Alternation for Termination

Proving termination of sequential programs is an important problem, both for establishing the total correctness of systems and as a component of proving more general termination and liveness properties. We present a new algorithm, TREX, that determines whether a sequential program terminates on all inputs. The key characteristic of TREX is that it alternates between refining an over-approximation and an under-approximation of each loop in a sequential program. In order to prove termination, TREX maintains an over-approximation of the set of states that can be reached at the head of the loop. In order to prove non-termination, it maintains an under-approximation of the set of paths through the body of the loop. The over-approximation and under-approximation are used to refine each other iteratively, and help TREX to arrive quickly at a proof of either termination or non-termination. TREX refines the approximations in alternation by composing three different program analyses: (1) local termination provers that can quickly handle intricate loops, but not whole programs, (2) non-termination provers that analyze one cycle through a loop, but not all paths, and (3) global safety provers that can check safety properties of large programs, but cannot check liveness properties. This structure allows TREX to be instantiated using any of the pre-existing techniques for proving termination or non-termination of individual loops. We evaluated TREX by applying it to prove termination or find bugs for a set of real-world programs and termination analysis benchmarks. Our results demonstrate that alternation allows TREX to prove termination or produce certified termination bugs more effectively than previous techniques.
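The alternation the abstract describes, as an added toy illustration that is not the paper's TREX implementation: the under-approximation is the set of loop-body paths seen so far, a local termination prover searches for a lexicographic ranking over only those paths, a global safety prover checks that ranking against every reachable loop-head state and hands back the first path on which it fails, and a non-termination prover checks whether that path keeps itself enabled once reached. Assumptions (all mine): loops over integer variables whose bodies are finite sets of guarded constant-delta updates, and a bounded explicit-state search standing in for a real safety prover.

```python
from itertools import permutations
# Loop model (constructed): a path fires when all `pos` > 0 and all `nonpos` <= 0, then adds `delta`.
def path(name, pos=(), nonpos=(), **delta):
    return {"name": name, "pos": set(pos), "nonpos": set(nonpos), "delta": delta}
def rank_ok(order, p, head):
    # Lexicographic rank `order` drops on p if p's first changed var goes down
    # while bounded below (> 0) by the loop condition `head` or by p's guard.
    for v in order:
        if (d := p["delta"].get(v, 0)) != 0:
            return d < 0 and (v in head or v in p["pos"])
    return False
def local_termination_prover(head, known, variables):
    # Ranking for the under-approximation only: the paths seen so far.
    return next((o for o in permutations(variables)
                 if all(rank_ok(o, p, head) for p in known)), None)
def nontermination_prover(p, head):
    # p is recurrent if firing it keeps p and the loop condition enabled.
    return (all(p["delta"].get(v, 0) >= 0 for v in head | p["pos"])
            and all(p["delta"].get(v, 0) <= 0 for v in p["nonpos"]))
def safety_prover(head, paths, order, inits, bound=50):
    # Explicit-state reachability over a bounded domain (stand-in for a real
    # safety prover); returns the first reachable (state, path) where rank fails.
    seen, work = set(), list(inits)
    while work:
        s = work.pop()
        if (k := tuple(sorted(s.items()))) in seen or max(map(abs, s.values())) > bound:
            continue
        seen.add(k)
        for p in paths:
            if all(s[v] > 0 for v in head | p["pos"]) and all(s[v] <= 0 for v in p["nonpos"]):
                if not rank_ok(order, p, head):
                    return s, p
                work.append({v: s[v] + p["delta"].get(v, 0) for v in s})
    return None
def trex(head, paths, inits, variables):
    known = []                                    # under-approximation of paths
    while (order := local_termination_prover(head, known, variables)) is not None:
        if (cex := safety_prover(head, paths, order, inits)) is None:
            return "terminates", order            # rank holds on all reachable states
        s, p = cex
        if nontermination_prover(p, head):
            return "nonterminates", (s, p["name"])  # reachable recurrent path
        known.append(p)                           # refine with the new path
    return "unknown", known

# Constructed loops: while x > 0 { if y > 0: y -= 1 else: <path B or C> }
A = path("A", pos=("y",), y=-1)
B = path("B", nonpos=("y",), x=-1, y=2)   # terminating, needs rank (x, y)
C = path("C", nonpos=("y",), x=1)         # non-terminating: C re-enables itself
INITS = [{"x": i, "y": j} for i in (1, 2, 3) for j in (0, 1, 2)]
```

With paths A and B the first guessed ranking (y, x) is refuted by B, B joins the under-approximation, and the rebuilt ranking (x, y) is then confirmed on all reachable states; with A and C the refuting path C is itself recurrent, so the counterexample state plus C is a certified non-termination bug.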
