[

[

[
Abstract

We describe an algorithm for proving termination of programs abstracted to systems of monotonicity constraints in the integer domain. Monotonicity constraints are a non-trivial extension of the well-known size-change termination method. While deciding termination for systems of monotonicity constraints is PSPACE complete, we focus on a well-defined and significant subset, which we call MCNP, designed to be amenable to a SAT-based solution. Our technique is based on the search for a special type of ranking function defined in terms of bounded differences between multisets of integer values. We describe the application of our approach as the back-end for the termination analysis of Java Bytecode (JBC). At the front-end, systems of monotonicity constraints are obtained by abstracting information, using two different termination analyzers: AProVE and COSTA. Preliminary results reveal that our approach provides a good trade-off between precision and cost of analysis.

t

SAT-Based Termination Using Monotonicity Constraints] SAT-Based Termination Analysis Using Monotonicity Constraints over the Integersthanks: Supported by the G.I.F. grant 966-116.6.

M. Codish et al.]MICHAEL CODISH, IGOR GONOPOLSKIY
Department of Computer Science, Ben-Gurion University, Israel and AMIR M. BEN-AMRAM
School of Computer Science, Tel-Aviv Academic College, Israel thanks: Part of this author’s work was carried out while visiting DIKU, the University of Copenhagen. and CARSTEN FUHS, JÜRGEN GIESL
LuFG Informatik 2, RWTH Aachen University, Germany

ermination analysis, monotonicity constraints, SAT encoding.

1 Introduction

Proving termination is a fundamental problem in verification. The challenge of termination analysis is to design a program abstraction that captures the properties needed to prove termination as often as possible, while providing a decidable sufficient criterion for termination. Typically, such abstractions represent a program as a finite set of abstract transition rules which are descriptions of program steps, where the notion of step can be tuned to different needs. The abstraction considered in this paper is based on monotonicity-constraint systems (MCSs).

The MCS abstraction is an extension of the SCT (size-change termination [Lee et al. (2001)]) abstraction, which has been studied extensively during the last decade (see http://www2.mta.ac.il/~amirben/sct.html for a summary and references). In the SCT abstraction, an abstract transition rule is specified by a set of inequalities that show how the sizes of program data in the target state are bounded by those in the source state. Size is measured by a well-founded base order. These inequalities are often represented by a size-change graph.

The size-change technique was conceived to deal with well-founded domains, where infinite descent is impossible. Termination is deduced by proving that any (hypothetical) infinite run would decrease some value monotonically and endlessly, so that well-foundedness would be contradicted.

Extending this approach, a monotonicity constraint (MC) allows for any conjunction of order relations (strict and non-strict inequalities) involving any pair of variables from the source and target states. So in contrast to SCT, one may also have relations between two variables in the target state or two variables in the source state. Thus, MCSs are more expressive, and [Codish et al. (2005)] observe that earlier analyzers based on monotonicity constraints [Lindenstrauss and Sagiv (1997), Codish and Taboch (1999), Lindenstrauss et al. (2004)] apply a termination test which is sound and complete for SCT, but incomplete for monotonicity constraints, even if one does

static int a(int x, int y){   if (x>y){     int x1=x-1; int y1=y+1;     if (x1>=y1)       return a(x1,y1);     else return y;   } else {     int x1=x+1; int y1=y-1;     if (x1<=y1)       return a(x1,y1);     else return x;   } }

not change the underlying model, namely that “data” are from an unspecified well-founded domain. They also point out that monotonicity constraints can imply termination under a different assumption—that the data are integers. Not being well-founded, integer data cannot be handled by SCT. As an example, consider the Java program on the right which computes the average of x and y. The loops in this program can be abstracted to the following monotonicity-constraint transition rules:

To prove termination of the Java program it is sufficient to focus on the corresponding abstraction. Note that termination of this program cannot be proved using SCT, not only because SCT disallows constraints between source variables (such as ), but also because it computes with integers rather than natural numbers.

To see how the transition constraints imply termination, observe that if (1) is repeatedly taken, then the value of grows; constraint (with the fact that descends) implies that this cannot go on forever. In (2), the situation is reversed: descends and is lower-bounded by . In addition, constraint of rule (2) implies that, once this rule is taken, there can be no more applications of (1). Therefore any (hypothetical) infinite computation would eventually enter a loop of (1)s or a loop of (2)s; possibilities which we have just ruled out. In this paper, we show how to obtain such termination proofs automatically using SAT solving.

Although MCS and SCT are abstractions where termination is decidable, they have a drawback: the decision problems are PSPACE complete and a certificate for termination under these abstractions can be of prohibitive complexity (not “polynomially computable” [Ben-Amram (2009)]). Typical implementations based on the SCT abstraction apply a closure operation on transition rules which is exponential both in time and in space. [Ben-Amram and Codish (2008)] addressed this problem for SCT, identifying an NP complete subclass of SCT, called SCNP, which yields polynomial-size certificates. Moreover, [Ben-Amram and Codish (2008)] automated SCNP using a SAT solver. Experiments indicated that, in practice, this method had good performance and power when compared to a complete SCT decision procedure, and had the additional merit of producing certificates.

In this paper we tackle the similar problem to prove termination of monotonicity-constraint systems in the integer domain. As noted above, the integer setting is more complicated than the well-founded setting. Termination is often proved by looking at differences of certain program values (which should be decreasing and lower-bounded). One could simulate such reasoning in SCT by creating fresh variables to track the non-negative differences of pairs of original variables. However this loses precision and may square the number of variables, which is an exponent in the complexity of most SCT algorithms. Instead, we use an idea from [Ben-Amram and Codish (2008)] which consists of mapping program states into multisets of argument values. The adaption of this method to integer data is non-trivial. Our new solution uses the following ideas: (1) We associate two sets with each program point and define how to “subtract” them so that the difference can be used for ranking (generalizing the difference of two integers). This avoids the quadratic growth in the exponent of the complexity, since we are only working with the original variables and relations, and is also more expressive. (2) We introduce a concept of “ranking functions” which is less strict than typically used but still suffices for termination. It allows the co-domain of the function to be a non-well-founded set that has a well-founded subset. This gives an additional edge over the naïve reduction to SCT, which can only make use of differences which are definitely non-negative.

After presenting preliminaries in Sect. 2, Sect. 3 introduces ranking structures, which are termination witnesses. In Sect. 4 we show that such a witness can be verified in polynomial time, hence the resulting subclass of terminating MCSs lies in NP. Consequently, we call it MCNP. In Sect. 5 we devise an algorithm that uses a SAT solver as a back-end to solve the resulting search problems. Sect. 6 describes an empirical evaluation using a prototypical implementation as the back-end for termination analysis of Java Bytecode (JBC). Results indicate a good trade-off between precision and cost of analysis. All proofs and further details of the evaluation can be found in the appendices.

Related work. Termination analysis is a vast field and we focus here on the most closely related work. On termination analyzers for JBC, we mention COSTA [Albert et al. (2008)], Julia [Spoto et al. (2010)], and AProVE [Brockschmidt et al. (2010), Otto et al. (2010)]. Both COSTA and Julia abstract programs into a CLP form, as in this work; but use a richer constraint language that makes termination of the abstract program undecidable. On extending SCT to the integer domain: [Avery (2006)] uses constraints of the form along with polyhedral state invariants (similar constraints as those used by COSTA and Julia) to find lower-bounded combinations of the variables. [Manolios and Vroon (2006)] uses SCT constraints on pseudo-variables that represent “measures” invented by the system. This allows it to handle integers by taking, for example, the differences of two variables as a measure. [Dershowitz et al. (2001), Serebrenik and De Schreye (2004)] prove termination of logic programs that depend on numerical constraints by inferring “level mappings” based on constraints selected from the source program; so, a constraint like can trigger the use of as a level mapping. There are numerous applications of SAT for deciding termination problems for all kinds of programs (e.g., one of the first such papers is [Codish et al. (2006)]).

2 Monotonicity-Constraint Systems and Their Termination

Our method is programming-language independent. It works on an abstraction of the program provided by a front-end. An abstract program is a transition system with states expressed in terms of a finite number of variables (argument positions).

Definition 1 (constraint transition system)

A constraint transition system is an abstract program, represented by a directed multigraph called a control-flow graph (CFG). The vertices are called program points and they are associated with fixed numbers (arity) of argument positions. We write to specify the arity of vertex . A program state is an association of a value from the value domain to each argument position of a program point , denoted and abbreviated . The set of all states is denoted . The arcs of the CFG are associated with transition rules, specifying relations on program states, which we write as . The transition predicate is a formula in the constraint language of the abstraction.

Note that a state corresponds to a ground atom: argument positions are associated with specific values. In a transition rule, positions are associated with variables that can only be constrained through . Thus in the notation , may represent ground values or variables, according to context. The constraint language in our work is that of monotonicity constraints.

Definition 2 (monotonicity constraint)

A monotonicity constraint (MC) on is a conjunction of constraints where , and . We write whenever is a consequence of (in the theory of total orders). This consequence relation is easily computed, e.g., by a graph algorithm. A transition rule , where is a MC, is also known as a monotonicity-constraint transition rule. An integer monotonicity-constraint transition system (MCS)111In this work only the integer domain is of interest, hence “integer” will be omitted. is a constraint transition system where the value domain is and transition predicates are monotonicity constraints.

It is useful to represent a MC as a directed graph (often denoted by the letter ), with vertices , and two types of edges : weak and strict. If then there is a strict edge from to and if (but not ) then the edge is weak. Note that there are two kinds of graphs, those representing transition rules and the CFG. We often identify an abstract program with its set of transition rules, the CFG being implicitly specified.

Definition 3 (run, termination)

Let be a transition system. A run of is a sequence of states labeled by constraints such that each labeled pair of states, , corresponds to a transition rule from (identical except that variables and are replaced by values and ) and such that is satisfied. A transition system terminates if it has no infinite run.

Example 4

This example presents a MCS in textual form as well as graphical form. This system is terminating, and in the following sections we shall illustrate how our method proves it. In the graphs, solid arrows stand for strict inequalities and dotted arrows stand for weak inequalities.

\xymatrix@R=15ptp:
p: \xymatrix@C=9pt@R=15pt x_1 & x_2\ar@.¿[l]\ar@.¿[dr]\ar@.¿[d] & x_3
y_1\ar[u] & y_2\ar@.¿[ul] & y_3
\xymatrix@R=15pt p:
p: \xymatrix@C=9pt@R=15pt x_1 & x_2 & x_3\ar[l]\ar@.¿[dl]\ar@.¿[d]
y_1\ar@.¿[u]\ar[ur] & y_2\ar[u] & y_3
\xymatrix@R=15pt p:
q: \xymatrix@C=8pt@R=15pt x_1 & x_2\ar@.¿[d] & x_3
y_1\ar[u] & y_2
\xymatrix@R=15pt q:
p: \xymatrix@C=8pt@R=15pt x_1 & x_2 \ar@.¿[l]\ar@.¿[dr]\ar@.¿[d]
y_1\ar@.¿[u] & y_2 & y_3

3 Ranking Structures for Monotonicity-Constraint Systems

This section describes ranking structures, a concept that we introduce for proving termination of MCSs. Sect. 3.1 presents the necessary notions in general form. Then, Sect. 3.2 specializes them to the form we use for MCNP.

3.1 Ranking structures

Recall that is a quasi-order if it is transitive and reflexive; its strict part is the relation ; the quasi-order is well-founded if there is no infinite chain with . A set is well-founded if it has a tacitly-understood well-founded order.

A ranking function maps program states into a well-founded set, such that every transition decreases the function’s value. As shown in [Ben-Amram (2011)], for every terminating MCS there exists a corresponding ranking function. However, these are of exponential size in the worst case. Since our aim is NP complexity, we cannot use that construction, but instead restrict ourselves to polynomially sized termination witnesses. These witnesses, called ranking structures, are more flexible than ranking functions, and suffice for most practical termination proofs.

Definition 5 (anchor, intermittent ranking function)

Let be a MCS with state space . Let be a quasi-order and a well-founded subset of . Consider a function . We say that is a -anchor for (or that is anchored by for ) if for every run where both and correspond to the transition rule , we have for all , where at least one of these inequalities is strict; and for some . A function which satisfies the above conditions is called an intermittent ranking function (IRF).222The term “intermittent ranking function” is inspired by [Manna and Waldinger (1978)].

Example 6

Consider the transition rules from Ex. 4. Let and let . In any run built with and , the value of is non-negative at least in every state followed by a transition by . Moreover, a transition by decreases the value strictly and a transition by decreases it weakly. Hence, is anchored by for (in Sect. 3.2, we come back to this example and show how fits the patterns of termination proofs that our method is designed to discover).

Definition 7 (ranking structure)

Consider and as in Def. 5. Let . Let consist of all transition rules where anchors for . For , let consist of all transition rules where anchors in . We say that is a ranking structure for if .

Note that by the above definition, for every there is a (unique) with . We denote this index as (i.e., for all ).

Example 8

For the program of Ex. 4, a ranking structure is with as in Ex. 6 and . Here, we have and . Later, in Ex. 18 and 27 we will extend the ranking structure to the whole program .

The concept of ranking structures generalizes that of lexicographic global ranking functions used, e.g., in [Ben-Amram and Codish (2008), Alias et al. (2010)]. A lexicographic ranking function is a ranking structure, however, the converse is not always true, since the function does not necessarily decrease on a transition rule which it anchors, and because may assume values out of in certain states.

Theorem 9

If there is a ranking structure for , then terminates.

Definition 10

A ranking structure for is irredundant if for all , there is a transition such that .

It follows easily from the definitions that if there is a ranking structure for , there is an irredundant one, of length at most .

3.2 Multiset Orders and Level Mappings

The building blocks for our construction are four quasi-orders on multisets of integers, and a notion of level mappings, which map program states into pairs of multisets, whose difference (not set-theoretic difference; see Def. 15 below) will be used to rank the states.333 A reader familiar with previous works using this term should note that here, a level mapping is not in itself some kind of ranking function. The difference will be itself a multiset, and we now elaborate on the relations that we use to order such multisets.

Definition 11 (multiset types)

Let denote the set of multisets of integers of at most elements, where is fixed by context.444For monotonicity-constraint systems, is the maximum arity of program points. The -ordered multiset type, for , is the quasi-ordered set where:

  1. (max order) holds iff , or is empty; holds iff , or is empty while is not.

  2. (min order) holds iff , or is empty; holds iff , or is empty while is not.

  3. (multiset order [Dershowitz and Manna (1979)]) holds iff is obtained by replacing a non-empty by a (possibly empty) multiset such that ; the weak relation holds iff or .

  4. (dual multiset order [Ben-Amram and Lee (2007)]) holds iff is obtained by replacing a sub-multiset by a non-empty multiset with ; the weak relation holds iff or .

Example 12

For :    ,    ,    , and .

Definition 13 (well-founded subset of multiset types)

For , we define as follows: For min (respectively max) order, the subset consists of the multisets whose minimum (resp. maximum) is non-negative. For ms and dms orders, the subset consists of the multisets all of whose elements are non-negative.

Lemma 14

For all , is a total quasi-order, with its strict part; and is well-founded.

For MCs over the integers, it is necessary to consider differences: in the simplest case, we have a “low variable” that is non-descending and a “high variable” that is non-ascending, so is non-ascending (and will decrease if or changes). If we also have a constraint like , to bound the difference from below, we can use this

\xymatrix@C=15pt@R=15pt x & y\ar@.¿[l]\ar@.¿[d] x’\ar@.¿[u] & y’

for ranking a loop (we refer to this situation as “the ”—due to the diagram on the right). In the more general case, we consider sets of variables. We will search for a similar situation involving a “low set” and a “high set”. We next define how to form a difference of two sets so that one can follow the same strategy of “diminishing difference”.

Definition 15 (multiset difference)

Let be non-empty multisets with types respectively. Their difference is defined in the following way, depending on the types (there are 6 cases):

  1. For , and has the type of .
    (Here, signifies or depending on the value of ).

  2. For and , and has type (where and ).

For and such that is defined, we say that the types of and are compatible. We write if the difference belongs to the well-founded subset.

Note that relates multisets of possibly different types and is not an order relation. Termination proofs do not require to define the difference of multisets with types in . To see why, observe that in “the ”, only one multiset must change strictly, and the non-strict relations , are contained in , , respectively. Note also that is equivalent, in all relevant cases, to with . The intuition into why multiset difference is defined as above is rooted in the following lemma.

Lemma 16

Let be two multisets of compatible types , and let be the type of . Let be of the same types as respectively. Then

Level mappings are functions that facilitate the construction of ranking structures. Three types of level mappings are defined in [Ben-Amram and Codish (2008)]: numeric, plain, and tagged. In this paper we focus on “plain” and “tagged” level mappings and we adapt them for multisets of integers. Numeric level mappings have become redundant in this paper due to the passage from ranking functions to ranking structures. We first introduce the extension for plain level mappings.

Definition 17 (bi-multiset level mapping, or “level mapping” for short)

Let be a MCS. A bi-multiset level mapping, maps each program state to a pair of (possibly intersecting) multisets and with types indicated respectively by . Only compatible pairs are admitted. The selection of argument positions only depends on the program point .

Example 18

The following are the level mappings used (in Ex. 27) to prove termination of the program of Ex. 4. Here, each program point is mapped to .

We now turn to tagged level mappings. Assume the context of Def. 17 and let denote the sum of the arities of all program points. A tagged bi-multiset level mapping is just like a bi-multiset level mapping, except that set elements are pairs of the form where is from and is a natural constant, called a tag. We view such a pair as representing the integer value (recall that is an integer). This transforms tagged multisets into multisets of integers, so Defs. 15, 17, and the consequent definitions and results can be used without change.

Tags “prioritize” certain argument positions and can usefully turn weak inequalities into strict ones. For example, consider a transition rule . The tagged set is strictly greater (in order as well as in order) than (because ). The plain sets and do not satisfy these relations. Thus tagging may increase the chance of finding a termination proof. We do not have any fixed rule for tagging; our SAT-based procedure will find a useful tagging if one exists. In the remainder we write “level mapping” to indicate a, possibly tagged, bi-multiset level mapping.

Level mappings are applied in termination proofs to express the diminishing difference of their low and high sets. To be useful, we also need to express a constraint relating the high and low sets, providing, figuratively, the horizontal bar of “the ”. A transition rule that has such a constraint is called bounded.

Definition 19 (bounded)

Let be a MCS, a level mapping,555We sometimes write (for short) instead of . and . A transition rule in is called bounded w.r.t.  if .

Definition 20 (orienting transition rules)

Let be a level mapping. (1) orients transition rule if and ; (2) orients strictly if, in addition, or .

Example 21

We refer to Ex. 4 and the level mapping from Ex. 18. Function orients all transition rules, where and are oriented strictly; and are bounded w.r.t.  (the reader may be able to verify this by observing the constraints, however later we explain how our algorithm obtains this information).

Corollary 22 (of Def. 20 and Lemma 16)

Let be a level mapping and define . If orients , then ; and if orients strictly, then .

The next theorem combines orientation and bounding to show how a level mapping induces anchors. Note that we refer to cycles in the CFG also as “cycles in ”, as the CFG is implicit in .

Theorem 23

Let be a MCS and a level mapping. Let be such that every cycle including satisfies these conditions: (1) all transitions in are oriented by , and at least one of them strictly; (2) at least one transition in is bounded w.r.t. . Then is a -anchor for , where .

Definition 24 (MCNP anchors and ranking functions)

Let be a MCS and a level mapping. We say that is a MCNP-anchor for w.r.t.  if and satisfy the conditions of Thm. 23. The function is called a MCNP (intermittent) ranking function (MCNP IRF).

Note that if is not included in any cycle, then the definition is trivially satisfied for any . Indeed, such transition rules are removed by our algorithm without searching for level mappings at all.

Example 25

The facts in Ex. 21 imply that , , and are MCNP-anchors w.r.t. .

We remark that numerous termination proving techniques follow the pattern of, repeatedly, identifying and removing anchors. However, typically, the function used for ranking is required to be strictly decreasing, and bounded, on the anchor itself, which (at least implicitly) means that a lexicographic ranking function is being constructed; see, e.g., [Colón and Sipma (2002)]. The anchor criterion expressed in Thm. 23 (inspired by [Giesl et al. (2007), Thm. 8]) is more powerful. We note that the difference is only important with non-well-founded domains. When the ranking is only done with orders that are a priori well-founded, as for example in [Giesl et al. (2006), Hirokawa and Middeldorp (2005)], considering the strictly-oriented transitions as anchors is sufficient. In comparison to [Giesl et al. (2007)], we note that they do not use the concept of anchors, and propose an algorithm which can generate an exponential number of level-mapping-finding subproblems (whereas ours generates, in the worst case, as many problems as there are transition rules).

4 The MCNP Problem

In this section, we present necessary and sufficient conditions for orientability and boundedness. Based on these, we conclude that proving termination with MCNP IRFs is in NP. This also forms the basis for our SAT-based algorithm in Sect. 5.

Definition 26 (Mcnp)

A system of monotonicity constraints is in MCNP if it has a ranking structure which is a tuple of MCNP IRFs.

It follows from Thm. 9, that if a MCS is in MCNP, then it terminates.

Example 27

Consider again Ex. 4 and the level mappings from Ex. 18. Then, is a ranking structure for . As already observed, , and are MCNP-anchors for . Observe now that is both strict and bounded on .

Ranking structures are constructed through iterative search for suitable level mappings which prescribe pairs of (possibly tagged) multisets of arguments which must satisfy relations of the form , , and .

Let and , be non-empty sets of (tagged) argument positions of or of . We show how to check for each if . Viewing as a graph (as in Ex. 4), let denote the transpose of (obtained by inverting the arcs). While tagged level mappings can be represented as “ordinary” bi-multiset level mappings (as indicated in Sect. 3.2), for their SAT encoding, it is advantageous to represent the orders on tagged pairs explicitly:

(1)

Below, either both represent arguments, or both represent tagged arguments, with relations , interpreted accordingly.

  1. max order: () every must be “covered” by an such that . Strict descent requires and .

  2. min order: () same conditions but on (now covers ).

  3. multiset order: () every must be “covered” by an such that . Furthermore each either covers each related strictly () or covers at most a single . Descent is strict if there is some that participates in strict relations.

  4. dual multiset order: () same conditions but on (now covers ).

We also show how to decide if the relation holds: For and , holds iff .666Note that checking this amounts to checking for in the case ; for the other cases, holds if there is at least one arc from an vertex to an vertex; holds if there is an arc from every vertex to every vertex. For and , holds iff . For and , holds iff . For and , holds if . For and , holds if .

Since the above conditions allow for verification of a proposed MCNP ranking structure in polynomial time, we obtain the following theorem.

Theorem 28

MCNP is in NP.

5 A SAT-based MCNP Algorithm

Given that MCNP is in NP, we provide a reduction (an encoding) to SAT which enables us to find termination proofs using an off-the-shelf SAT solver. We invoke a SAT solver iteratively to generate level-mappings and construct a ranking structure . Our main algorithm is presented in Sect. 5.1. Sect. 5.2 discusses how to find appropriate level mappings and Sect. 5.3 introduces the SAT encoding.

5.1 Main algorithm

Given a MCS , the idea is to iterate as follows: while is not empty, find a level mapping inducing one or more anchors for . Remove the anchors, and repeat. The instruction “find a level mapping” is performed using a SAT encoding (for each of the compatible pairs of multiset orders). To improve performance, the algorithm follows the SCC (strongly connected components) decomposition of (the CFG of) . This leads to smaller subproblems for the SAT solver and is justified by the observation that inter-component transitions are trivially anchors (not included in any cycle). In the following let denote the set of non-vacant SCCs of (that is, SCCs which are not a vertex without any arcs).

Main Algorithm.


input: (a MCS)
output: (tuple of level mappings such that
             is a ranking structure for ). The algorithm aborts if is not in MCNP.

  1. (empty queue);   (stack with non-vacant SCCs of );

  2. while ()

    • pop from (a MCS) and find (using SAT) a level mapping
      to anchor some transition rules in     (if none, abort: MCNP)

    • extend to program points not in by

    • append to and remove from the -anchors that were found

    • push elements of to

  3. return

Theorem 29

The main algorithm succeeds if and only if is in MCNP.

5.2 Finding a level mapping

The main step in the algorithm is to find a level mapping which anchors some transition rules of a strongly-connected MCS. Let be strongly connected and a level mapping which orients all transition rules in , strictly orients the transition rules from a non-empty set , and where (non-empty) are bounded. Following Thm. 23, a transition rule is an anchor if every cycle in containing has an element from and an element from . We need to check all cycles in (possibly exponentially many). We describe a way of doing so by numbering nodes which lends itself well to a SAT-based solution.

Definition 30 (node numbering)

A node numbering is a function from program points to . For , we denote . For a set , we say that agrees with if for all :  .

Now for , checking that every cycle of containing also contains an element of , is reduced to finding a node numbering with which agrees with . Then, any cycle containing must contain also an edge with . But this implies that because agrees with .

Lemma 31

Let , , , and be as above. Then, is a MCNP-anchor for w.r.t  if and only if: (1) ; or (2) there are node numberings and agreeing with and respectively, such that and .

Example 32

We now describe the application of the Main Algorithm to Ex. 4. Initially, there is a single SCC, . Using SAT solving (as described in Sect. 5.3) we find that level mapping of Ex. 18 orients all transitions, strictly orients and is bounded on . Hence, by choosing the numbering , , , , we obtain that , and are anchors. Note that the problem encoded to SAT represents the choice of the level mapping and node numbering at once. Now, is set to , and the anchors are removed from , leaving a SCC consisting of point and transition rule . In a second iteration, level mapping of Ex. 18 is found and appended to . No SCC remains, and the algorithm terminates.

Note that our algorithm is non-deterministic (due to leaving some decisions to the SAT solver). In this example, the first iteration could come up with the numbering , which would cause only to be recognized as an anchor. Thus, another iteration would be necessary, which would find a numbering according to which and are anchors, since this time there is no other option.

5.3 A SAT encoding

Let be a strongly connected MCS (assume the context of the Main Algorithm of Sect. 5.1). For a compatible pair we construct a propositional formula which is satisfiable iff there exists a level mapping that anchors some transition rules in . We focus on tagged level mappings (omitting tags is the same as assigning them all the same value).

Each program point and argument position is associated with an integer variable . Integer variables are encoded through their bit representation. In the following, we write, for example, to indicate that the relation on integer variables is encoded to a propositional formula in CNF. Let and consider each . At the core of the encoding, we use a formula which introduces a propositional variable to specify a corresponding “tagged edge”, , as prescribed in Eq. (1). Here, and are the integer tags associated with the program points and argument positions of and (in ). We proceed likewise for the propositional variable .

Example 33

Consider from Ex. 4. The formula contains (among others) the following conjuncts. From , and ; from , and . Observe also, and .

We introduce the following additional propositional variables:

  • oriented weakly by

  • oriented strictly by

  • is an anchor w.r.t.  in

and, for every program point , two integer variables and to represent the node numberings from Def. 30.

Our encoding takes the following form:

The first two conjuncts specify that is a level mapping which orients , the third is specified as , and the rest are explained below:

Proposition

imposes the intended meanings on , and (see Def. 20 and Lemma 0).

Proposition

enforces that the node numberings and agree with sets and , cf. Lemma 31:

Proposition

imposes that and are true exactly when and , respectively. We focus on the case when , the other cases are similar and omitted for lack of space. The encoding of proposition is similar (and also omitted for lack of space).

The propositional variables , , , and () indicate the argument positions of and selected by the level mapping for the low and high sets, respectively. The first subformula specifies that a transition rule is weakly oriented by the order if for each where is selected (i.e., the