Results 1  10
of
54
Transition Invariants
"... Proof rules for program verification rely on auxiliary assertions. We propose a (sound and relatively complete) proof rule whose auxiliary assertions are transition invariants. A transition invariant of a program is a binary relation over program states that contains the transitive closure of the tr ..."
Abstract

Cited by 119 (22 self)
 Add to MetaCart
(Show Context)
Proof rules for program verification rely on auxiliary assertions. We propose a (sound and relatively complete) proof rule whose auxiliary assertions are transition invariants. A transition invariant of a program is a binary relation over program states that contains the transitive closure of the transition relation of the program. A relation is disjunctively wellfounded if it is a finite union of wellfounded relations. We characterize the validity of termination or another liveness property by the existence of a disjunctively wellfounded transition invariant. The main contribution of
Termination of polynomial programs
 In VMCAI’2005: Verification, Model Checking, and Abstract Interpretation, volume 3385 of LNCS
, 2005
"... Abstract. We present a technique to prove termination of multipath polynomial programs, an expressive class of loops that enables practical code abstraction and analysis. The technique is based on finite differences of expressions over transition systems. Although no complete method exists for deter ..."
Abstract

Cited by 66 (4 self)
 Add to MetaCart
(Show Context)
Abstract. We present a technique to prove termination of multipath polynomial programs, an expressive class of loops that enables practical code abstraction and analysis. The technique is based on finite differences of expressions over transition systems. Although no complete method exists for determining termination for this class of loops, we show that our technique is useful in practice. We demonstrate that our prototype implementation for C source code readily scales to large software projects, proving termination for a high percentage of targeted loops. 1 Introduction Guaranteed termination of program loops is necessary for many applications,especially those for which unexpected behavior can be catastrophic. Even for applications that are not considered &quot;safety critical, &quot; applying automatic methodsfor proving loop termination would certainly do no harm. Additionally, proving general temporal properties of infinite state programs requires terminationproofs, for which automatic methods are welcome [4, 7, 10]. We present a method of nonlinear termination analysis for imperative loopswith multiple paths, polynomial guards, and polynomial assignments. The method is nonlinear, first, because the guards and assignments need not be linear and, second, because it can prove the termination of terminating loops that do not have linear ranking functions. The method is sound, but not complete.Indeed, we show that no complete method for this class of programs exists. In practical programs, however, our method proves termination of a high percentageof the targeted loops at low computation cost, and hence is useful.
Abstraction refinement for termination
 In Proceedings of the 12 th International Static Analysis Symposium
"... Abstract. Abstraction can often lead to spurious counterexamples. Counterexampleguided abstraction refinement is a method of strengthening abstractions based on the analysis of these spurious counterexamples. For invariance properties, a counterexample is a finite trace that violates the invariant; ..."
Abstract

Cited by 65 (14 self)
 Add to MetaCart
(Show Context)
Abstract. Abstraction can often lead to spurious counterexamples. Counterexampleguided abstraction refinement is a method of strengthening abstractions based on the analysis of these spurious counterexamples. For invariance properties, a counterexample is a finite trace that violates the invariant; it is spurious if it is possible in the abstraction but not in the original system. When proving termination or other liveness properties of infinitestate systems, a useful notion of spurious counterexamples has remained an open problem. For this reason, no counterexampleguided abstraction refinement algorithm was known for termination. In this paper, we address this problem and present the first known automatic counterexampleguided abstraction refinement algorithm for termination proofs. We exploit recent results on transition invariants and transition predicate abstraction. We identify two reasons for spuriousness: abstractions that are too coarse, and candidate transition invariants that are too strong. Our counterexampleguided abstraction refinement algorithm successively weakens candidate transition invariants and refines the abstraction. 1
Transition predicate abstraction and fair termination
 POPL'05
, 2005
"... ..."
(Show Context)
The polyranking principle
 In ICALP
, 2005
"... Abstract. Although every terminating loop has a ranking function, not every loop has a ranking function of a restricted form, such as a lexicographic tuple of polynomials over program variables. The polyranking principle is proposed as a generalization of polynomial ranking for analyzing termination ..."
Abstract

Cited by 50 (3 self)
 Add to MetaCart
(Show Context)
Abstract. Although every terminating loop has a ranking function, not every loop has a ranking function of a restricted form, such as a lexicographic tuple of polynomials over program variables. The polyranking principle is proposed as a generalization of polynomial ranking for analyzing termination of loops. We define lexicographic polyranking functions in the context of loops with parallel transitions consisting of polynomial assertions, including inequalities, over primed and unprimed variables. Next, we address synthesis of these functions with a complete and automatic method for synthesizing lexicographic linear polyranking functions with supporting linear invariants over linear loops. 1
Combining widening and acceleration in linear relation analysis
 IN SAS
, 2006
"... Linear Relation Analysis [CH78,Hal79] is one of the first, but still one of the most powerful, abstract interpretations working in an infinite lattice. As such, it makes use of a widening operator to enforce the convergence of fixpoint computations. While the approximation due to widening can be ar ..."
Abstract

Cited by 43 (7 self)
 Add to MetaCart
(Show Context)
Linear Relation Analysis [CH78,Hal79] is one of the first, but still one of the most powerful, abstract interpretations working in an infinite lattice. As such, it makes use of a widening operator to enforce the convergence of fixpoint computations. While the approximation due to widening can be arbitrarily refined by delaying the application of widening, the analysis quickly becomes too expensive with the increase of delay. Previous attempts at improving the precision of widening are not completely satisfactory, since none of them is guaranteed to improve the precision of the result, and they can nevertheless increase the cost of the analysis. In this paper, we investigate an improvement of Linear Relation Analysis consisting in computing, when possible, the exact (abstract) effect of a loop. This technique is fully compatible with the use of widening, and whenever it applies, it improves both the precision and the performance of the analysis. Linear Relation Analysis [CH78,Hal79] (LRA) is one of the very first applications
Termination analysis with calling context graphs
 of Lecture Notes in Computer Science
, 2006
"... Abstract. We introduce calling context graphs and various static and theorem proving based analyses that together provide a powerful method for proving termination of programs written in featurerich, first order, functional programming languages. In contrast to previous work, our method is highly a ..."
Abstract

Cited by 30 (7 self)
 Add to MetaCart
(Show Context)
Abstract. We introduce calling context graphs and various static and theorem proving based analyses that together provide a powerful method for proving termination of programs written in featurerich, first order, functional programming languages. In contrast to previous work, our method is highly automated and handles any source of looping behavior in such languages, including recursive definitions, mutual recursion, the use of recursive data structures, etc. We have implemented our method for the ACL2 programming language and evaluated the result using the ACL2 regression suite, which consists of numerous libraries with a total of over 10,000 function definitions. Our method was able to automatically detect termination of over 98 % of these functions. 1
Termination of integer linear programs
 In Proc. CAV’06, LNCS 4144
, 2006
"... Abstract. We show that termination of a simple class of linear loops over the integers is decidable. Namely we show that termination of deterministic linear loops is decidable over the integers in the homogeneous case, and over the rationals in the general case. This is done by analyzing the powers ..."
Abstract

Cited by 30 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We show that termination of a simple class of linear loops over the integers is decidable. Namely we show that termination of deterministic linear loops is decidable over the integers in the homogeneous case, and over the rationals in the general case. This is done by analyzing the powers of a matrix symbolically using its eigenvalues. Our results generalize the work of Tiwari [Tiw04], where similar results were derived for termination over the reals. We also gain some insights into termination of nonhomogeneous integer programs, that are very common in practice. 1
Proving thread termination
 In PLDI
"... Concurrent programs are often designed such that certain functions executing within critical threads must terminate. Examples of such cases can be found in operating systems, web servers, email clients, etc. Unfortunately, no known automatic program termination prover supports a practical method ..."
Abstract

Cited by 22 (3 self)
 Add to MetaCart
Concurrent programs are often designed such that certain functions executing within critical threads must terminate. Examples of such cases can be found in operating systems, web servers, email clients, etc. Unfortunately, no known automatic program termination prover supports a practical method of proving the termination of threads. In this paper we describe such a procedure. The procedure’s scalability is achieved through the use of environment models that abstract away the surrounding threads. The procedure’s accuracy is due to a novel method of incrementally constructing environment abstractions. Our method finds the conditions that a thread requires of its environment in order to establish termination by looking at the conditions necessary to prove that certain paths through the thread represent wellfounded relations if executed in isolation of the other threads. The paper gives a description of experimental results using an implementation of our procedure on Windows device drivers, and a description of a previously unknown bug found with the tool.