Termination Analysis of Loops
Zohar Manna, with Aaron R. Bradley
Computer Science Department, Stanford University
Example: GCD Algorithm

$$\gcd(y_1, y_2) = \begin{cases} \gcd(y_1 - y_2,\; y_2) & \text{if } y_1 > y_2 \\ \gcd(y_1,\; y_2 - y_1) & \text{if } y_1 < y_2 \\ y_1 & \text{if } y_1 = y_2 \end{cases}$$

Example: $\gcd(77, 112) = \gcd(77, 35) = \gcd(42, 35) = \gcd(7, 35) = \gcd(7, 28) = \gcd(7, 21) = \gcd(7, 14) = \gcd(7, 7) = 7$.
Example: GCD Program

    int gcd(int y1 > 0, int y2 > 0)
      while y1 ≠ y2 do
        if y1 > y2 then
          y1 := y1 − y2
        else
          y2 := y2 − y1
      done
      return y1

Abstract program:
$\Theta$: $\{y_1 \ge 1,\; y_2 \ge 1\}$
$\tau_1$: $\{y_1 \ge y_2 + 1\} \Rightarrow \{y_1' = y_1 - y_2,\; y_2' = y_2\}$
$\tau_2$: $\{y_2 \ge y_1 + 1\} \Rightarrow \{y_1' = y_1,\; y_2' = y_2 - y_1\}$
for $y_1, y_2 \in \mathbb{R}$.
Example: Termination of GCD

$\Theta$: $\{y_1 \ge 1,\; y_2 \ge 1\}$
$\tau_1$: $\{y_1 \ge y_2 + 1\} \Rightarrow \{y_1' = y_1 - y_2,\; y_2' = y_2\}$
$\tau_2$: $\{y_2 \ge y_1 + 1\} \Rightarrow \{y_1' = y_1,\; y_2' = y_2 - y_1\}$

$\delta(y_1, y_2) = y_1 + y_2$ is a ranking function, and $y_1 \ge 1 \land y_2 \ge 1$ is a loop invariant:
• $\delta$ is bounded from below: if $\tau_1$ or $\tau_2$ can be taken, $\delta(y_1, y_2) \ge 0$.
• $\delta$ decreases on each iteration: if $\tau_1$ or $\tau_2$ is taken, $\delta(y_1', y_2') \le \delta(y_1, y_2) - 1$.
Therefore, GCD terminates.

Goal: Find ranking functions and supporting invariants automatically.
Ranking Functions
Loops

Loop Abstraction: $L : \langle V, \Theta, T \rangle$, where (GCD instance on the right):
• variables $V$ range over $\mathbb{R}$ — GCD: $\{y_1, y_2\}$
• initial condition $\Theta$ is an assertion over $V$ — GCD: $y_1 \ge 1 \land y_2 \ge 1$
• transitions $\tau \in T$ are assertions $\tau(V, V')$ over $V \cup V'$ — GCD: $\{\tau_1, \tau_2\}$

Loop Validity: Assertion $\varphi$ is valid over loop $L$, written $L \models \varphi$, if $\varphi$ holds on all reachable states $S_L$ of $L$ (GCD: the reachable values of $(y_1, y_2)$). In practice, replace "$L \models$" with loop invariants (GCD: $y_1 \ge 1 \land y_2 \ge 1$).
Well-founded Relation

$(D, \prec)$: $\prec$ is well-founded if there is no infinite sequence $d_1, d_2, d_3, \ldots$ with $d_i \in D$ such that $(\forall i)\; d_i \succ d_{i+1}$ (where $d_2 \prec d_1 \Leftrightarrow d_1 \succ d_2$).

Examples:
• $(\mathbb{Z}^+, <)$
• $(\mathbb{R}^+, \prec_\epsilon)$ for $\epsilon > 0$, where $x \prec_\epsilon y \Leftrightarrow x \le y - \epsilon$
• $(\mathcal{L}, \prec)$ for lists $\mathcal{L}$, where $\ell_1 \prec \ell_2 \Leftrightarrow |\ell_1| < |\ell_2|$
Ranking Function

Consider loop $L : \langle V, \Theta, T \rangle$. $\delta : S_L \to \mathbb{R}$ is a ranking function of $L$ if
(Bounded) $(\forall \tau \in T)\quad L \models \tau(V, V') \to \delta(V) \ge 0$
(Ranking) $(\exists \epsilon > 0)(\forall \tau \in T)\quad L \models \tau(V, V') \to \delta(V') \le \delta(V) - \epsilon$

$\delta, \epsilon$ induce a well-founded relation over $S_L$: for $s, t \in S_L$, $s \prec t \Leftrightarrow \delta(s) \le \delta(t) - \epsilon$. Thus, $L$ always terminates.
Example: GCD

Prove $\delta(y_1, y_2) = y_1 + y_2$ is a ranking function for GCD.
• Take loop invariant $y_1 \ge 1 \land y_2 \ge 1$.
• Choose $\epsilon = 1$.

Bounded $\tau_1$:
$$\underbrace{y_2 \ge 1}_{\text{invariant}} \land \underbrace{y_1 \ge y_2 + 1}_{\text{guard of } \tau_1} \to y_1 + y_2 \ge 0$$

Ranking $\tau_1$:
$$\underbrace{y_2 \ge 1}_{\text{invariant}} \to \underbrace{(y_1 - y_2) + (y_2)}_{\text{substitution by } \tau_1} \le y_1 + y_2 - \underbrace{1}_{\epsilon}$$
Example: GCD

Bounded $\tau_2$:
$$\underbrace{y_1 \ge 1}_{\text{invariant}} \land \underbrace{y_2 \ge y_1 + 1}_{\text{guard of } \tau_2} \to y_1 + y_2 \ge 0$$

Ranking $\tau_2$:
$$\underbrace{y_1 \ge 1}_{\text{invariant}} \to \underbrace{(y_1) + (y_2 - y_1)}_{\text{substitution by } \tau_2} \le y_1 + y_2 - \underbrace{1}_{\epsilon}$$

The assertions are valid, so GCD always terminates.
Lexicographic Well-founded Relation

Given well-founded relations over domains $(D_1, \prec_1), (D_2, \prec_2), \ldots, (D_k, \prec_k)$, define the lexicographic well-founded relation $\prec$ over $D = D_1 \times D_2 \times \cdots \times D_k$: for $d = \langle d_1, d_2, \ldots, d_k \rangle,\; e = \langle e_1, e_2, \ldots, e_k \rangle \in D$,
$$d \prec e \;\Leftrightarrow\; (\exists i)\,[\, d_i \prec_i e_i \;\land\; (\forall j < i)\; d_j = e_j \,]$$
Pictorially: comparing $\langle d_1, \ldots, d_i, \ldots, d_k \rangle$ with $\langle e_1, \ldots, e_i, \ldots, e_k \rangle$, the components before position $i$ are equal ($=$), position $i$ is related by $\prec_i$, and the components after $i$ are unconstrained.
Lexicographic Ranking Function

Consider loop $L : \langle V, \Theta, T \rangle$. A tuple of functions $\delta : \langle \delta_1, \delta_2, \ldots, \delta_k \rangle$, where $\delta_i : S_L \to \mathbb{R}$, is a lexicographic ranking function for $L$ if there is a map $\pi : T \to \{1, \ldots, k\}$ such that
(Bounded) $(\forall \tau \in T)\quad L \models \tau(V, V') \to \delta_{\pi(\tau)}(V) \ge 0$
(Ranking) $(\exists \epsilon > 0)(\forall \tau \in T)\quad L \models \tau(V, V') \to \delta_{\pi(\tau)}(V') \le \delta_{\pi(\tau)}(V) - \epsilon$
(Nonincreasing) $(\forall \tau \in T)(\forall j < \pi(\tau))\quad L \models \tau(V, V') \to \delta_j(V') \le \delta_j(V)$
Induced Lexicographic Well-founded Relation

$\delta, \epsilon$ induce a lexicographic well-founded relation over $S_L$: for $s, t \in S_L$,
$$s \prec t \;\Rightarrow\; (\exists i)\,[\, \delta_i(s) \le \delta_i(t) - \epsilon \;\land\; (\forall j < i)\; \delta_j(s) \le \delta_j(t) \,]$$
Also, for any $\tau \in T$, if $\tau(t, s)$, then $s \prec t$. Thus, $L$ always terminates.
Example: McCarthy 91

For $n \in \mathbb{Z}^+$,
$$f(n) = \begin{cases} f(f(n + 11)) & \text{if } n \le 100 \\ n - 10 & \text{if } n > 100 \end{cases}$$
For every $1 \le n \le 92$, $f(n) = 91$, if it terminates. We prove termination for all $n \in \mathbb{Z}^+$.

Example: $f(89) = f(f(100)) = f(f(f(111))) = f(f(101)) = f(91) = f(f(102)) = \cdots = 91$
Example: Imperative McCarthy 91

    int f(int x)
      int s := 1
      while true do
        if x > 100 then
          if s = 1 then
            return x − 10
          else
            x := x − 10
            s := s − 1
        else
          x := x + 11
          s := s + 1
      done

Abstract program:
$\Theta$: $\{s = 1\}$
$\tau_1$: $\{x \ge 101,\; s \ne 1\} \Rightarrow \{x' = x - 10,\; s' = s - 1\}$
$\tau_2$: $\{x \le 100\} \Rightarrow \{x' = x + 11,\; s' = s + 1\}$
for $x, s \in \mathbb{R}$.
Example: McCarthy 91

Prove that
$$\langle\, \underbrace{10s - x + 90}_{\delta_1},\; \underbrace{x}_{\delta_2} \,\rangle$$
is a lexicographic ranking function for McCarthy 91, with $\pi(\tau_1) = 2$, $\pi(\tau_2) = 1$.
• Take loop invariant $s \ge 1$.
• Choose $\epsilon = 1$.

Show:
$\tau_1 \to \delta_2 \ge 0$, $\quad \tau_1 \to \delta_2' \le \delta_2 - \epsilon$, $\quad \tau_1 \to \delta_1' \le \delta_1$
$\tau_2 \to \delta_1 \ge 0$, $\quad \tau_2 \to \delta_1' \le \delta_1 - \epsilon$
Example: McCarthy 91

Bounded $\tau_1$ ($\pi(\tau_1) = 2$):
$$\underbrace{x \ge 101}_{\text{guard of } \tau_1} \to \underbrace{x}_{\delta_2} \ge 0$$

Ranking $\tau_1$ ($\pi(\tau_1) = 2$):
$$\underbrace{x \ge 101}_{\text{guard of } \tau_1} \to \underbrace{(x - 10)}_{\text{substitution into } \delta_2 \text{ by } \tau_1} \le \underbrace{x}_{\delta_2} - \underbrace{1}_{\epsilon}$$

Nonincreasing $\tau_1$ ($1 < \pi(\tau_1) = 2$):
$$\underbrace{x \ge 101}_{\text{guard of } \tau_1} \to \underbrace{10(s - 1) - (x - 10) + 90}_{\text{substitution into } \delta_1 \text{ by } \tau_1} \le \underbrace{10s - x + 90}_{\delta_1}$$
Example: McCarthy 91

Bounded $\tau_2$ ($\pi(\tau_2) = 1$):
$$\underbrace{s \ge 1}_{\text{invariant}} \land \underbrace{x \le 100}_{\text{guard of } \tau_2} \to \underbrace{10s - x + 90}_{\delta_1} \ge 0$$

Ranking $\tau_2$ ($\pi(\tau_2) = 1$):
$$\underbrace{10(s + 1) - (x + 11) + 90}_{\text{substitution into } \delta_1 \text{ by } \tau_2} \le \underbrace{10s - x + 90}_{\delta_1} - \underbrace{1}_{\epsilon}$$

The assertions are valid, so McCarthy 91 always terminates.
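The ranking-function checks on the GCD and McCarthy 91 slides are proved once over all states; the following added example (not from the slides) instead runs both abstract loops as state machines and checks Bounded, Ranking and Nonincreasing with $\epsilon = 1$ on every transition actually taken, so a wrong $\delta$ or $\pi$ fails loudly on a concrete state. Transition names, the dict-based states and the 0-based storage of $\pi$ are this example's own conventions.

```python
"""Constructed example (not from the slides): run the abstract GCD and
McCarthy 91 loops and check the Bounded, Ranking and Nonincreasing
conditions on every transition actually taken, with epsilon = 1."""

# A transition is (name, guard(state), update(state)); states are dicts.
GCD = [
    ("tau1", lambda s: s["y1"] >= s["y2"] + 1,
             lambda s: {"y1": s["y1"] - s["y2"], "y2": s["y2"]}),
    ("tau2", lambda s: s["y2"] >= s["y1"] + 1,
             lambda s: {"y1": s["y1"], "y2": s["y2"] - s["y1"]}),
]
GCD_DELTA = [lambda s: s["y1"] + s["y2"]]   # delta(y1, y2) = y1 + y2
GCD_PI = {"tau1": 0, "tau2": 0}             # one component, 0-based index

MC91 = [
    ("tau1", lambda s: s["x"] >= 101 and s["s"] != 1,
             lambda s: {"x": s["x"] - 10, "s": s["s"] - 1}),
    ("tau2", lambda s: s["x"] <= 100,
             lambda s: {"x": s["x"] + 11, "s": s["s"] + 1}),
]
# <delta1, delta2> = <10 s - x + 90, x>; pi(tau1) = 2, pi(tau2) = 1 on the
# slides, stored 0-based here.
MC91_DELTA = [lambda s: 10 * s["s"] - s["x"] + 90, lambda s: s["x"]]
MC91_PI = {"tau1": 1, "tau2": 0}

def run_and_check(transitions, delta, pi, state, eps=1, max_steps=100_000):
    """Run the loop from `state` until no transition is enabled.  Returns
    (steps, final_state); raises AssertionError at the first transition
    that violates a ranking-function condition."""
    for step in range(max_steps):
        enabled = [t for t in transitions if t[1](state)]
        if not enabled:
            return step, state
        name, _, update = enabled[0]   # guards are disjoint in both loops
        i, nxt = pi[name], update(state)
        assert delta[i](state) >= 0, f"Bounded fails: {name} at {state}"
        assert delta[i](nxt) <= delta[i](state) - eps, f"Ranking fails: {name} at {state}"
        for j in range(i):             # components before pi(tau) must not grow
            assert delta[j](nxt) <= delta[j](state), f"Nonincreasing fails: {name} at {state}"
        state = nxt
    raise RuntimeError("no termination within max_steps")

def gcd(y1, y2):
    """GCD via the abstract loop; the loop halts when y1 = y2."""
    return run_and_check(GCD, GCD_DELTA, GCD_PI, {"y1": y1, "y2": y2})[1]["y1"]

def mc91(n):
    """Imperative McCarthy 91: halts when x > 100 and s = 1, returns x - 10."""
    return run_and_check(MC91, MC91_DELTA, MC91_PI, {"x": n, "s": 1})[1]["x"] - 10
```

Replacing `MC91_PI` with `{"tau1": 0, "tau2": 0}` makes the Bounded check for $\tau_1$ fail on the first state with $x \ge 101$ and $s \ne 1$ where $10s - x + 90 < 0$, which is exactly why the slides need the second component.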
The Theoretical Landscape
Ranking Functions

Theorem: Every terminating loop has a ranking function.

But in general, expressing a ranking function requires FOL with fixpoints, which is incomplete. Therefore, termination is not necessarily semi-decidable. In fact, termination is not semi-decidable even for a simple class of loops.
Interlude: Linear Loops

Consider variables $V = \{x_1, x_2, \ldots, x_m\}$.

homogeneous vector: $\mathbf{x} = (x_1, \ldots, x_m, 1)^T$

linear assertion: $\displaystyle \bigwedge_{i \in \{1, \ldots, k\}} (a_{i,1} x_1 + \cdots + a_{i,m} x_m + a_{i,m+1} \ge 0)$

In matrix form:
$$\begin{pmatrix} a_{1,1} & \cdots & a_{1,m} & a_{1,m+1} \\ \vdots & & \vdots & \vdots \\ a_{k,1} & \cdots & a_{k,m} & a_{k,m+1} \end{pmatrix} \begin{pmatrix} x_1 \\ \vdots \\ x_m \\ 1 \end{pmatrix} \ge \begin{pmatrix} 0 \\ \vdots \\ 0 \end{pmatrix}$$
that is, $A\mathbf{x} \ge 0$.
Interlude: Linear Loops

Consider variables $V = \{x_1, x_2, \ldots, x_m\}$.

linear loop: $L : \langle V, \Theta, T \rangle$ in which all assertions are linear
• initial condition: $\Theta \mathbf{x} \ge 0$
• transitions: $\tau_i \binom{\mathbf{x}}{\mathbf{x}'} \ge 0$, where $\binom{\mathbf{x}}{\mathbf{x}'} = (x_1, \ldots, x_m, x_1', \ldots, x_m', 1)^T$
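To make the matrix encoding concrete, this added example (not from the slides) writes the GCD loop as a linear loop: $\Theta$ is a matrix over the homogeneous vector $(y_1, y_2, 1)$, each $\tau_i$ is a matrix over $(y_1, y_2, y_1', y_2', 1)$, and a concrete trace is validated by checking $A\mathbf{x} \ge 0$ row by row. The trailing 1 carries the constants, and each equality in a transition becomes a pair of opposite inequalities; the helper names are this example's own.

```python
"""Constructed example (not from the slides): GCD written as a linear loop.
States are homogeneous vectors (y1, y2, 1); an assertion is a matrix A
meaning A x >= 0 componentwise; a transition is a matrix over
(x x') = (y1, y2, y1', y2', 1).  An equality such as y1' = y1 - y2 is the
pair of inequalities y1' - y1 + y2 >= 0 and -(y1' - y1 + y2) >= 0."""

def holds(A, v):
    """True iff every row a of A satisfies a . v >= 0."""
    return all(sum(a * x for a, x in zip(row, v)) >= 0 for row in A)

def equality(row):
    """The two >= 0 rows that together encode  row . v = 0."""
    return [row, [-a for a in row]]

# Theta: y1 >= 1 and y2 >= 1, i.e. y1 - 1 >= 0 and y2 - 1 >= 0 over (y1, y2, 1).
THETA = [[1, 0, -1],
         [0, 1, -1]]

# Transition rows have columns y1, y2, y1', y2', 1.
TAU1 = ([[1, -1, 0, 0, -1]]             # guard  y1 - y2 - 1 >= 0  (y1 >= y2 + 1)
        + equality([-1, 1, 1, 0, 0])    # y1' = y1 - y2
        + equality([0, -1, 0, 1, 0]))   # y2' = y2
TAU2 = ([[-1, 1, 0, 0, -1]]             # guard  y2 - y1 - 1 >= 0  (y2 >= y1 + 1)
        + equality([-1, 0, 1, 0, 0])    # y1' = y1
        + equality([1, -1, 0, 1, 0]))   # y2' = y2 - y1

def is_step(tau, s, t):
    """Does tau(x, x') hold for concrete states s = x and t = x'?"""
    return holds(tau, [*s, *t, 1])

def check_trace(trace, theta=THETA, taus=(TAU1, TAU2)):
    """Validate a trace against the linear loop: Theta must hold on the
    first state and each consecutive pair must satisfy some tau.  Returns
    the 1-based indices of the transitions taken, or None on failure."""
    if not holds(theta, [*trace[0], 1]):
        return None
    taken = []
    for s, t in zip(trace, trace[1:]):
        idx = next((i for i, tau in enumerate(taus, 1) if is_step(tau, s, t)), None)
        if idx is None:
            return None
        taken.append(idx)
    return taken

# The gcd(77, 112) trace from the slides.
GCD_TRACE = [(77, 112), (77, 35), (42, 35), (7, 35), (7, 28), (7, 21), (7, 14), (7, 7)]
```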
Theoretical Limitation

Consider loops of the form:
$$\Theta : \bigwedge_{x_i \in \mathcal{V} \subseteq V} x_i = c_i$$

    while gᵀx ≥ 0 do
      x := (A₁ | A₂ | ··· | Aₖ) x      (nondeterministic choice among A₁, …, Aₖ)
    done

for $\mathbf{x} \in \mathbb{R}^n$, $k \ge 1$. This is a restricted subset of linear loops.

Theorem: Termination of such loops is not semi-decidable (not recursively enumerable). Hence there is no complete method.
Synthesis Problem

Identify a class of loops $\mathcal{L}$, a class of functions $\mathcal{F}$, and a class of assertions $\mathcal{A}$ such that synthesis of ranking functions of form $\mathcal{F}$ with supporting invariants in $\mathcal{A}$ is complete for $\mathcal{L}$.

Example: (Lexicographic) linear ranking functions and linear invariants for linear loops over the reals.
Recent Work

Colón & Sipma 2001, 2002: Linear ranking functions for linear loops.
Colón, Sankaranarayanan & Sipma 2003: Constraint-based linear invariant generation.
Podelski & Rybalchenko 2004: Complete method for one-transition linear loops.
Bradley, Manna & Sipma 2005: Lexicographic linear ranking functions, supporting invariants.
Bradley, Manna & Sipma 2005: Linear ranking functions, supporting invariants, for integer linear loops.
Synthesis of Linear Ranking Functions with Supporting Invariants