + c 1,2 x + c 1,3 0 Ranking R 1 : i 1 s + i 2 x + i 3 0 x 101 s 0 x = x 10 s = s 1 c 1,1 s + c 1,2 x c 1,1 s + c 1,2 x + ɛ 53

54 Example: McCarthy 91 Iteration 2: Guess τ 3 τ 2...., c 3 T x,..., c 2 T x,... τ 2 should not increase c T 3 x. Three sets of conditions: c T 1 x : I C 1 C 2 C 3 B 1 R 1 c T 2 x : I C 1 C 2 C 3 B 2 R 2 c T 3 x : I C 1 C 2 C 3 B 3 R 3 N 2,3 Induced constraint systems are satisfiable. 54

55 Example: McCarthy 91 Iteration 3: Guess τ 1 τ 3...., c 1 T x,..., c 3 T x,... τ 3 should not increase c T 1 x. Three sets of conditions: c T 1 x : I C 1 C 2 C 3 B 1 R 1 N 3,1 c T 2 x : I C 1 C 2 C 3 B 2 R 2 c T 3 x : I C 1 C 2 C 3 B 3 R 3 N 2,3 Induced constraint system for c T 1 x is unsatisfiable. 55

56 Example: McCarthy 91 Iteration 3: Try τ 3 τ 1 instead...., c T 3 x,..., c T 1 x,... τ 1 should not increase c T 3 x. Three sets of conditions: c T 1 x : I C 1 C 2 C 3 B 1 R 1 c T 2 x : I C 1 C 2 C 3 B 2 R 2 c T 3 x : I C 1 C 2 C 3 B 3 R 3 N 2,3 N 1,3 Induced constraint systems are satisfiable. 56

57 Example: McCarthy 91 Iteration 4: Guess τ 2 τ 1 (but τ 1 τ 2 works, too)...., c T 2 x,..., c T 1 x,... τ 1 should not increase c T 2 x. Three sets of conditions: c T 1 x : I C 1 C 2 C 3 B 1 R 1 c T 2 x : I C 1 C 2 C 3 B 2 R 2 N 1,2 c T 3 x : I C 1 C 2 C 3 B 3 R 3 N 2,3 N 1,3 Induced constraint systems are satisfiable. 57

58 Example: McCarthy 91 Iteration 4: is a linear order: c T 3 x, c T 2 x, c T 1 x τ 3 τ 2 τ 1 gives π: π(τ 1 ) = 3, π(τ 2 ) = 2, π(τ 3 ) = 1 58

59 Example: McCarthy 91 Θ : {s = 1} τ 1 : {x 101, s 0} {x = x 10, s = s 1} τ 2 : {x 101, s 2} {x = x 10, s = s 1} τ 3 : {x 100} {x = x + 11, s = s + 1} Solving the final constraint systems reveals ranking function 10s x + 90, x, x π(τ 1 ) = 3, π(τ 2 ) = 2, π(τ 3 ) = 1 supported by the invariant s 1 which proves that McCarthy 91 always terminates. 59

60 In Practice Name LOC L A P P/A P/L Sec meschach 28K % 83% 64 gnuplot 50K % 36% 88 gaim 57K % 8% 94 ffmpeg 108K % 78% 198 Prototype unsound abstraction of C loops, using cil. Why unsound? Overflows, unsigned, doubles abstracted as Rs, etc. Aliasing, globals changed by function calls, etc. In principle, can be sound an engineering task. Synthesis of lexicographic linear ranking functions. Lexicographic function needed for 10 loops. 60

61 Example of Failed Abstraction List * iter = items; while (iter!= NULL) {... iter = iter->next; } Proving termination requires: proving that items is noncircular (nontrivial); abstracting iteration to counting down (trivial). 61

62 Example of Failed Abstraction char * ptr = input; while (*ptr!= \0 ) {... ptr++; } Proving termination requires: proving that input is a well-formed C string (nontrivial). abstracting pointer arithmetic to counting down (trivial). 62

63 Reasons for Failed Proofs 1. Prototype abstracter! 2. Need for invariants. Examples: i = 2 * i; i = i + k; i 0 to deduce increase in i k > 0 to deduce increase in i 3. Need for summarizing embedded loops. Example: while (i < n) { while (...) { i++; } summarize with i i i++; } 4. Need for function invariants. Example: i = i + strlen(str); 5. Loop does not terminate. knowledge about str and strlen 63

64 Appendix 64

65 Expanding a Farkas Lemma Rule R ij : Ix 0 τ i (xx ) 0 c T j x c T j x ɛ 0 λ I Ix + i 0 λ G G i x + g i 0 λ U U i x + V i x + u i 0 c j T x c j T x ɛ 0 λ T I I + λt G G i + λ T U U i = c j λ T U V i = c j λ T I i + λt G g i + λ T U u i ɛ λ I, λ G, λ U 0 ɛ > 0 x = (x 1,..., x m, 1) T (xx ) = (x 1,..., x m, x 1,..., x m, 1) T Expand assertions: x = (x 1,..., x m ) T x = (x 1,..., x m) T I, i define Θ G i, g i, U i, V i, u i define τ i Constraints over {λ I, λ G, λ U, c j, ɛ} 65

66 Lexicographic Synthesis let lex L : Θ, T = let sat o = ( τ T )(satisfiable L τ o) in let rec search o = sat o and match choose o with None true (search (o (τ τ ))) Some (τ, τ ) or (search (o (τ τ))) in search {} 66

67 Lexicographic Synthesis Calling satisfiable L τ j o generates and solves a constraint system for L, τ, and o, in which N ij is imposed iff (τ j τ i ) o Solving partial constraint systems guides the construction of lexicographic ranking functions. 67

The Polyranking Principle

The Polyranking Principle Aaron R. Bradley, Zohar Manna, and Henny B. Sipma Computer Science Department Stanford University Stanford, CA 94305-9045 {arbrad,zm,sipma}@theory.stanford.edu Abstract. Although