Termination Analysis of Polynomial Programs with Equality Conditions


Abstract

In this paper, we investigate the termination problem of a family of polynomial programs, in which all assignments to program variables are polynomials, and test conditions of loops and conditional statements are polynomial equations. Our main result is that the set of non-terminating inputs of such a polynomial program is algorithmically computable according to a strictly descending chain of algebraic sets, which implies that the termination problem of these programs is decidable. The complexity of the algorithm follows immediately from the length of the chain, which can be computed by Hilbert’s function and Macaulay’s theorem. To the best of our knowledge, the considered family of polynomial programs should be the largest one with a decidable termination problem so far. The experimental results indicate the efficiency of our approach.


Yangjia Li, Naijun Zhan and Mingshuai Chen, State Key Lab. of Comp. Sci., Institute of Software, Chinese Academy of Sciences, {yangjia,znj,chenms}@ios.ac.cn

Hui Lu, Nanjing Audit University, luhui@nau.edu.cn

Guohua Wu, Nanyang Technological University, guohua@ntu.edu.sg

category: F.3.1 Specifying and Verifying and Reasoning about Programs; Termination

keywords: Termination Analysis, Polynomial Programs, Polynomial Ideals

1 Introduction

Termination analysis plays an important role in program verification and testing, and has attracted increasing attention recently [Cook et al.(2011)Cook, Podelski, and Rybalchenko, Yang et al.(2010)Yang, Zhou, Zhan, and Xia]. However, the program termination problem is equivalent to the famous halting problem [Turing(1937)], and hence is undecidable in general. Thus, a complete method for termination analysis for programs, even for the general linear or polynomial programs, is impossible [Tiwari(2004), Müller-Olm and Seidl(2004), Bradley et al.(2005)Bradley, Manna, and Sipma, Braverman(2006)]. So, a practical way to conduct termination analysis is to provide sufficient conditions for termination and/or nontermination. The classical method for establishing termination of a program, either linear or polynomial, makes use of a well-founded domain together with a so-called ranking function that maps the state space of the program to the domain, which provides a sufficient condition for the termination of the program, e.g., [Ben-Amram and Genaim(2014), Colón and Sipma(2001), Podelski and Rybalchenko(2004a), Podelski and Rybalchenko(2004b), Chen et al.(2007)Chen, Xia, Yang, Zhan, and Zhou, Cousot(2005)]. In [Gupta et al.(2008)Gupta, Henzinger, Majumdar, Rybalchenko, and Xu], the authors considered a sufficient condition for non-termination inputs, while in [Harris et al.(2010)Harris, Lal, Nori, and Rajamani], the authors investigated sufficient conditions for termination and nontermination inputs respectively, and checked the two conditions in parallel for termination analysis.

In contrast, Tiwari investigated this issue at a very fundamental level. He first noticed that the termination of a class of simple linear loops is related to the eigenvalues of assignment matrix and proved that the termination problem of these linear programs with input set is decidable [Tiwari(2004)]. This theory was further developed in [Braverman(2006), Xia and Zhang(2010), Xia et al.(2011)Xia, Yang, Zhan, and Zhang].

Following this line, Bradley et al. [Bradley et al.(2005)Bradley, Manna, and Sipma] tried to investigate the termination problem of a family of polynomial programs, which are modeled as multi-path polynomial programs (MPPs) by using finite difference tree (FDT). The MPP model is an expressive class of loops with multiple paths, polynomial loop guards and assignments, that enables practical code abstraction and analysis. It was proved in [Bradley et al.(2005)Bradley, Manna, and Sipma] that the termination problem of MPPs is generally undecidable. In [Bradley et al.(2005)Bradley, Manna, and Sipma], the authors only considered a small class of MPPs, i.e., MPPs with polynomial behaviour. A similar idea was used for termination analysis of polynomial programs in [Babić et al.(2013)Babić, Cook, Hu, and Rakamarić]. In [Liu et al.(2014)Liu, Xu, Zhan, and Zhao], the authors considered another class of MPPs, whose loop guards are polynomial equations. According to their algebraic structures, the authors established sufficient conditions for termination and nontermination simultaneously for these MPPs, thus termination analysis can be conducted by checking these conditions in parallel, which is analogous to [Harris et al.(2010)Harris, Lal, Nori, and Rajamani]. In [Liu et al.(2014)Liu, Xu, Zhan, and Zhao], the authors raised an open problem whether the termination of this family of MPPs is decidable.

In this paper, we give an affirmative answer to the open problem raised in [Liu et al.(2014)Liu, Xu, Zhan, and Zhao] that the termination problem of MPPs with equality guards is decidable. To the best of our knowledge, this family of polynomial programs should be the largest one with a decidable termination problem so far, noting that program termination with inequality conditions is hard to decide even for linear loops, since such problem is equivalent to the famous Skolem’s problem [Ouaknine and Worrell(2015)]. On the other hand, inequality loop guards can be strengthened as equality guards, e.g. , thus our approach can also be used to find non-terminating inputs for general MPPs.

The basic idea of our approach is as follows: Given an MPP with paths, for any input , if at the first iteration satisfies the loop guard, then one of the paths in the loop body will be nondeterministically selected and the corresponding assignment will be used to update the value of , which results in possible values of ; afterwards, the above procedure is repeated until the guard does not hold any more. Thus the execution of an MPP on input forms a tree. An input is called non-terminating if the execution tree on has an infinite path. Obviously, each of such paths forms an ascending chain of polynomial ideals, and an input is non-terminating iff is in the variety of an ascending chain in the execution tree. By using some results of polynomial algebra, we prove that there is a uniform upper bound for these ascending chains. This implies the decidability of termination problem of the family of MPPs. Similar argument is applicable to polynomial guarded commands in which all test guards are polynomial equations.

Related work

In the past, various well-established work on termination analysis can only be applied to linear programs, whose guards and assignments are linear. For single-path linear programs, Colón and Sipma utilized polyhedral cones to synthesize linear ranking functions [Colón and Sipma(2001)]. Podelski and Rybalchenko, based on Farkas’ lemma, presented a complete method to find linear ranking functions if they exist [Podelski and Rybalchenko(2004a)]. In [Ben-Amram and Genaim(2014)], Ben-Amram and Genaim considered to extend the above results in the following two aspects: firstly, they proved that synthesizing linear ranking functions for single path linear programs is still decidable if program variables are interpreted over integers, but with co-NP complexity, in contrast to PTIME complexity when program variables are interpreted over rationals or reals; secondly, they proposed the notion of lexicographical ranking function and a corresponding approach for synthesizing lexicographical ranking functions for dealing with linear programs with multi-path.

In recent years, the termination problem of non-linear programs has attracted more attention as they are omnipresent in safety-critical embedded systems. Bradley et al. proposed an approach to proving termination of MPPs with polynomial behaviour over through finite difference trees [Bradley et al.(2005)Bradley, Manna, and Sipma]. Similar idea was used in [Babić et al.(2013)Babić, Cook, Hu, and Rakamarić] for termination analysis of polynomial programs. Typically, with the development of computer algebra, more and more techniques from symbolic computation, for instance, Gröbner basis [Sankaranarayanan et al.(2004)Sankaranarayanan, Sipma, and Manna, Müller-Olm and Seidl(2004)], quantifier elimination [Kapur(2006)] and recurrence relation [Rodríguez-Carbonell and Kapur(2007), Kovács(2008)], are borrowed and successfully applied to the verification of programs. Certainly, these techniques can also be applied to polynomial programs to discover termination or non-termination proofs. Chen et al. proposed a relatively complete (w.r.t. a given template) method for generating polynomial ranking functions over by reduction to semi-algebraic system solving [Chen et al.(2007)Chen, Xia, Yang, Zhan, and Zhou]. Gupta et al. proposed a practical method to search for counter-examples of termination [Gupta et al.(2008)Gupta, Henzinger, Majumdar, Rybalchenko, and Xu], by first generating lasso-shaped [Cook et al.(2006)Cook, Podelski, and Rybalchenko] candidate paths and then checking the feasibility of the “lassoes” using constraint solving. Velroyen and Rümmer applied invariants to show that terminating states of a program are unreachable from certain initial states, and then identified these “bad” initial states by constraint-solving [Velroyen and Rümmer(2008)]. Brockschmidt et al. detected non-termination and Null Pointer Exceptions for Java Bytecode by constructing and analyzing termination graphs, and implemented a termination prover AProVE [Brockschmidt et al.(2011)Brockschmidt, Ströder, Otto, and Giesl].

For more general programs, many other techniques, like predicate abstraction, parametric abstraction, fair assumption, Lagrangian relaxation, semidefinite programming, sum of squares, etc., have been successfully applied [Cousot and Cousot(2012), Cousot(2005), Cook et al.(2008)Cook, Gulwani, Lev-Ami, Rybalchenko, and Sagiv].

The following works are more closely related to ours. Tiwari first identified a class of simple linear loops and proved that its termination problem is decidable over reals [Tiwari(2004)]. Braverman extended Tiwari’s result by proving the termination problem is still decidable when program variables are interpreted over integers [Braverman(2006)], and Xia and Zhang investigated an extension of Tiwari’s simple linear loops by allowing a loop condition to be non-linear constraint and proved that the termination problem of the extension is still decidable over reals, and becomes undecidable over integers [Xia and Zhang(2010)]. In [Bradley et al.(2005)Bradley, Manna, and Sipma], Bradley et al. proved that the termination problem of MPPs with inequalities as loop conditions is not semi-decidable. Additionally, Müller-Olm and Seidl proved that the termination problem of linear guarded commands with equations and inequations as guards is undecidable [Müller-Olm and Seidl(2004)]. Thus, we believe that the class of polynomial programs, i.e., polynomial guarded commands with equalities as guards, under consideration in this paper, is the largest one with a decidable termination problem; any extension of it by allowing inequalities or inequations in a guard will make the termination problem undecidable.

The rest of the paper is organized as follows. In Section 2, we give an overview of our approach by a running example. In Section 3, some concepts and results on computational algebraic geometry are reviewed. Section 4 is devoted to computing the upper bound on the length of a descending chain of algebraic sets. In Section 5, we introduce the model of MPPs with equality guards. In Section 6, we prove the decidability of the termination problem of the MPPs by proposing an algorithm to compute the set of non-terminating inputs. Section 7 extends the decidability result to polynomial guarded commands with equality guards. Section 8 reports some experimental results with our method. A conclusion is drawn in Section 9.

2 A running example

Consider the following polynomial program (denoted by running):

Example 1.
(1)

Here “?” means that the condition has been ignored by abstraction of the program, and thus in each iteration these two assignments are nondeterministically chosen. Our problem is to decide if or not for any initial value in a given set , the program would always terminate in a finite number of iterations.

For simplicity, the polynomial of the loop guard is denoted as , and the two polynomial vectors of the assignments as and . Our approach is to compute the set of all possible initial values of for which the program may not terminate. Thus, the termination problem of the program on the set of inputs is easily obtained by checking if . The detailed procedure is described step by step as follows:

  1. Consider the equation , and write the set of its solutions as . Thus, means that the body of the loop should be executed once at least w.r.t. the input.

  2. Denote by and the solution sets of equations:

    respectively. So, means that the loop body may be executed twice at least by correspondingly choosing to be the assignment in the first iteration. So allows at least two iterations in the execution. It is easy to calculate that , , and so .

  3. Similarly, the solution set of equation

    is the set of inputs for which the third iteration is achievable by successively choosing and in the first and the second iterations. is the set of inputs which allow at least three iterations. By simple calculation, we obtain that , , , , and .

  4. Now we note that . Our results reported in this paper guarantee that , namely, is actually the set of inputs which make the program possibly nonterminating.

  5. Observe that . So the program is nonterminating on input .

3 Preliminaries

In this section, we recall some basic concepts and results on computational algebraic geometry, which serve as the theoretical foundation of our discussion. For a detailed exposition to this subject, please refer to [Cox et al.(1997)Cox, Little, and O’Shea][MacAulay(1926)].

3.1 Polynomial rings and ideals

Consider a number field , which could be the field of rational numbers , real numbers or complex numbers throughout this paper. Let be a vector of variables. A monomial of is of the form where is a vector of natural numbers, and is called the degree of , denoted by . A polynomial of is a linear combination of a finite number of monomials over , i.e., where is the number of distinct monomials of and is the nonzero coefficient of , for each . The degree of is defined as . Denote by the set of monomials of and the polynomial ring of over . The degree of a finite set is defined as .

We introduce the lexicographic order for monomials: if there exists such that and for all . For every polynomial we write its leading monomial (i.e., the greatest monomial under ) as . For any , a set of monomials is called -compressed, if for any , , then

Definition 1 (Polynomial Ideal).
  1. A nonempty subset is called an ideal if , and .

  2. Let be a nonempty subset of , the ideal generated by is defined as

  3. The product of two ideals and is defined as

The ideal generated by is actually the minimal one of ideals that contain . When is a finite set, we simply write as . Given two polynomial sets and , we define . Obviously, .

Theorem 1 (Hilbert’s Basis Theorem).

Every ideal is finitely generated, that is, for some . Here is called a basis of .

We define the degree of an ideal as

Note that an ideal may have different bases. However, using the Buchberger’s algorithm under a fixed monomial ordering, a unique (reduced) Gröbner basis of , denoted by , can be computed from any other basis. We also simply write as for any basis . An important property of Gröbner basis is that the remainder of any polynomial on division by , written as , satisfies that

The Hilbert’s Basis Theorem implies that the polynomial ring is a Noetherian ring, i.e.,

Theorem 2 (Ascending Chain Condition).

For any ascending chain of ideals

of , there exists an such that for all .

3.2 Algebraic sets and varieties

By assigning values in to , a polynomial can be regarded as a function from the affine space to . Then the set of zeros of a polynomial set can be defined as . It is easy to verify that .

Definition 2 (Algebraic Set and Variety).

A subset

  1. is algebraic, if there exists some such that , and is called a set of generating polynomials of ;

  2. is reducible, if it has two algebraic proper subsets and such that ; otherwise it is called irreducible;

  3. is a variety, if it is a nonempty irreducible algebraic set.

The following properties of algebraic sets and varieties can be easily verified: the union of two algebraic sets is an algebraic set, and the intersection of any family of algebraic sets is still algebraic; suppose are algebraic sets and is a variety, then

(2)

An algebraic set is usually represented by its generating polynomials in practice. Note that an algebraic set may have different sets of generating polynomials. However, by defining

for any , one can easily verify that is the maximal set that generates . So, any algebraic set can be identified by the ideal . The membership for any polynomial and any finite set of polynomials is equivalent to the unsatisfiability of , which is decidable [Tarski(1951)].

Additionally, noting that for two algebraic sets and , it follows from Theorem 2 that

Theorem 3 (Descending Chain Conditions).

For any descending chain of algebraic sets

of , there exists an such that for all .

3.3 Monomial ideals and Hilbert’s functions

An ideal is called monomial if it can be generated by a set of monomials. A monomial ideal always has a basis of monomials (due to Dickson’s Lemma), and any monomial should be a multiple of some .

Definition 3 (Hilbert’s function).

For a monomial ideal , a function is defined as

where is the set of homogeneous polynomials of degree and , and both of them are linear spaces over .

Note that is the number of monomials of degree , where

And means that contains all monomials of degree .

We invoke the Macaulay’s theorem [MacAulay(1926)] to estimate the value of Hilbert’s function . To this end, we define a function for every natural number as follows. When is given, any number can be uniquely decomposed as

where and . In fact, with ; and for , are successively determined by

until for some . Now we define

For instance, , and (note that ).

Theorem 4 (Macaulay).

For any monomial ideal , for all . Moreover, if and is -compressed.
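Added example (not from the paper): the page's own formulas for the decomposition and for the function built on it did not survive extraction, so this sketch assumes the standard textbook form, namely the greedy d-th Macaulay representation n = C(k_d, d) + ... + C(k_j, j) and the bound obtained by raising both entries of each binomial by one. It then checks Macaulay's inequality by brute force against the Hilbert function (the count of degree-d monomials outside the ideal) of a constructed monomial ideal; all function names and the sample ideals are hypothetical.

```python
from itertools import combinations_with_replacement
from math import comb


def macaulay_representation(n, d):
    """Greedy d-th Macaulay representation of n >= 0 (assumed standard form).

    Returns [(k_d, d), (k_{d-1}, d-1), ...] with n = sum of C(k_i, i)
    and k_d > k_{d-1} > ... >= 1. The empty list represents n = 0.
    """
    if n < 0 or d < 1:
        raise ValueError("need n >= 0 and d >= 1")
    terms = []
    i = d
    while n > 0 and i >= 1:
        k = i                          # C(i, i) = 1 <= n always holds here
        while comb(k + 1, i) <= n:     # largest k with C(k, i) <= n
            k += 1
        terms.append((k, i))
        n -= comb(k, i)
        i -= 1
    return terms


def macaulay_bound(n, d):
    """Upper bound on H(d+1) given H(d) = n: shift each binomial up by one."""
    return sum(comb(k + 1, i + 1) for k, i in macaulay_representation(n, d))


def monomials(nvars, d):
    """All exponent vectors of total degree d in nvars variables."""
    for combo in combinations_with_replacement(range(nvars), d):
        e = [0] * nvars
        for v in combo:
            e[v] += 1
        yield tuple(e)


def hilbert(gens, nvars, d):
    """Number of degree-d monomials NOT in the monomial ideal <gens>.

    A monomial lies in the ideal iff some generator divides it, i.e. the
    generator's exponent vector is componentwise <= the monomial's.
    """
    return sum(
        1
        for m in monomials(nvars, d)
        if not any(all(a >= b for a, b in zip(m, g)) for g in gens)
    )


def macaulay_rows(gens, nvars, max_d):
    """Rows (d, H(d), bound on H(d+1), actual H(d+1)) for d = 1..max_d."""
    rows = []
    for d in range(1, max_d + 1):
        h_d = hilbert(gens, nvars, d)
        rows.append((d, h_d, macaulay_bound(h_d, d), hilbert(gens, nvars, d + 1)))
    return rows


# Constructed sample ideals in three variables (x, y, z), as exponent vectors.
SAMPLE_GENS = [(2, 0, 0), (1, 2, 0), (0, 4, 0)]   # <x^2, x*y^2, y^4>
LEX_GENS = [(1, 0, 0)]                            # <x>, where the bound is attained

if __name__ == "__main__":
    for name, gens in (("sample", SAMPLE_GENS), ("lex", LEX_GENS)):
        for d, h_d, bound, h_next in macaulay_rows(gens, 3, 4):
            assert h_next <= bound     # Macaulay's inequality
            print(f"{name}: d={d} H(d)={h_d} bound={bound} H(d+1)={h_next}")
```

For the ideal generated by a single variable the bound is met with equality in every degree, while the sample ideal stays strictly below it.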

4 Upper bound of the length of polynomial ascending chains

In this section, we investigate the length of polynomial ascending chains, which plays a key role in proving the decidability of the termination problem. In addition, this problem is of independent interest in mathematics and has received much study [Socías(1992), Seidenberg(1971)].

The computing is based on Moreno-Socías’s approach [Socías(1992)], which consists of the following three steps:

  • Reduce computing the bound on -bounded polynomial ideal chains to computing the bound on -generating sequences of monomials, which is obtained by Moreno-Socías’s result [Socías(1992)].

  • Compute the longest homogeneous -generating sequence, which is achieved directly by using Hilbert’s function and Macaulay’s theorem. This step is different from Moreno-Socías’s, as his result on this step (i.e. Proposition 4.3 in [Socías(1992)]) is wrong.

  • Prove that the bound of -generating sequences of monomials is exactly the same as the length of the longest homogeneous -generating sequence obtained in (ii), which is trivially achieved by introducing a fresh variable.

Definition 4.

For any increasing function (that is, for all ), an ascending chain of polynomial ideals of is called -bounded, if for all . Denote by the greatest length of all strictly ascending chains of which are -bounded.

Remark.
  1. The condition of -boundedness is necessary to define the greatest length, as the length of chains with unbounded degrees could be arbitrarily large (for instance, the length of could be arbitrarily large if is unbounded).

  2. For ease of discussion, we assume is increasing without loss of generality. In fact, for a general , consider the increasing function , . Then a -bounded chain is always a -bounded chain since for all . So , and we can use as the upper bound of the chains.

Our aim is to compute based on the number of variables and function . To this end, we particularly consider ascending chains of a special form.

Definition 5.

Given a function , a finite sequence of monomials is called -generating, if and for all .

Then a -generating monomial sequence generates a strictly ascending chain of monomial ideals satisfying , by defining . Moreno-Socías proved in [Socías(1992)] that in order to compute , it suffices to consider the ascending chains that are generated by -generating monomial sequences. That is,

Proposition 1 ([Socías(1992)]).

is exactly the greatest number of monomials of -generating sequences in .

Hence, in the rest of this section, we construct the longest chain of this form. We first do this for a special case where the degrees of polynomial ideals are not just bounded but completely determined by a function . Then we reduce the general case to this special one.

4.1 The longest chain of specified degrees

In this subsection, we only consider a special type of -generating sequences such that:

(3)

We inductively construct a -generating sequence of monomials as follows: Initially define ; suppose are defined for some , then let

(4)

until for some .

Obviously, this sequence satisfies equation (3). It follows immediately from the equation (4) that the corresponding ideal is -compressed for every , and from the definition of Hilbert’s function.

Example 2.

For and , we have a set

Then in this case.

Now we shall prove that the sequence we construct has the greatest number of monomials among all -generating sequences that satisfies (3).

Lemma 1.

If is a -generating sequence that satisfies equation (3), then .

Proof: We proceed by contradiction. Suppose . Let for all . For simplicity, we define and , for all . Observe that

(5)

Indeed, the first two equalities directly follow from the definition of , and the third inequality is from Theorem 4. Similarly, we have

(6)

Here, the third one becomes equality since is -compressed and and so the conditions for equality in Theorem 4 is satisfied. On the other hand, we observe that . Then it can be inductively proved from equations (5) and (6) that:

Here, the fact that is applied. So we have proved that for all and . Then . We have , which is contrary to the definition of .

We consider to compute the greatest length using the condition . To this end, we define to be the number such that

(7)

Then from this definition . Note that

then . Computing is presented in the following theorem.

Theorem 5.

Given a number , an increasing function , and a number , can be recursively calculated as follows:

  1. and , for any , and ;

  2. Write for , then they can be successively calculated by and for ,

    Here is a function defined as .

Proof: It is equivalent to show that the recursive function defined by the calculation procedure above is the same as the one defined by equation (7); namely, if we compute a number by the calculation, then should be as in equation (7). On the other hand, for any , decompose as . It can be verified by equation (5) that . So can also be recursively calculated from . Then it is easy to prove the result by induction on and .

For instance, let , then by Theorem 5, which is exactly the number of monomials in Example 2.

4.2 Reduction from the general case

Now we remove the restriction (3) and consider the length of a general -generating sequence of monomials in . Our method is to reduce this general case to the homogeneous case. Specifically, we introduce a new variable (for which the lexicographic order becomes ), and construct for each a monomial such that , where . So and thus the restriction (3) is satisfied by . Furthermore,

Proposition 2.

is a -generating sequence of .

Proof: It suffices to prove that for every . In fact, if it is not the case then should be a multiple of some , where . It implies that is a multiple of , which is contrary to .

Then it immediately follows from the definition of that . Since is arbitrarily chosen, we obtain from Proposition 1. Conversely, we also show that . We consider the sequence of , which is defined as in equation (4). Then . By putting , this sequence becomes another sequence of .

Proposition 3.

is a -generating sequence.

Proof: Observe that for all . Then we only need to prove that for all . We assume that is a multiple of some , where . Let and , then (otherwise would be a multiple of ). We also have ; otherwise, f(j)=f(i) and thus , which is contrary to .

Note that . Then we can find some monomial such that , and is simultaneously a multiple of and a factor of . Put , then and . So is also in the sequence . However, is a multiple of and thus we find contradiction.

follows immediately from this result. Therefore, we obtain the following theorem.

Theorem 6.

.

Example 3.

For , the monomial set of the longest monomial ascending chain is

and .

However, according to Moreno-Socías’s approach [Socías(1992)], the monomial set is

and thus , which is obviously wrong.

More generally, it can be proved that for ,

(8)

Here, is used to define the Ackermann’s function same as in [Socías(1992)]. In fact, the length of the -generating sequence defined by (4) has been correctly computed in [Socías(1992)] by

Note that , then (8) follows immediately from this result and Theorem 6.

5 Termination of multi-path polynomial programs with equality guards

5.1 Multi-path polynomial programs

The polynomial programs considered in this paper are formally defined as follows:

Definition 6 (MPP with Equality Guard [Liu et al.(2014)Liu, Xu, Zhan, and Zhao]).

A multi-path polynomial program with equality guard has the form

(9)

where

  1. denotes the vector of program variables;

  2. is a polynomial and is the equality typed loop guard;

  3. () are vectors of polynomials, describing the transformations on program variables in the loop body;

  4. interprets as a nondeterministic choice between the transformations.

Remark.
  1. The loop guard of MPP (9) can be extended to a more general form . However, it is essential to assume that inequalities will never occur in guards, otherwise the termination problem will become undecidable, even not semi-decidable [Bradley et al.(2005)Bradley, Manna, and Sipma].

  2. The initial value of is not specified here, and assume it is taken from . If the input is subject to semi-algebraic constraints, our decidability result still holds according to [Tarski(1951)].

Example 4.

Consider the following MPP (named as liu1):

(10)

We have , , and .

Example 5.

A nondeterministic quantum program [Li et al.(2014)Li, Yu, and Ying] is of the form:

(11)

where

  1. is a density matrix.

  2. is a two-outcome quantum measurement, where and are complex matrices.

  3. are quantum super-operators, which are linear transformations over .

In this example, , and , where is the trace of a matrix , and is the complex conjugate of the transpose of . Clearly, it is a multi-path linear program over . In [Li et al.(2014)Li, Yu, and Ying], the non-terminating inputs of this program play a key role in deciding the termination of quantum programs.

5.2 Execution of MPPs

Given an input , the behavior of MPP (9) is determined by the choices of nondeterministically, and all the possible executions form a tree.

Definition 7 (Execution Tree [Liu et al.(2014)Liu, Xu, Zhan, and Zhao]).

The execution tree of MPP (9) for an input is defined inductively as follows:

  1. the root is the input value of ;

  2. for any node , it is a leaf node if ; otherwise, has children , , and there is a directed edge from to