Keywords

1 Introduction

Ranking function synthesis refers to the problem of finding a well-founded metric that decreases at each iteration of a loop. It is a critical subroutine in modern termination analyzers like Terminator [12], Ultimate Automizer [16], and ComPACT [26]. One could synthesize ranking functions via a template, i.e., fixing a particular form of ranking functions to be considered while leaving parameters as free variables, and encoding the conditions for the function to rank the given loop as a logical formula, thereby reducing the synthesis problem to a constraint-solving problem. Provided that the resulting constraint-solving problem is decidable, this method yields a complete procedure for synthesizing ranking functions that match the template. In particular, the template-based method is the basis of complete synthesis of ranking functions for linear and lexicographic linear ranking functions for loops whose bodies and guards can be expressed in linear real or integer arithmetic [3, 23]. A limitation of the approach is that it is only complete with respect to template languages that can be defined by finitely many parameters (e.g., we may define a template for all linear terms or degree-2 polynomials, but not polynomials of unbounded degree).Footnote 1

In this paper, we study the problem of synthesizing polynomial ranking functions for nonlinear loops. There are two apparent obstacles. The first obstacle results from the difficulty of reasoning about nonlinear arithmetic. Nonlinear integer arithmetic is undecidable, and so even checking whether a given function ranks a loop is undecidable, let alone synthesizing one. While nonlinear real arithmetic is decidable, it has high complexityā€“prior work has explored incomplete constraint-solving approaches to avoid the cost of decision procedures for real arithmetic [1, 13], but this sacrifices the completeness property typically enjoyed by template-based methods. The second obstacle is that the set of all polynomials cannot be described as a template language with finitely many parameters, thus precluding complete ranking function synthesis based on the template method.

To tackle the undecidability problem, we adopt a weak theory of nonlinear arithmetic \(\textbf{LIRR}\) that is decidable [18]. For the infinite template problem, we first compute the finite set of polynomials that are entailed to be bounded modulo \(\textbf{LIRR}\) by the loop, and use them to define a template language with finitely many parameters to describe ā€œcandidate termsā€ for ranking functions. We then show that synthesis of ranking functions consisting of non-negative linear combinations of these candidate terms can be reduced to a constraint-solving problem in linear arithmetic. The adoption of \(\textbf{LIRR}\) ensures that we do not lose completeness in any of the above steps, i.e., any ranking function modulo \(\textbf{LIRR}\) can be written as a nonnegative combination of the ā€œcandidate termsā€ in the template. We thus have a procedure for synthesizing polynomial ranking functions that is sound for the reals, and complete in the sense that if a polynomial ranking function exists for a formula (modulo \(\textbf{LIRR}\)), then the analysis will find it. Furthermore, we extend this analysis to one that is sound for the integers and complete relative to lexicographic polynomial ranking functions (modulo \(\textbf{LIRR}\)).

Using the framework of algebraic termination analysis [26], we extend our termination analysis on loops (represents as formulas) to whole programs (including nested loops, recursive procedures, etc.). The completeness of the proposed procedures leads to monotone end-to-end termination analyses for whole programs. Informally, monotonicity guarantees that if the analysis can prove termination of a program P and P is transformed to a program \(P'\) in a way that provides more information about its behavior (e.g., by decorating the program with invariants discovered by an abstract interpreter) then the analysis is certain to prove termination of \(P'\) as well.

Our experimental evaluation establishes that the procedure based on polynomial ranking function and lexicographic polynomial ranking function synthesis with the background theory of \(\textbf{LIRR}\) is competitive for SV-COMP termination benchmarks, especially for the nonlinear programs.

2 Background

Linear Algebra and Polyhedral Theory

In the following, we use linear space to mean a linear space over the field of rationals \(\mathbb {Q}\). Let L be a linear space. A set \(C \subseteq L\) is convex if for every \(p, q \in C\) and every \(\lambda \in [0, 1]\), we have \(\lambda p + (1-\lambda ) q \in C\). We use \(\textit{conv}\left( S\right) \) to denote the convex hull of a set \(S \subseteq L\), which is the smallest convex set that contains S. A set Q is a polytope if it is the convex hull of a finite set. A set \(C \subseteq L\) is a (convex) cone if it contains 0 and is closed under addition and multiplication by \(\mathbb {Q}^{\ge 0}\) (nonnegative rationals). For a set \(G \subseteq L\), its conical hull is the smallest cone that contains G, defined as \(\textit{cone}(G) = \left\{ \lambda _1 g_1 + \dots + \lambda _m g_m: \lambda _i \in \mathbb {Q}^{\ge 0}, g_i \in G \right\} \). Given any \(A, B \subseteq L\), we use \(A+B \triangleq \left\{ a + b : a \in A, b \in B \right\} \) to denote their Minkowski sum.

A set \(P \subseteq L\) is a polyhedron if \(P = \textit{cone}(R) + \textit{conv}\left( V\right) \), where R,Ā V are finite sets in L, and use the notation \(P = \textit{V-rep}(R, V)\). Convex polyhedra are effectively closed under intersection; that is, there is a procedure \(\texttt {intersect}\)Ā  such that for any finite \(R_1,V_1,R_2,V_2 \subseteq L\) we have

$$ \textit{V-rep}(\texttt {intersect}\,(R_1,V_1,R_2,V_2)) = \textit{V-rep}(R_1,V_1) \cap \textit{V-rep}(R_2,V_2) \ . $$

The Ring of Rational Polynomials

For a finite set of variables X, we use \(\mathbb {Q}[X]\) to denote the ring of polynomials over X with rational coefficients, and \(\mathbb {Q}[X]^1\) to denote the set of linear polynomials over X. A set \(I \subseteq \mathbb {Q}[X]\) is an ideal if it contains zero, is closed under addition, and for every \(p \in \mathbb {Q}[X]\) and \(q \in I\) we have \(pq \in I\). For a finite set \(G = \left\{ g_1,\dots ,g_n \right\} \subseteq \mathbb {Q}[X]\), we use \(\left\langle G \right\rangle \triangleq \left\{ p_1g_1 + \cdots + p_ng_n : p_1,\dots ,p_n \in \mathbb {Q}[X] \right\} \) to denote the ideal generated by the elements in G. By Hilbertā€™s basis theorem, we have that every ideal in \(\mathbb {Q}[X]\) can be written as \(\left\langle G \right\rangle \) for some finite set G. Equivalently, for any ascending chain of ideals \(I_1 \subseteq I_2 \subseteq \dots \) in \(\mathbb {Q}[X]\), there exists an index j such that \(I_j = I_k\) for all \(k \ge j\).

Note that \(\mathbb {Q}[X]\) is a linear space over \(\mathbb {Q}\), and so cones, polytopes, and polyhedra consisting of polynomials are defined as above. We say that a cone \(C \subseteq \mathbb {Q}[X]\) is algebraic if it is the Minkowski sum of an ideal and a finitely-generated convex cone [18]. For finite sets of polynomials \(Z,P \subseteq \mathbb {Q}[X]\), we use

figure a

to denote the algebraic cone generated by Z and P; we call Z and P the ā€œzerosā€ and ā€œpositivesā€ of the cone, respectively. When the set of variables is clear, we often omit the subscript and just write \(\textit{alg.cone}\,(Z, P)\).

For any algebraic cone \(C \subseteq \mathbb {Q}[X]\), the set of linear polynomials in C forms a convex polyhedron. We use \(\texttt {linearize}\,\) to denote the operation that computes this setā€”that is, for any finite \(Z,P \subseteq \mathbb {Q}[X]\), we have

$$\begin{aligned} \textit{V-rep}(\texttt {linearize}\,(Z,P)) = \textit{alg.cone}\,(Z,P) \cap \mathbb {Q}[X]^1 \ . \end{aligned}$$

There is a procedure \(\texttt {inverse-hom}\,\) for computing the inverse image of an algebraic cone under a ring homomorphism ([18],Ā Theorem 9). More precisely, let be an algebraic cone, Y be a set of variables, and \(f:\mathbb {Q}[Y] \rightarrow \mathbb {Q}[X]\) be a ring homomorphism, then

figure c

In this paper it will be useful to define a common generalization algebraic cones and convex polyhedra, which we call a algebraic polyhedra. We say that a set of polynomials \(R \subseteq \mathbb {Q}[X]\) is an algebraic polyhedron if it is the Minkowski sum of an algebraic cone and a convex polytopeFootnote 2. An algebraic polyhedron can be represented by a triple \(\left\langle Z,P,V \right\rangle \) where Z,Ā P,Ā V are finite sets of polynomials; such a triple represents the algebraic polyhedron

$$\begin{aligned} \textit{alg.polyhedron}\,(Z, P, V) \triangleq \textit{alg.cone}\,(Z, P) + \textit{conv}\left( V\right) \ . \end{aligned}$$

The Arithmetic Theory LIRR and Consequence Finding

We use the following syntax for formulas:

$$\begin{aligned} F,G \in {\textbf {Formula}} &::= p \le q \mid p = q \mid \textit{Int}(p) \mid F \wedge G \mid F \vee G \mid \lnot F \end{aligned}$$

where p and q denote polynomials with rational coefficients over some set of variable symbols. We regard the reals \(\mathbb {R}\) as the standard interpretation of this language, with \(\textit{Int}\) identifying the subset of integers \(\mathbb {Z} \subset \mathbb {R}\).

Kincaid et al. [18] defined another class of interpretations for the above language of formulas called linear integer/real rings. A linear integer/real ring is a commutative ring equipped with an order and an integer predicate which obeys certain axioms of the theories of linear real and linear integer arithmetic. The standard interpretation \(\mathbb {R}\) is an example of a linear integer/real ring. A ā€œnonstandardā€ example is the ring \(\mathbb {Q}[x]\), where \(p \le q\) iff p precedes q lexicographically (e.g., \(-x^3 < x < x^2 - x < x^2 < x^2 + x \)) and \(\textit{Int}(p)\) holds iff pā€™s coefficients are integers.

The fact that the theory \(\textbf{LIRR}\) of linear integer/real rings (refer to [18] for an axiomatization) admits such nonstandard (and inequivalent) models means that the theory is incomplete. Nevertheless it has desirable algorithmic properties that we will make use of in our ranking function synthesis procedures. We discuss the limitations brought by \(\textbf{LIRR}\) in Example 3.

Since the reals \(\mathbb {R}\) is a model for \(\textbf{LIRR}\), if we have \(F \models _{\textbf{LIRR}}G\), we also have \(F \models _{\mathbb {R}} G\). However, in this paper we are mostly concerned with entailment modulo \( \textbf{LIRR}\) rather than the standard model, thus we abbreviate \(F \models _{\textbf{LIRR}}G\) to \( F \models G \) by default.

For a formula F and a set of variables X, we use

$$\begin{aligned} \textbf{C}_{X}\!\left( F\right) \triangleq \left\{ p \in \mathbb {Q}[X] : F \models p \ge 0 \right\} \end{aligned}$$

to denote the nonnegative cone of F (over X). For example, given \(X = \left\{ x, y \right\} \)

$$ \textbf{C}_{X}\!\left( x = 2 \wedge y \le 1\right) = \textit{alg.cone}\,(\left\{ x - 2 \right\} , \left\{ 1, 1 - y \right\} ) \ . $$

\(\textbf{C}_{X}\!\left( F\right) \) is an algebraic cone, and there is an algorithm for computing it (Algorithm 2 of [18]), which we denote by \(\texttt {consequence}\,(F, X)\). We furthermore have that if \(\left\langle Z,P \right\rangle = \texttt {consequence}\,(F, X)\), then \(\left\langle Z \right\rangle = \left\{ z \in \mathbb {Q}[X] : F \models z = 0 \right\} \).

Transition Systems and Transition Formulas

For a set of variables X, we use \(X' \triangleq \left\{ x' : x \in X \right\} \) denote a set of ā€œprimed copiesā€. For a polynomial \(p \in \mathbb {Q}[X]\), we use \(p'\) to denote the polynomial in \(\mathbb {Q}[X']\) obtained by replacing each variable x with its primed copy \(x'\). A transition formula over a set of variables X is a formula F whose free variables range over X and \(X'\). We use \(\textbf{TF}(X)\) to denote the set of all transition formulas over X. For a transition formula \(F \in \textbf{TF}(X)\) and real valuation \(v,v' \in \mathbb {R}^X\), we use \(v \rightarrow _F v'\) to denote that \(\mathbb {R},[v,v'] \models F\), where \(\mathbb {R}\) denotes the standard model and \([v,v']\) denotes the valuation that maps each \(x \in X\) to v(x) and each \(x' \in X'\) to \(v'(x)\). A real execution of a transition formula F is an infinite sequence \(v_0, v_1, \dots \in \mathbb {R}^X\) such that for each i, we have \(v_i \rightarrow _F v_{i+1}\); we say that \(v_0,v_1,\dots \) is an integer execution if additionally each \(v_i \in \mathbb {Z}^X\). We say that Fterminates over \(\mathbb {R}\) if it has no real executions, and F terminates over \(\mathbb {Z}\) if it has no integer executions.

Ranking Functions

Let \(F \in \textbf{TF}(X)\) be a transition formula. We say that \(r \in \mathbb {Q}[X]\) is a polynomial ranking function (\(\textbf{PRF}\)) for F (modulo \(\textbf{LIRR}\)) if \(F \models 0 \le r\) and \(F \models r' \le r - 1\). The set of all polynomial ranking functions of F (modulo \(\textbf{LIRR}\)) is denoted \(\textbf{PRF}(F)\).

Lemma 1

If \(\textbf{PRF}(F) \ne \emptyset \), then F terminates over \(\mathbb {R}\).

Proof

If \(r \in \textbf{PRF}(F)\), then \(\left\lfloor r(X)\right\rfloor \) is a ranking function mapping \(\mathbb {R}^X\) into \(\mathbb {Z}\) that is well-ordered by a relation \(\preceq \), defined as \(x \preceq y\) iff \(x \ge 0 \wedge x \le y\), where \(\le \) is the usual order on the integers.Ā Ā Ā \(\square \)

We now consider lexicographic termination arguments. We define a quasi-polynomial ranking function (\( \textbf{QPRF}\)) for a transition formula \(F \in \textbf{TF}(X)\) (modulo \(\textbf{LIRR}\)) to be a polynomial \(r \in \mathbb {Q}[X]\) such that

$$ F \models r - r' \ge 0 \wedge r \ge 0 \ . $$

We say that a sequence of polynomials \(r_1,\dots , r_n \in \mathbb {Q}[X]\) is a dimension-n weak lexicographic polynomial ranking function (\(\textbf{WLPRF}\)) for F (modulo \(\textbf{LIRR}\)) if

$$\begin{aligned} &r_1 \in \textbf{QPRF}(F) \\ &r_2 \in \textbf{QPRF}(F \wedge r_1'=r_1) \\ &\vdots \\ &r_n \in \textbf{QPRF}\left( F \wedge \bigwedge _{i=1}^{n-1} r_i' = r_i\right) \\ &F \wedge \bigwedge _{i=1}^{n} r_i' = r_i \models \textit{false}\ . \end{aligned}$$

Lemma 3 sketches the proof that the existence of \(\textbf{WLPRF}\) proves termination of F over \(\mathbb {Z}\).

Lemma 2

Let \(F \in \textbf{TF}(X)\) be a transition formula. If \(r \in \mathbb {Q}[X]\) is a quasi-ranking function for F, i.e., \(F \models r' \le r \wedge r \ge 0\), and furthermore \(F \wedge r' = r \) terminates over the integers, then so does F.

Proof

Since quasi-ranking functions are closed under scaling by nonnegative scalars, we may assume that r has integer coefficients without loss of generality. Suppose for a contradiction that F has an infinite integer execution \(x_0, x_1, \dots \). Since \(r(x_i) \ge r(x_{i+1})\) for all i, and the range of r is restricted to \(\mathbb {Z}^{\ge 0}\), there exists some n such that \(r(x_{n}) = r(x_{n+1}) = \dots \). But this is impossible since \(F \wedge r' = r\) terminates over the integers.Ā Ā Ā \(\square \)

Lemma 3

If a transition formula F admits a \( \textbf{WLPRF}\) (modulo the theory \(\textbf{LIRR}\)), then F terminates over \( \mathbb {Z} \).

Proof

We prove this by induction on the dimension n of \( \textbf{WLPRF}\) of F. The base case holds vacuously when \(n = 0\) since F is unsatisfiable, and the inductive case holds by Lemma 2.Ā Ā Ā \(\square \)

Note that Lemma 3 holds only for integer executions. Ben-Amram and Genaim [3] showed that existence of a weak lexicographic linear ranking function (LLRF) for a topologically closed linear formula implies existence of an LLRF for loop with real variables, but the argument fails for nonlinear formulas (even modulo \(\textbf{LIRR}\)). Consider the following \( \textbf{LIRR}\) transition formula over reals n,Ā z

$$ F \triangleq z \ge 0 \wedge n \ge 2 \wedge n' = 2 n \wedge z \ge z' \wedge nz' = nz - 1\ . $$

Then \( F \models z \ge 0 \wedge z \ge z' \), and also \( F \wedge z = z' \models \textit{false}\). Thus z does decrease at every iteration of F and its value is bounded from below. However, F does not terminate since the rate at which z decreases diminishes too quickly.

3 Polynomial Ranking forĀ \(\textbf{LIRR}\) Transition Formulas

In this section, we consider the problem of synthesizing polynomial ranking functions for transition formulas modulo \(\textbf{LIRR}\). Observe that for a transition formula \(F \in \textbf{TF}(X)\), the polynomial ranking functions \(\textbf{PRF}(F)\) of F can be decomposed as \(\textbf{PRF}(F) = \textit{Bounded}(F) \cap \textit{Decreasing}(F)\) where \(\textit{Bounded}(F)\) are the bounded and decreasing polynomials of F, respectively:

$$\begin{aligned} \textit{Bounded}(F) &\triangleq \left\{ p \in \mathbb {Q}[X] : F \models p \ge 0 \right\} \\ \textit{Decreasing}(F) &\triangleq \left\{ p \in \mathbb {Q}[X] : F \models p' \le p - 1 \right\} \end{aligned}$$

Thus, one approach to computing \(\textbf{PRF}(F)\) is to compute the sets of bounded and decreasing polynomials, and then take the intersection.

First, we observe that we can use this strategy to synthesize linear ranking functions using the primitives defined in Sect.Ā 2Footnote 3.

  • The convex polyhedron of degree-1 polynomials of \(\textit{Bounded}(F)\) can be computed as \(\texttt {linearize}(\texttt {consequence}(F,X))\),

  • The convex polyhedron of degree-1 polynomials of \(\textit{Decreasing}(F)\) can be computed as follows. Define \(f : \mathbb {Q}[X] \rightarrow \mathbb {Q}[X \cup X']\) to be the homomorphism mapping \(x \mapsto x-x'\), and observe that

    $$ \textit{Decreasing}(F) \cap \mathbb {Q}[X]^1 = \left\{ p \in \mathbb {Q}[X]^1 : F \models f(p) - 1 \ge 0 \right\} $$

    We proceed by first computing the polyhedron

    $$\begin{aligned} Q \triangleq \left\{ p + a : p \in \mathbb {Q}[X]^1, a \in \mathbb {Q}. F \models f(p) + a \ge 0 \right\} \end{aligned}$$

    as \(\texttt {linearize}(\texttt {inverse-hom}(\texttt {consequence}(F,X \cup X'), f))\). Then we intersect Q with the hyperplane consisting of linear polynomials with constant coefficient -1, and then take the Minkowski sum with the singleton \(\left\{ 1 \right\} \) to get \(\textit{Decreasing}(F) \cap \mathbb {Q}[X]^1\).

The essential difficulty of adapting this strategy to find polynomial ranking functions of unbounded degree is that the function \(g : \mathbb {Q}[X] \rightarrow \mathbb {Q}[X \cup X']\) mapping \(p \mapsto p'-p\) is not a homomorphism (the function f defined above agrees with g on linear polynomials, but not on polynomials of greater degree).

Our method proceeds as follows. As we will later see in AlgorithmĀ 2, we can adapt the above strategy to compute the intersection of \(\textbf{PRF}(F)\) with some ā€œtemplate languageā€ \(\left\{ a_1p_1 + \dots + a_np_n : a_1,\dots ,a_n \in \mathbb {Q} \right\} \) for fixed polynomials \(p_1,\dots ,p_n\). Our insight is to use the cone generators of \(\textit{Bounded}(F)\) to define \(p_1,\dots ,p_n\). This yields a ranking function synthesis procedure that, in general, is sound but incomplete; however, it is complete under the assumption that F is zero-stable. In Sect.Ā 3.1 we define zero-stability and show that assuming zero-stability is essentially without loss of generality, and in Sect.Ā 3 we define a procedure for computing \(\textbf{PRF}(F)\) for zero-stable F.

3.1 Zero-Stable Transition Formulas

Consider a transition formula F defined as

$$\begin{aligned} F \triangleq x = 0 \wedge y \ge 0 \wedge (x')^2 = y - y' - 1 \ . \end{aligned}$$

Observe that \(F \models x = 0\). F has a PRF \(x^2 + y\), but itā€™s hard to find in the sense that itā€™s not a linear combination of the generators of \(\textit{Bounded}(F)\) (x, \(-x\), and y). But when \(x' \ne 0\), the loop terminates immediately. Thus we can consider the restriction \(F \wedge x' = 0\), which admits the linear ranking function y. The zero-stable restriction process we introduce below formalizes this process.

We define a transition formula \( F \in \textbf{TF}(X) \) to be zero-stable if for all polynomials \( p \in \mathbb {Q}[X] \) such that \( F \models p = 0 \), it is the case that \( F \models p' = 0 \). We give an algorithm for computing the weakest zero-stable transition formula that entails the original formula in AlgorithmĀ 1, and we note that the algorithm preserves termination behavior (Lemma 4).

Algorithm 1
figure d

The zero-stable restriction of a transition formula.

Full size image

Lemma 4

Let F be an \(\textbf{LIRR}\) transition formula, and

$$ \hat{F} \triangleq \texttt {zero-stable-restrict}\,(F) \ . $$
  1. 1.

    AlgorithmĀ 1 computes the weakest zero-stable formula that entails F.

  2. 2.

    F terminates iff \( \hat{F} \) terminates.

Proof

Let \(F^{(k)}\) and \(Z^{(k)}\) denote the value of F and Z after the k-th iteration of the loop in AlgorithmĀ 1, respectively.

We first prove 1. Clearly, if AlgorithmĀ 1 terminates at some iteration n, then \(\hat{F} = F^{(n)}\) is zero stable and entails F. It remains to show that (a) \(F^{(n)}\) is the weakest such formula, and (b) the algorithm terminates.

  1. (a)

    We show by induction that for any zero-stable formula G that entails F, it is the case that \(G \models F^{(k)}\) for all k. The base case holds by assumption, since \(G \models F = F^{(0)}\). Now suppose that \(G \models F^{(k)}\), and we wish to show that \(G \models F^{(k+1)}\). Since for each \(z \in Z^{(k)}\) we have \(G \models F^{(k)} \models z = 0\), and G is zero-stable, we know \(G \models z' = 0\). It follows \(G \models (F^{(k)} \wedge \bigwedge _{z \in Z^{(k)}} z' = 0) = F^{(k+1)}\).

  2. (b)

    We show that AlgorithmĀ 1 terminates. Suppose that it does not. Then \(\left\langle Z^{(0)} \right\rangle \subsetneq \left\langle Z^{(1)} \right\rangle \subsetneq \cdots \) forms an infinite strictly ascending chain of ideals of \(\mathbb {Q}[X]\), contradicting Hilbertā€™s basis theorem.

For 2, if F terminates then \(\hat{F}\) clearly also terminates since \(\hat{F} \models F\). To show that if \(\hat{F}\) terminates then F must also terminate, we prove by induction that for any \(k \ge 0\), \( F^{(k+1)} \) terminates implies that \( F^{(k)} \) terminates. We show this by arguing that any real execution of \( F^{(k)} \) is also one of \( F^{(k+1)} \). Let \(v_0, v_1, \dots \) be an execution of \(F^{(k)}\). It is sufficient to show that \(v_{i} \rightarrow _{F^{(k+1)}} v_{i+1}\) for all i. Since \(v_{i+1} \rightarrow _{F^{(k)}} v_{i+2}\), we must have \(z(v_{i+1}) = 0\) for all \(z \in Z^{(k)}\), and so since \(F^{(k+1)} = F^{(k)} \wedge \bigwedge _{z \in Z^{(k)}} z' = 0\) we have \(v_{i} \rightarrow _{F^{(k+1)}} v_{i+1}\). Ā Ā Ā \(\square \)

Example 1

Consider running AlgorithmĀ 1 on a transition formula F

$$ F: x = 0 \wedge y \ge 0 \wedge y' = -(x')^2 + y - 1 + z' \wedge z = x' \ . $$

In the first iteration of the loop, we discover a zero consequence x of F: \(F \models x = 0\), and we then constrain the transition formula to be \(F \wedge x' = 0\). Now since \(F \models z = x'\), we get a new zero consequence z: \(F \wedge x' = 0 \models z = 0 \). We thus further constrain the transition formula to be \(F \wedge x' = 0 \wedge z' = 0 \). After adding these constraints, we can no longer find new zero consequences, and the resulting transition formula

$$\begin{aligned} F \wedge x' = 0 \wedge z' = 0 \equiv x = z = x' = z' = 0 \wedge y' = y - 1 \wedge y \ge 0 \end{aligned}$$

is zero-stable.

3.2 Complete Polynomial Ranking Function Synthesis

Assuming that a transition formula is zero-stable allows us to ignore polynomials in the ideal \(\left\langle Z \right\rangle = \left\{ p \in \mathbb {Q}[X] : F \models p = 0 \right\} \) when synthesizing polynomial ranking functions, in the following sense. Suppose there exists \(r \in \textbf{PRF}(F)\) a polynomial ranking function for F, where \(\left\langle Z,P \right\rangle = \texttt {consequence}\,(F, X)\). We can write r as \(r = z+p\) with \(z \in \left\langle Z \right\rangle \) and \(p \in \textit{cone}(P)\). Since F is zero-stable, we have \(F \models p' \le p - 1\), thus some polynomial in \(\textit{cone}(P)\) is decreasing. Thus, it is sufficient to search for decreasing polynomials in \(\textit{cone}(P)\). AlgorithmĀ 2 computes the complete set of \(\textbf{PRF}\) for zero-stable transition formulas, which is illustrated in the example below.

Algorithm 2
figure e

Computing \( \textbf{PRF}\) for zero-stable transition formulas. We use notation \( p[y \mapsto z_y: y \in S] \) to denote substitution of all variables \( y \in S \) with \( z_y \) in a polynomial p.

Full size image

Example 2

Consider running AlgorithmĀ 2 on a (zero-stable) transition formula

$$\begin{aligned} F: &\quad \, nx \ge 0 \wedge n \ge 0 \wedge n' = n \wedge x \ge 0 \wedge z \ge 1\\ &\wedge ((z' = z - 1 \wedge x' = x ) \vee (x' = x - 1 \wedge z' = z + n - 1) ) \ . \end{aligned}$$

The bounded polynomials of F (Line 1) is the algebraic cone defined by \(Z = \left\{ \emptyset \right\} \) and \(P = \left\{ nx, x, n, z -1, 1 \right\} \). Let \(Y = \left\{ t_{nx}, t_x, t_n, t_{z-1}, t_1 \right\} \) be a fresh set of variables, let f be the ring homomorphism such that

$$\begin{aligned} f(t_{nx}) &= nx - n'x' \\ f(t_x) &= x - x' \\ f(t_n) &= n - n' \\ f(t_{z-1}) &= (z-1) - (z'-1) = z - z' \\ f(t_1) &= 1 - 1 = 0 \end{aligned}$$

After Line 5, we obtain the polyhedron of linear polynomials in the inverse image of the nonnegative cone of F under f, which is defined by the rays \(R' = \left\{ t_n,-t_n,t_1,-t_1, t_{nx}+t_{z-1}-1, 1-t_{nx}-t_{z-1} \right\} \) and one vertex \(V'=\left\{ 0 \right\} \). The subset of \(\textit{V-rep}(R',V')\) of polynomials with nonnegative coefficients for variables and constant coefficient -1 (Line 7), is the polyhedron defined by rays \(R_Y = \left\{ t_{nx}, t_x, t_n, t_1 \right\} \), and vertices \(V_Y = \left\{ t_{nx} + t_{z-1} - 1 \right\} \). Finally, the algorithm returns the algebraic polyhedron with zeros \(Z = \emptyset \), positives \(R = \left\{ nx, x, n, 1 \right\} \), and vertices \(V = \left\{ nx + z \right\} \). Thus F has a non-empty set of polynomial ranking function modulo \(\textbf{LIRR}\) (e.g., it contains \(nx+z\)), and so we may conclude that F terminates over the reals.

We are then ready to prove the correctness of AlgorithmĀ 2.

Theorem 1

(Soundness and completeness of AlgorithmĀ 2). For any zero-stable transition formula F

$$ \textbf{PRF}(F) = \textit{alg.polyhedron}\,(\texttt {prf-zero-inv}\,(F))\ . $$

Proof

Let \(Z, P, Y, f, R', V', R_L, V_L, R_Y, V_Y, R, V \) be as in AlgorithmĀ 2. Let \(s: \mathbb {Q}[Y] \rightarrow \mathbb {Q}[X]\) be the homomorphism mapping \(y_p \mapsto p\) (corresponding to the substitution on lines 8-9). Observe that for any linear combination of the Y variables \(q = \sum _{p \in P} a_p y_p\), we have

$$\begin{aligned} f(q) = \sum _{p \in P} a_p f(y_p) = \sum _{p \in P} a_p (p - p') = \left( \sum _{p \in P} a_p p\right) - \left( \sum _{p \in P} a_p p'\right) = s(q) - s(q)'\ . \end{aligned}$$

By definition (line 5), we have \(\textit{V-rep}(R_Y, V_Y) = \left\{ q \in \mathbb {Q}[Y]^1 : F \models f(q) \ge 0 \right\} \) and (line 6) \(\textit{V-rep}(R_L,V_L) = \textit{cone}(Y) + \left\{ -1 \right\} \). It follows that the intersection of these two polyhedra (line 7) is

$$\begin{aligned} \textit{V-rep}(R_Y,V_Y) = \left\{ q - 1 : q \in \textit{cone}(Y), F \models s(q) - s(q)' - 1 \ge 0 \right\} \ . \end{aligned}$$

Then by the construction of R and V (lines 7-8) we have

$$\begin{aligned} \textit{V-rep}(R,V) = \left\{ s(q) : q \in \textit{cone}(Y), F \models s(q) - s(q)' - 1 \ge 0 \right\} \ . \end{aligned}$$

Letting \(K = \textit{V-rep}(R,V)\), we must show that \(\textbf{PRF}(F) = \left\langle Z \right\rangle + K\). We prove inclusion in both directions.

\(\subseteq \):

Let \(r \in \textbf{PRF}(F)\). Then we have \(F \models r \ge 0\) and \(F \models r - r' - 1 \ge 0\). Since \(F \models r \ge 0\) and \(\textit{alg.cone}\,(Z,P) = \textbf{C}_{X}\!\left( F\right) \), we have we have \(r = z + p\) for some \(z \in \left\langle Z \right\rangle \) and \(p \in \textit{cone}(P)\). To show \(r = z + p \in \left\langle Z \right\rangle + K\), it is sufficient to show \(p \in K\). Write p as \(\left( \sum _{t \in P} c_t t\right) \) for some \(\left\{ c_t \right\} _{t \in P} \subseteq \mathbb {Q}^{\ge 0}\). Let \(q = \left( \sum _{t \in P} c_t y_t\right) \). Then we have \(s(q) = p\) and \(q \in \textit{cone}(Y)\), so it is sufficient to show that \(F \models s(q) - s(q') - 1 \ge 0\), or equivalently \(F \models p - p' - 1\). Since \(F \models z = 0\) and F is zero-invariant, we have \(z' = 0\). Since \(F \models r - r' - 1 \ge 0\) by assumption, we have \(F \models (z + p) - (z' + p') - 1 \ge 0\) and so \(F \models p - p' - 1 \ge 0\).

\(\supseteq \):

Let \(r \in \left\langle Z \right\rangle + K\). Then we may write r as \(z+k\) for some \(z \in \left\langle Z \right\rangle \) and \(k \in K\). By the definition of K, we have \(k = s(q)\) for some \(q \in \textit{cone}(Y)\) such that \(F \models s(q) - s(q)' - 1 \ge 0 \equiv k - k' - 1 \ge 0\). Since \(q \in \textit{cone}(Y)\) we have \(k = s(q) \in \textit{cone}(P)\) and so \(F \models k \ge 0\) and thus \(F \models z + k \ge 0\), so r is bounded. Since \(F \models k - k' - 1 \ge 0\), \(F \models z = 0\), and F is zero-stable, we have \(F \models (k+z) - (k'-z') - 1\), so r is decreasing. Since r is bounded and decreasing, \(r \in \textbf{PRF}(F)\). Ā Ā Ā \(\square \)

Example 3

Even though AlgorithmĀ 2 is complete for synthesizing \(\textbf{PRF}\)s modulo \(\textbf{LIRR}\), it does not find all \(\textbf{PRF}\)s with respect to the standard model. Consider

$$ F \triangleq x \ge 1 \wedge y \ge 1 \wedge ((x' = 2x \wedge y' = y/2 - 1) \vee (x' = x/2 - 1 \wedge y' = 2y)) $$

which admits the \(\textbf{PRF}\) xy since \(F \models _{\mathbb {R}} xy \ge 1 \wedge x'y' \le xy - 1\). However the algorithm will not find this \(\textbf{PRF}\) since we cannot derive \(F \models _{\textbf{LIRR}} xy \ge 1\) due to the fact that \(\textbf{LIRR}\) lacks axioms governing the relationship between multiplication and the order relation [18].

3.3 Proving Termination Through Polynomial Ranking Functions

This section shows how to combine the previous two subsections into a end-to-end termination analysis, which is (1) complete in the sense that it succeeds whenever the input formula has a polynomial ranking function, and (2) monotone in the sense that if \(F \models G\) and the analysis finds a termination argument for G, then it can also find one for F.

Our analysis is presented in AlgorithmĀ 3, which operates by first computing a zero-stable formula and then invoking AlgorithmĀ 2 to check if it has at least one polynomial ranking function.

Algorithm 3
figure f

Proving termination through zero-stable restriction and \( \textbf{PRF}\) synthesis.

Full size image

Theorem 2

(Completeness). If F has a polynomial ranking function (modulo \(\textbf{LIRR}\)), then AlgorithmĀ 3 returns \(\textit{true}\) on F.

Proof

Suppose F has r as a \( \textbf{PRF}\). Since \(\hat{F}=\texttt {zero-stable-restrict}\,(F)\) entails F (Lemma 4), r is also a \( \textbf{PRF}\) of \( \hat{F} \). Letting \(\left\langle Z, P, V \right\rangle = \texttt {prf-zero-inv}\,(\hat{F}) \), we have \(r \in \textit{alg.polyhedron}\,(Z,P,V)\) by Theorem 1, and so V is non-empty, and AlgorithmĀ 3 returns true. Ā Ā Ā \(\square \)

Example 4

The reverse of Theorem 2 does not hold. Due to zero-stable restriction, AlgorithmĀ 2 can even prove termination of loops that do not admit \(\textbf{PRF}\)s even in the standard model. For example, it can prove termination of \(F \triangleq x = 0 \wedge x' \ne 0\) since its zero-stable restriction is unsatisfiable. To see that F does not admit any \(\textbf{PRF}\), suppose for a contradiction that it has r as a \(\textbf{PRF}\). But this is impossible since there exists \(x'\) such that \(r(x') > r(0) - 1\) due to the continuity of r.

The completeness of the ranking function synthesis procedures leads to several desirable properties of behavior of the resulting termination analysis, one of which is monotonicity, i.e., if the analysis succeeds on a transition formula G, then it is guaranteed to succeed on a stronger one F. Further, monotone termination analysis on loops can be lifted to monotone whole-program analysis by the framework presented by Zhu et al. [26].

Corollary 1

(Monotonicity). If \(F \models G\) and \(\texttt {terminate-PRF}\)Ā (G) returns \(\textit{true}\), then \(\texttt {terminate-PRF}\)Ā (F) returns \(\textit{true}\).

4 Lexicographic Polynomial Ranking forĀ Integer Transitions

In this section, we show how to synthesize lexicographic polynomial ranking functions. The strategy (inspired by [3]) is based on the connection between \(\textbf{WLPRF}\) and quasi-ranking functions. We can describe the set of quasi-ranking functions as the intersection of the sets of bounded and non-increasing polynomials of F:

$$\begin{aligned} \textbf{QPRF}(F) = \textit{Bounded}(F) \cap \textit{Noninc}(F) \end{aligned}$$

where

$$\begin{aligned} \textit{Bounded}(F) &\triangleq \left\{ p \in \mathbb {Q}[X] : F \models p \ge 0 \right\} \\ \textit{Noninc}(F) &\triangleq \left\{ p \in \mathbb {Q}[X] : F \models p \ge p' \right\} \ . \end{aligned}$$

In the following, we first show how to synthesize \(\textbf{QPRF}\)s (Sect.Ā 4.1), using which we are able to synthesize \(\textbf{WLPRF}\)s (Sect.Ā 4.2) to prove termination. Similar to Sect.Ā 3, we need to compute zero-stable restriction of transition formulas to make sure that the set of ranking arguments found is complete.

4.1 Synthesizing Polynomial Quasi-Ranking Functions

AlgorithmĀ 4 finds all \( \textbf{QPRF}\)s for a zero-stable transition formula F, using a variation of our strategy for finding \(\textbf{PRF}\)s.

Algorithm 4
figure g

Computing \( \textbf{QPRF}\) for zero-stable transitions.

Full size image

Theorem 3

(Soundness and completeness of AlgorithmĀ 4). Suppose F is a zero-stable transition formula. Then

$$ \textbf{QPRF}(F) = \textit{alg.cone}\,(\texttt {qprf-zero-stable}\,(F)) \ . $$

Proof

Let \(Z, P, Y, f, R, V, P_X\) be as in AlgorithmĀ 4. Let \(s: \mathbb {Q}[Y] \rightarrow \mathbb {Q}[X]\) be the homomorphism mapping \(y_p \mapsto p\) (corresponding to the substitution on line 6), and observe that for any linear combination of the Y variables \(q = \sum _{p \in P} a_p y_p\), we have \(f(q) = s(q) - s(q)'\) (as in TheoremĀ 1). By construction (lines 5-8) we have

$$\begin{aligned} \textit{cone}(P_X) = \left\{ s(q) : q \in \textit{cone}(Y), F \models f(q) \ge 0 \right\} \ , \end{aligned}$$

which by the above observation can be written equivalently as

$$\begin{aligned} \textit{cone}(P_X) = \left\{ s(q) : q \in \textit{cone}(Y), F \models s(q) - s(q)' \ge 0 \right\} \ . \end{aligned}$$

Since \(\left\{ s(q) : q \in \textit{cone}(Y) \right\} \) is precisely \(\textit{cone}(P)\), we have

$$\begin{aligned} \textit{cone}(P_X) = \left\{ p \in \textit{cone}(P): F \models p - p' \ge 0 \right\} \end{aligned}$$

We must show that \(\textbf{QPRF}(F) = \left\langle Z \right\rangle + \textit{cone}(P_X)\). We prove inclusion in both directions.

\(\subseteq \):

Let \(r \in \textbf{QPRF}(F)\). Since \(F \models r \ge 0\) and \(\textit{alg.cone}\,(Z,P) = \textbf{C}_{X}\!\left( F\right) \), we must have \(r = z + p\) for some \(z \in \left\langle Z \right\rangle \) and \(p \in \textit{cone}(P)\). It is sufficient to show that \(p \in \textit{cone}(P_X)\). Since F is zero-stable and \(F \models z = 0\), we have \(F \models z - z' = 0\) and so we must have \(F \models p - p' \ge 0\). It follows from the above that \(p \in \textit{cone}(P_X)\).

\(\supseteq \):

Since \(\textbf{QPRF}(F)\) is a cone it is closed under addition, so it is sufficient to prove that \(\left\langle Z \right\rangle \subseteq \textbf{QPRF}(F)\) and \(\textit{cone}(P_X) \subseteq \textbf{QPRF}(F)\). Since F is zero-stable, we have \(\left\langle Z \right\rangle = \left\{ z \in \mathbb {Q}[X] : F \models z = 0 \right\} \subseteq \textbf{QPRF}(F)\). Since \(\textit{cone}(P_X) = \left\{ p \in \textit{cone}(P): F \models p - p' \ge 0 \right\} \), we have that each \(p \in \textit{cone}(P)\) is both bounded (\(p \in \textit{cone}(P)\)) and non-increasing (\(F \models p - p' \ge 0\)), and thus belongs to \(\textbf{QPRF}(F)\). Ā Ā Ā \(\square \)

Ā Ā Ā \(\square \)

4.2 Lexicographic Polynomial Ranking Functions

Given AlgorithmĀ 1 for computing zero-stable restrictions and AlgorithmĀ 4 for finding \( \textbf{QPRF}\)s, we present AlgorithmĀ 5 for proving termination by finding \(\textbf{WLPRF}\)s.

Algorithm 5
figure h

Proving termination by synthesizing lexicographic polynomial ranking functions.

Full size image

Ignoring the effects of zero-stable restriction, AlgorithmĀ 5 iteratively computes a sequence of algebraic cones that represent all \(\textbf{QPRF}\)s, and finally checks if all transitions in F have been ranked.

Example 5

Consider the transition formula

$$\begin{aligned} F: x - xy \ge 0 \wedge y \ge 0 \wedge ((x' = x \wedge y' = y - 1) \vee (y \ge 1 \wedge x' = x - 1 \wedge y' = y)) \end{aligned}$$

(which has a dimension-2 \(\textbf{WLPRF}\) \(\left\langle y, x-xy \right\rangle \)). The following table depicts the execution of AlgorithmĀ 5, displaying a (simplified) transition formula F, zero polynomials Z, and positive polynomials P after each iteration of the loop, culminating in \(F=\textit{false}\), which indicates that F terminates.

Ā 

F

Z

P

Before

\(\begin{aligned} &\quad \, x - xy \ge 0 \wedge y \ge 0\\ &\wedge ((x' = x \wedge y' = y - 1)\\ &\quad \, \vee (y \ge 1 \wedge x' = x - 1 \wedge y' = y)) \end{aligned}\)

\(\emptyset \)

-

Iter 1

\(\begin{aligned} &\quad \, x - xy \ge 0 \wedge y \ge 0\\ &\wedge (y\ge 1 \wedge x' = x - 1 \wedge y' = y)) \end{aligned}\)

\(\emptyset \)

\(\left\{ y \right\} \)

Iter 2

\(\textit{false}\)

\(\emptyset \)

\(\left\{ y, x-xy \right\} \)

Theorem 4

(Correctness of AlgorithmĀ 5). AlgorithmĀ 5 is a terminating procedure, and for any transition formula F for which \(\texttt {terminate-lprf}\,(F) = \textit{true}\), we have that F terminates over the integers.

Proof

Let \( F^{(k)}, Z^{(k)}, P^{(k)} \) denote the values of F, Z, and P at the beginning of k-th iteration of the loop in AlgorithmĀ 5. We first prove termination of the algorithm. Suppose the loop does not terminate, then \(\left\langle Z^{(k+1)} \right\rangle \supsetneq \left\langle Z^{(k)} \right\rangle \) for all iterations k. We have thus obtained an infinite and strictly ascending chain of ideals in the polynomial ring \( \mathbb {Q}[X \cup X'] \), contradicting Hilbertā€™s basis theorem.

Now we show that if AlgorithmĀ 5 returns \(\textit{true}\), all integer executions of F terminate. We prove this by induction on n, the number of times the loop runs in AlgorithmĀ 5. The base case holds when \(n = 1\) since the zero-stable restriction of F being unsatisfiable modulo \(\textbf{LIRR}\) implies that F terminates. Suppose that the proposition is true for \(n \ge 1\) and we want to prove the case of \((n+1)\). Consider the first iteration of the loop in AlgorithmĀ 5. For convenience, we use F to denote \(F^{(1)}\), \(\hat{F}\) to denote the zero-stable restriction of F, and \(F'\) to denote \(F \wedge \bigwedge _{z \in Z^{(1)}} z' = z \wedge \bigwedge _{p \in P^{(1)}} p' = p\). By the inductive hypothesis, \(F'\) terminates. Suppose for a contradiction that F does not terminate. By Lemma 4 we know \(\hat{F}\) also does not terminate. Define \(r = \sum _{p \in P^{(1)}} p\), then \(r \in \textbf{QPRF}(\hat{F})\) due to Theorem 3. By Lemma 2, \(\hat{F} \wedge r' = r\) has an infinite integer execution \(x_0, x_1, \dots \) since \(\hat{F}\) has one. Let \(i \in \mathbb {N}\) be arbitrary. Since \(x_i \rightarrow _{\hat{F} \wedge r' = r} x_{i+1}\), we know that \( \sum _{p \in P^{(1)}} p(x_{i+1}) - p(x_i) = 0\). This is a sum of nonpositive terms because \(p(x_{i+1}) \le p(x_i)\) holds for any \(p \in P^{(1)}\) due to \(p \in \textbf{QPRF}(\hat{F})\). Thus for all \(p \in P^{(1)}\), it holds that \(p(x_{i+1}) = p(x_i)\). Since \(\hat{F}\) is zero-stable, we have that \(z(x_{i+1}) = z(x_i) = 0\) for all \(z \in Z^{(1)}\). Thus we have \(x_i \rightarrow _{F'} x_{i+1}\) and subsequently \(x_0, x_1, \dots \) is an infinite integer execution of \(F'\), contradicting the inductive hypothesis that \(F'\) terminates. Ā Ā Ā \(\square \)

The following theorem states that even though we operate modulo \(\textbf{LIRR}\), we have a guarantee on the capability of the ranking functions synthesized that it is no less powerful than LLRF modulo the standard linear integer arithmetic, under mild assumptions.

Theorem 5

(Subsumption of LLRFs). If \(F \in \textbf{TF}(X)\) is a negation-free formula involving only linear polynomials and F has an LLRF modulo linear integer arithmetic (\({\textbf {LIA}}\)), then \(F \wedge \bigwedge _{x \in (X \cup X')} \textit{Int}\,(x)\) has a \(\textbf{WLPRF}\) modulo \(\textbf{LIRR}\).

Proof

We first prove a lemma as follows. Let F(Y) be a ground, negation-free, \({\textbf {LIA}}\) transition formula over variable set Y. Then for any affine term r over Y, if \(F \models _{{\textbf {LIA}}} r \ge 0\) then \(F \wedge \bigwedge _{y \in Y} \textit{Int}\,(y) \models _{\textbf{LIRR}}r \ge 0\). (The proof is similar to Theorem 8 in [18]. Without loss of generality we assume F is a conjunctive formula. Suppose \(F \models _{{\textbf {LIA}}} r \ge 0\). By [11, 24] there is a cutting-plane proof of \(r \ge 0\) from F. Since each inference rule in a cutting-plane proof is valid \(\textbf{LIRR}\), we have that \(F \wedge \bigwedge _{y \in Y} \textit{Int}\,(y) \models _{\textbf{LIRR}}r \ge 0\).)

Suppose that \({\textbf {LIA}}\) formula F admits an LLRF \(r_1, \dots , r_n\) of dimension n, then \(F \models _{{\textbf {LIA}}} r_i \ge 0\) for each i (bounded), \(F \wedge \bigwedge _{j=1}^{i-1} r_j' = r_j \models _{{\textbf {LIA}}} r_i' \le r_i\) for each i (decreasing), and \(F \wedge \bigwedge _{j=1}^n r_j' = r_j \models _{{\textbf {LIA}}} \textit{false}\) (coverage). Since the left hand side of all the implications listed above contains ground linear formulas without negation and the right hand side all contains linear inequalities (with \(\textit{false}\) being interpreted as \(0 \le -1\)), these implications also hold modulo \(\textbf{LIRR}\) by the lemma. Therefore, \(r_1, \dots , r_n\) is a \(\textbf{WLPRF}\) of F. Ā Ā Ā \(\square \)

AlgorithmĀ 5 is also complete w.r.t. the existence of \(\textbf{WLPRF}\)s, since it finds a \(\textbf{WLPRF}\) if there exists one for the transition formula. Moreover, it is optimal in terms of the dimension of the \(\textbf{WLPRF}\) found.

Theorem 6

(Completeness of AlgorithmĀ 5 w.r.t. \(\textbf{WLPRF}\)). If a transition formula F admits a \( \textbf{WLPRF}\) of dimension N, then \(\texttt {termination-lprf}\,(F)\) returns \(\textit{true}\) and AlgorithmĀ 5 terminates in no more than N iterations.

Proof

Suppose that \( r_1, \dots , r_N \) is a \(\textbf{WLPRF}\) for F. Let \(F^{(k)}\) denote the value of F after the kth iteration of the while loop in AlgorithmĀ 5, with the convention that if the loop exits after m iterations then \(F^{(m)} = F^{(m+1)} = \cdots \). For any k, let

We prove that \(r_i \in \textit{alg.cone}\,(Z^{(i)},P^{(i)})\) for all i, by induction on i. For the base case, \(r_1\) is a quasi ranking function for F and so also a quasi ranking function for the zero-stable restriction F, and thus \(r_1 \in \textit{alg.cone}\,(Z^{(1)},P^{(1)})\). For the inductive step, we have \(r_j \in \textit{alg.cone}\,(Z^{(j)},P^{(j)})\) for all \(j \le i\), and we must prove \(r_{i+1} \in \textit{alg.cone}\,(Z^{(i+1)},P^{(i+1)})\). By the inductive hypothesis, we have \(r_1,\dots ,r_i \in \textit{alg.cone}\,(Z^{(i)},P^{(i)})\). It follows that \(F^{(i+1)} \models F^{(i)} \wedge \bigwedge _{j=1}^i r_j' - r_j\), so by the (Decreasing) condition of \(\textbf{WLPRF}\), \(r_{i+1}\) is a quasi ranking function of \(F^{(i)}\). It follows that \(r_{i+1}\) is a quasi ranking function of , and thus \(r_{i+1}\) belongs to \(\textit{alg.cone}\,(Z^{(i+1)},P^{(i+1)})\).

By the (Coverage) condition of \(\textbf{WLPRF}\), we have that \(F \wedge \bigwedge _{j=1}^N r_j' = r_j\) is unsatisfiable. Since for each j we have

$$\begin{aligned} r_j \in \textit{alg.cone}\,(Z^{(j)},P^{(j)}) \subseteq \textit{alg.cone}\,(Z^{(N)},P^{(N)}) \end{aligned}$$

we must have that \(F^{(N)}\) is unsatisfiable, and so \(F^{(N)} \models 1 = 0\), and thus \(\texttt {termination-lprf}\,(F)\) returns \(\textit{true}\). Ā Ā Ā \(\square \)

Corollary 2

(Monotonicity of AlgorithmĀ 5). Let F and G be transition formulas with \( F \models G \). If \( \texttt {termination-lprf}\,(G) = \textit{true}\), then it is guaranteed that \( \texttt {termination-lprf}\,(F) = \textit{true}\).

5 Evaluation

We consider two key research questions in the experimental evaluation. First, how does the proposed technique perform in proving termination of linear or nonlinear programs comparing to existing tools, in terms of running time and the number of tasks solved. We thus compare the proposed techniques with other sound and static provers for termination. In particular, we compare against Ultimate Automizer [15, 16] and 2LS [9], which are the top two sound tools in the Termination category in the 12th Competition on software verification (SV-COMP 2023). We also report a qualitative comparison with the dynamic tool DynamiTe [19]. Second, we have shown in Theorem 5 that LPRF subsumes LLRF synthesis for proving termination under certain assumptions, but we would like to understand the performance overhead of our more general procedure. We compare with the LLRF synthesis procedure implemented in ComPACT [26].

Implementation. We implement polynomial ranking functions synthesis (Sect.Ā 3) and lexicographic polynomial ranking function synthesis (Sect.Ā 4) as two mortal precondition operators (i.e., an operator that takes in a transition formula representing a single loop and outputs sufficient terminating conditions for that loop) in the ComPACT termination analysis framework [26], also utilizing the \(\textbf{LIRR}\) solver, consequence finding, inverse homomorphism, and nonlinear invariant generation procedures from Kincaid et al. [18]. Given any loop, we first try synthesizing polynomial ranking functions, and only attempt to synthesize lexicographic polynomial ranking function upon failure. Our implementation is denoted by ā€œLPRFā€ in the tables. We have also combined our technique with phase analysis, a technique for improving termination analyzers by analyzing phase transition structures implemented in ComPACT [26].

Environment. We ran all experiments in a virtual machine with Lubuntu 22.04 LTS (kernel version 5.12) with a CPU of Intel Core i7-9750H @ 2.60Ā GHz and 8 GB of memory. The SV-COMP 2023 binaries of Ultimate Automizer v0.2.2-2329fc70 and 2LS version 0.9.6-svcomp23 are used in the experiments. All tools were run under a time limit of 2Ā min.

Benchmarks. We collected tasks from the SV-COMP 2023 Termination benchmarks. Since the focus of the proposed technique is to prove termination of nonlinear programs, we divide the tasks into two suites according to whether they require nonlinear reasoning. The linear suite consists of terminating and nonrecursive integer programs from the Termination-MainControlFlow subcategory in the SV-COMP, excluding the termination-nla folder. The nonlinear suite contains terminating programs without overflowFootnote 4 in the termination-nla folder. This suite was originally presented in [19] and contains only integer programs.

Table 1. Experimental results on termination verification benchmarks comparing our technique (LPRF) with lexicographic linear ranking function (LLRF) synthesis, both techniques with phase analysis (+\(\Phi \)), as well as ComPACT, Ultimate Automizer, and 2LS. The #c row counts the number of solved tasks, t reports total running time in seconds, excluding timeouts (# timeouts in parentheses).
Full size table
Fig. 1.
figure 1

Linear benchmarks.

Full size image
Fig. 2.
figure 2

Nonlinear benchmarks. 2LS cannot solve any task in the suite and is thus omitted in the plot.

Full size image

Comparing Against Sound and Static Analyses. The results of running all experiments are presented in TableĀ 1. For the nonlinear suite, our proposed techniques for synthesizing polynomial ranking functions and lexicographic ranking arguments perform significantly better than the current static analysis tools in terms of both number of tasks proved and running speed. Our technique subsumes linear lexicographic ranking function synthesis for a large class of integer variable programs, and thus remains competitive for the linear suite. We see that there is a moderate slowdown comparing to linear lexicographic ranking function synthesis implemented in ComPACT. As a top competitor in the SV-COMP, Ultimate Automizer proves the most tasks in the linear suite, while requiring more time to run compared to our techniques (see the cactus plots Figs.Ā 1 and 2).

Comparing Against DynamiTe. The DynamiTe paper [19] presents a dynamic technique that can guess and verify linear or quadratic ranking functions for nonlinear programs and proposes a benchmark suite termination-nla for termination of nonlinear programs. Due to hardware constraints, we could not reproduce the original evaluations for DynamiTe in our evaluation environment. Instead, we perform a comparison with the results reported in the paper. Since our tool is automated and sound but can only prove termination, we only count the terminating programs for which DynamiTe can automatically validate the discovered ranking functions. In the termination-nla suite, DynamiTe can learn the ranking function for most tasks (23 out of 26) but can only automatically validate 7 of them, whereas our static analysis technique LPRF is able to automatically prove 17. This observation demonstrates that verifying a given ranking function modulo nonlinear integer arithmetic is not only difficult in theory but remains challenging for modern arithmetic theory solvers. This provides additional motivation for the introduction of the weak arithmetic theory \(\textbf{LIRR}\) in this work.

6 Related Work

Ranking Function Synthesis. For linear loops, there are complete procedures for synthesizing particular classes of ranking functions such as linear [3, 23], lexicographic linear [3, 4], multi-phase [2], and nested [20]. For nonlinear loops, it is usually necessary to start with a template, e.g., polyranking functions based on a finite tree of differences between terms [5], or limiting the degree of the polynomial ranking functions to be considered [7, 19]. Other procedures for synthesizing (bounded-degree) polynomial ranking functions rely on semidefinite programming [13] and cylindrical algebraic decomposition [10], but we have not found implementations for these techniques to compare with experimentally. Chatterjee et al. [8] synthesizes polynomial ranking supermartingales for probabilistic programs through Positivestellensatz, which bears some resemblance to our approach based on \(\textbf{LIRR}\) consequence finding. One key advantage of our work comparing to previous work is the completeness and monotonicity guarantee.

Decision Procedures for Termination. The decision problem for termination of linear loops was introduced by Tiwari [25]. General procedures for loops over the reals was developed by Tiwari [25], over the rationals by Braverman [6], and over the integers by Hosseini et al. [17]. Time complexity for linear and lexicographic linear ranking function synthesis has also been studied [3]. For nonlinear loops, it has been shown that termination of certain restricted classes of single-path polynomial loops over the reals are decidable, e.g., when the guard is compact and connected [21], when the loop is triangular weakly nonlinear [14], when the guard is compact semi-algebraic and the body contains continuous semi-algebraic updates [22]. Additionally, Neumann et al. [22] presents a non-constructive method for reasoning about termination via polynomial ranking functions of unbounded degree. The authors have not found any work that handles polynomial loops over integers without assuming real relaxations.