Termination of Loop Programs with Polynomial Guards

Termination of Loop Programs with Polynomial Guards Bin Wu1 , Liyong Shen2, , Zhongqin Bi1,3 , and Zhenbing Zeng1 1

Shanghai Key Laboratory of Trustworthy Computing, East China Normal University, Shanghai, 200062, China 2 School of Mathematical Sciences, Graduate University of CAS, Beijing, 100049, China [email protected] 3 College of Computer and Information Engineering Shanghai University of Electric Power, Shanghai 200090, P.R. China

Abstract. Termination analysis of loop programs is very important in many applications, especially in those of safety critical software. In this paper, the termination of programs with polynomial guards and linear assignments is simplified to decide solvability of semi-algebraic systems(SAS). If the number of functions are finite or the functions are integer periodic, then the termination of programs is decidable. The discussion is based on simplifying the linear loops by its Jordan form. And then the process to find the nonterminating points for general polynomial guards is proposed. For avoiding floating point computations in the process, a symbolic algorithm is given to compute the Jordan form of a matrix.

1 Introduction From the very beginnings of formal analysis of software [1] [2], the task of formally verifying the correctness of a program has been decomposed into proving partial correctness and proving termination separately. Termination analysis is one of the building blocks of automated verification. For a generic loop while (conditions) {commands} it is well known that the termination problem is undecidable in all but the most simple cases[3]. In recent years, a lot of efforts on termination analysis have been achieved. The classical method to to analyze termination is based on the synthesis of ranking function. Several methods have been presented in [4,5,6,7,8,9] on the synthesis ranking functions. For instance, A.R. Bradley et al [7] can discover linear ranking functions for any linear loops over integer variables based on building ranking function templates and checking satisfiability of template instantiations that are Presburger formulas. The method is complete but neither efficient nor terminating on some loops. In [9], Y.H. Chen proposed a method of discovering nonlinear ranking functions by solving the

This research was supported in part by NSFC(No. 90718041). Corresponding author.

D. Taniar et al. (Eds.): ICCSA 2010, Part IV, LNCS 6019, pp. 482–496, 2010. c Springer-Verlag Berlin Heidelberg 2010

Termination of Loop Programs with Polynomial Guards

483

semi-algebraic systems. Besides these, some other methods ([10,11,12,13,14,15,16,17]) are available to analyze the termination of loop programs. For instance, [10] analyzed finite difference trees to prove termination of multipath loops with polynomial guards and assignments. In [15], A. Tiwari proves that the termination of a class of singlepath loops with linear guards and assignments is decidable, providing a decision procedure via constructive proofs. M. Braverman[16] generalized the work of A. Tiwari, and showed that termination of a simple of class linear loops over the integer is decidable. However, now of the previewed work deals with termination proving for loop programs with polynomial guards, and linear assignments. And we presented a decidable situation for the functions in the SASs are integer periodic. The symbolic technique is introduced to avoid floating point errors in computation. The rest of this paper is organized as follows. Section 2 we define some basic notions. In Section 3 onwards, we focus on polynomial guards which is convex. Section 4 presents a procedure for deciding termination of loop program with polynomial guards. In Section 5, we show how to compute the transformation matrix symbolically to avoid floating point errors in computation. Finally, conclusions are given in Section 6.

2 Preliminaries We use standard mathematical notation for representing vectors and matrices. Let C, R and Z be the complex number field, real number field and integer number domain, respectively. An (n×n)-matrix with constant entries aij at the (i, j)-position is denoted by A = (aij ) where i, j denote indices ranging over integers. A diagonal matrix A = (aij ) = diag(λ1 , · · · , λn ) has aii = λi and aij = 0 otherwise. In particular, an (n × 1) matrix is called a vector, and is denoted by c, d whenever the components of the vector are known constants; and by x, y whenever the components of the vector are all variables. The transpose of a matrix A = (aij ) is denoted by AT . Note that the transpose of a column vector c is arow vector cT . Using juxtaposition for matrix multiplication, we note that cT d = i ci di denotes the inner product of the vectors c and d. We will also denote matrices by specifying the submatrices inside it. For instance, diag(J1 , · · · , Jn ) would denote a matrix which has submatrices J1 , · · · , Jn on its “diagonal” and 0 elsewhere. If A is a (n×n)-matrix and c is a vector such that Ac = λc, then c is called an eigenvector of A corresponding to the eigenvalue λ. A function f : Rn → R is called a convex function if f (αx + (1 − α)y) ≥ αf (x) + (1 − α)f (y) for any x = (x1 , . . . , xn ), y = (y1 , . . . , yn ) ∈ Rn and 0 ≤ α ≤ 1. A set S is convex if αu + (1 − α)v ∈ S, for any u, v ∈ S. Program executions can be carried through the various changes of configuration allowed by the program’s transition relation. We say a program is terminating if all of its executions are finite. A program is called nonterminating if there exists at least one infinite execution. We consider programs of the following form: P1 : while (f (x) > 0) {x := Ax + c}. where f is a polynomial defined on Rn and c is a nonzero vector. The assignment x := Ax + c is interpreted as being done simultaneously and not in any sequential

484

B. Wu et al.

order. In the following discussion, we often consider its homogenous form F (¯ x) = deg(f ) ¯ = (x1 , . . . , xn , x0 ) = (x, x0 ). Then F (x, 1) = f (x). Acx0 f (x/x0 ) where x cording to the geometry theory, every positive degree homogenous equation F (¯ x) = 0 defines a conical surface in an n + 1 dimensional space with the origin as the apex.

3 Convex Guard In this section, we will focus on polynomial guard which is convex. And the convexity will lead to some propositions for the program analysis. 3.1 Homogeneous Case First let us consider a guard F (x) > 0, where F (x) is a homogenous polynomial in x0 , x1 , · · · , xn . We assume that F is irreducible. Then F (x) = 0 defines an irreducible convex hypersurface. Since it is rigorous for a function to be convex globally, we often consider the function which is convex within a linear constraint L(x) > 0 if needed. For simplicity, we set F (x) is homogenous form firstly. Following these assumptions, a program can be written as Q1 :while (F (x) > 0, L(x) > 0) {x := Ax}, where F (x) is a homogenous polynomial with degree greater than one and L(x) is a linear homogenous polynomial. F (x) and L(x) define a convex set, i.e., F (x) is a convex function on S = {x|F (x) > 0, L(x) > 0}. By the discussion in [15], we can obtain a similar theorem. Theorem 1. If the program Q1 defined by an (n × n)-real matrix A is nonterminating then there exists a real eigenvector v of A, corresponding to a positive real eigenvalue λ such that F (v) ≥ 0 and L(v) ≥ 0. Proof. Suppose the Program Q1 is nonterminating. Define the set N T of all points on which the program does not terminate. N T = {x ∈ Rn |F (x) > 0, L(x) > 0, F (Ax) > 0, L(Ax) > 0, · · · , F (Ai x) > 0, L(Ai x) > 0 · · · }. By assumption, N T = ∅. The set N T is also A-invariant, that is, if v ∈ N T, then Av ∈ N T. Since F (x) > 0 and L(x) > 0 define a convex set and there are convex functions, the set N T is convex. Define T = Rn − N T to be the set of all points where the program terminates. Define the boundary, ∂N T, of N T and T as the set of all v such that (for all ε) there exists a point in the ε-neighborhood of v that belongs to T and another that belongs to N T. Let N T be the completion of N T, that is, N T = N T ∪ ∂N T. Since N T is A-invariant, it means that A maps N T into N T. By continuity we have that A also maps N T into N T . Now, N T is convex, and if we identify points x and y, written as x ∼ y, that are positive scalar multiples of each other (x = λy), then the resulting set (N T / ∼) is closed and bounded. By Brouwers fixed point theorem [18] and noting L is linear, it follows that there is a positive real eigenvector v of A in N T . For all points u ∈ N T , F (u) > 0. By continuity, F (v) ≥ 0 and L(v) ≥ 0.


485

Corollary 1. If there is no real eigenvector v of A such that F (v)L(v) = 0, then the loop Q1 is nonterminating if and only if there exists a real eigenvector v on which the loop is nonterminating. Remark 1. For an eigenvalue λ of a matrix A, it has an eigenvector space V = {kv|Av = λv, k ∈ Z\0}. Then cv = 0, v ∈ V can be positive or negative according to the sign of k, so we should check v and −v following Corollary 1. The example 3 in [15] gave a wrong answer because the author only checked one of v and −v. Example 1. Consider the program: Q1 : while (−x2 − y 2 + z 2 /2 > 0, z > 0) {(x, y, z)T := A · (x, y, z)T }. where the assignment matrix is ⎛

1 1

0

1 2

1 2

⎞

⎜ ⎟ ⎟ A=⎜ ⎝ 1 −1 −1 ⎠ . 1

The matrix A has three real eigenvalues as −1, 1/2 and 1, the corresponding eigenvectors are (1, −2, 1)T , ( 47 , − 72 , 1)T and (1, 0, 1)T . One can check that there does not exist an eigenvector v such that F (v) = 0. Then according to Corollary 1, this program is nonterminating, since the eigenvector ( 47 , − 27 , 1) is a nonterminating vector. 3.2 Nonhomogeneous Case The restriction that F (x) is of homogenous form is sometimes too restrictive. Fortunately, we can homogenize a generic polynomial f (x) by adding a homogenizing varix). Similarly, the linear able x0 . The corresponding homogenous form is denoted by F (¯ function of L(x) is denoted by L(¯ x). Clearly the program P1 is equivalent to the following homogenous form. x) > 0, x0 > 0) {x := Ax + c, x0 := x0 }, P1 :while (F (¯ writing as the uniform form ¯x}, x) > 0, x0 > 0) {¯ x := A¯ P1 :while (F (¯

Ac ¯ = (x, x0 ) and A¯ = . where x 0 1 Lemma 1. f (x) is a convex function on a set S if and only if F (¯ x) is a convex function ¯ where x ¯ = (x, x0 ) and S¯ = (S, x0 ) with x0 > 0. on S, Proof. One can check the lemma by the definition directly.

Proposition 1. The nonhomogeneous Program P1 is nonterminating if and only if the homogenous Program P1 is nonterminating.

486

B. Wu et al.

¯ = (v, 1)T is a nonterminating Proof. Let v be a nonterminating vector of P1, then v ¯ = (v1 , . . . , vn , v0 )T is a nonterminating vector of vector of P1 . For the converse, if v P1 , then v0 > 0. Therefore, (v1 /v0 , . . . , vn /v0 ) is a nonterminating vector of P1. According to this proposition and Lemma 1, it suffices to discuss the homogenous form in the following sections. Theorem 2. Suppose that F (¯ x) is convex on {x|F (x) > 0, x0 > 0}, if the program ¯ corresponding to a ¯ of A, P1 is nonterminating, then there exists a real eigenvector v positive eigenvalue λ such that F (¯ v) ≥ 0 and v0 ≥ 0. ¯ of A such that F (¯ Corollary 2. If there is no real eigenvector v v) = 0 or v0 = 0, then the loop P1 is nonterminating if and only if there exists an eigenvector v on which the loop is nonterminating. Since A¯ is expanded from A, we obtain the following lemma. ¯ then there is only one ¯ = (v1 , . . . , vn , v0 ) be an eigenvector of A, Lemma 2. Let v ¯ eigenvector such that v0 = 0, corresponding to the eigenvalue(λ = 1) of A. Proof. The eigenvalues of A¯ are the roots of the characteristic polynomial C(λ) = det(A¯ − λIn+1 ) = 0. However C(λ) = (λ − 1) det(A − λIn ), that means the eigenvalues of A¯ are formed by the eigenvalues of A and λ = 1. Let v be an eigenvector of A, ¯ Hence, we only need to find the then we can verify that (v, 0)T is a eigenvector of A. eigenvector corresponding to λ = 1. This eigenvector is a solution of the linear system (A − In )v = −cv0 , there always exists a solution which is decided by A and c with v0 = 0. This is the unique eigenvector of A¯ following the lemma. Since x0 > 0 is a guard, according to Lemma 2 and Corollary 2, we only need to check ¯ = (v, 1), with v a solution of (A − In )v = this vector for the guard F (¯ v). Where v −c(setting v0 = 1). ¯ be the unique eigenvector of A¯ mentioned in Lemma 2. Then the Corollary 3. Let v v) > 0. loop P1 is nonterminating if and only if F (¯ Example 2. Consider the program: P1 : while (−x2 − y 2 + 4 > 0) {x := x − y + 1; y := x + y − 1}. Then its homogenous form is P1 : while (−x2 − y 2 + 4z 2 > 0, z > 0) {x := x − y + z; y := x + y − z; z := z}. The guards define a convex cone set and the assignment matrix is ⎛ ⎞ 1 −1 1 A¯ = ⎝ 1 1 −1 ⎠ . 0 0 1 ¯ = (1, 1, 1)T . A¯ only has one real eigenvalue λ = 1 and the corresponding vector is v Since F (¯ v) = 2 > 0, according to Corollary 2, we only need to check whether v is a


487

¯ is fix point of N T , terminating point or not. By the proof of Theorem 1, we find that v then it is a nonterminating point. Therefore, P1 is nonterminating, and as a sequence, P1 is nonterminating with a point (1, 1)T . We can also consider this example on the other hand, the matrix A has no real eigenvalues, according to Corollary 3, we solve (A − In )v = −c, that is

0 −1 −1 v= . 1 0 1 Then v = (1, 1)T is a solution, and we have shown that it is a nonterminating point.

4 Program Simplification According to Section 3, it is shown that Q1 does not terminate if we find an eigenvector v associated to a positive eigenvalue to be a nonterminating vector. However, it is not decided when there exist eigenvectors satisfying F (v) = 0 or L(v) = 0. Furthermore, the guards may not be convex if the guard L(v) is not linear. And we need to give more discussion of the program in this section. Consider the effect of repeated linear assignments (x := Ax), it will be much simpler if A is a diagonal matrix. So we try to diagonalize the assignment matrix A. It is well known that it can be transformed to its Jordan canonical form which is the simplest equivalent form. We recall the proposition which can found in many linear algebra books such as [19]. Proposition 2. For any square matrix A, there is an invertible matrix P, and a matrix D such that D = P −1 AP . Here D = diag(J1 , J2 , · · · , JK ) is the real Jordan form with each block Ji having either of the two forms: ⎛ ⎞ ⎛ ⎞ λi 1 0 . . . 0 Di I 0 . . . 0 ⎜ 0 λi 1 . . . 0 ⎟ ⎜ 0 Di I . . . 0 ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ .. .. .. . . .. ⎟ ⎜ . . . . ⎟ ⎜ . . . . . ⎟ , ⎜ .. .. .. . . . .. ⎟ , (1) ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ ⎜ ⎟ . . . . ⎝0 0 0 . 1⎠ ⎝ 0 0 0 . I ⎠ 0 0 0 . . . λi 0 0 0 . . . Di where λi is a real eigenvalue of A and Di is a real 2×2 matrix as to a pair of conjugate eigenvalues ai ± bi i, i = −1.

ai −bi b i ai

associated

2

For uniformity, we denote the Jordan block only as the second form. Then the first form is the degenerate case that Di and I are both 1 × 1 matrices and we treat it as a real. And the modular |Di | is defined as |λi | and a2i + b2i for the two cases respectively. We now see that symbolically powering the matrix A is an essential step in deciding termination of the loop. If D = P −1 AP then Dn = (P −1 AP )n = P −1 An P . Hence powering the matrix A is simplified as powering the matrix D. Since P is invertible, we can get the following proposition.

488

B. Wu et al.

Proposition 3. Let P be an invertible linear transformation. The program Q1 : while(F (x) > 0, L(x) > 0) {x := Ax}. is terminating if and only if the program Q2 : while(F (P y) > 0, L(P y) > 0) {y := P −1 AP y} is terminating. Suppose the invertible transformation P is given, we then write the program Q2 as Q3 : while(F (y) > 0, L(y) > 0) {y := Dy} Here, we still write F and L for less symbols. According to the structure of D, we partition the variables in y into y1 , . . . , yK and rewrite Q3 as Q3 : while(F (y1 , . . . , yK ) > 0, L(y1 , . . . , yK ) > 0) {y1 := J1 y1 ; . . . ; yK = JK yK }. If F (x) is also linear, the following Lemma 1 in [15], the program can be reduced to considering the Jordan blocks only corresponding to the positive eigenvalues. However, N is posit does not hold when F (x) is nonlinear. For a simple instance, (D1 D22 D34 )

0 1 itive for any number N of iteration, where D1 = 2, D2 = −3 and D3 = −1 0 correspond to positive, negative and complex eigenvalues respectively. For an input v, we now consider loop conditions at the N -th iteration. Assume that yi assigned of vi by A has Ki components, yi0 , yi1 , . . . , yiKi −1 , where each yik is either a 2 × 1 or 1 × 1 matrix depending on the choice of Di . Then the value of yi at the N -th iteration is given by ⎛

N −(Ki −1) ⎞ DiN N DiN −1 N2 N DiN −2 · · · KN Di i −1 N ⎜ N −(Ki −2) ⎟ N −1 N ⎜ 0 ⎟ Di N Di · · · Ki −2 Di ⎜ ⎟ N ⎜ ⎟ vi . (2) . . . . .. yi (N ) = Ji vi = ⎜ . .. .. .. ⎟ . . ⎜ ⎟ N −1 N ⎝ 0 ⎠ 0 ··· Di N Di N 0 0 ··· 0 Di If Di ∈ R, then one can check that lim

N →∞

N −(k−1) N k−1 Di N N −k k Di

= 0.

(3)

ai −bi cos(θi ) − sin(θi ) 2 2 If Di = ai + b i where , we rewrite it as Di = sin(θi ) cos(θi ) b i ai

cos(kθi ) − sin(kθi ) for any k ∈ Z + and θi = arccos( √ a2i 2 ). Then Dik = |Di |k ai +bi sin(kθi ) cos(kθi ) N N −(k−1) | k−1 | Di lim N N −k = 0. (4) N →∞ | k Di |


489

mK Consider one homogenous term of F (y) as y1m1 y2m2 · · · yK where K i=1 mi = m. m Ki −1 iK −1 m m In the expression yimi = yi0 i0 yi1 i1 · · · yiK −1i where j=0 mij = mi and if yik mi

mij

i

mij

is 2 × 1 then yij j = yij 1 yij 2 where mij1 + mij2 = mij . 1 2 By (3), (4) and the equation (2), if yij is 1 × 1 then yimi = (JiN [1] · vi )mi0 (JiN [2] · m vi )mi1 · · · (JiN [Ki ] · vi ) iKi −1 is dominated by miK

yimi = (JiN [1, Ki ] · vi,Ki )mi0 (JiN [2, Ki ] · vi,Ki )mi1 · · · (JiN [Ki , Ki ] · vi,Ki )

i −1

(5) when N is large enough, where JiN [j] is the j-th row vector of JiN , JiN [j, Ki ] is Ki -th element of the vector and vi,Ki is Ki -th element of the vector vi . If yij is 2 × 1, then the dominating term of yimi is miK

yimi = (JiN [1, Ki ]·vi,Ki )mi0 (JiN [2, Ki ]·vi,Ki )mi1 · · · (JiN [Ki , Ki ]·vi,Ki )

i −1

,

where vi,l = (vi,l1 , vi,l2 ). Precisely, (JiN [1, Ki ] · viKi )mi0 can be expanded as

|Di |N −Ki −1 )mi0 ( KN i −1 m ·((vi,Ki 1 cos((N − (Ki − 1))θi ) − vi,Ki 2 sin((N − (Ki − 1))θi )) i01 m ·((vi,Ki 1 cos((N − (Ki − 1))θi ) + vi,Ki 2 sin((N − (Ki − 1))θi )) i02 ,

(6)

and similar to the other terms. mK Therefore, if N is large enough, then the homogenous item y1m1 y2m2 · · · yK of F m1 m2 mK is dominated by the product of their dominating term y1 y2 · · · yK . The value of variables in yi , after the N -th iteration, are given by equation (2). As before, assume that the N -th the loop condition is written as F (y1 , . . . , yK ) > 0. We can express the requirement that the loop condition be true after the N -th iteration as F (y1 (N ), . . . , yK (N )) > 0. Without loss of generality, we assume that 0 ≤ |D1 | ≤ |D2 | ≤ · · · ≤ |DK |. Considering the equation using determined terms, we then can write F as F (S), where N N −(K1 −1) N −(Kk −1) D1 , · · · , (DK )N , · · · , KNk Di } is the set S := {(D1 )N , · · · , K 1 being regarded as main variables. If F is homogenous with degree m, then the homogenous item set spanned by S with degree m is i sm Sm = {S = i |si ∈ S}.

mi =m

Suppose N is large enough, we can sort the elements of Sm by their absolute values, and only one is kept if it has other same absolute value elements. Then we can simplify Sm = {|S1 | > |S2 | · · · > |Sl |}. According to Sm , F can be rearranged by the value order as (7) F (N, v) = f1 (N, v) · |S1 | + · · · + fl (N, v) · |Sl | where v is the initial input y(0), the coefficients of polynomials fi (N, v) are formed by the coefficients of (5) and (6). So N can only be in cos((N − (Ki − 1))θi ) and

490

B. Wu et al.

sin((N − (Ki − 1))θi ) as (6), which always induces a rotated value corresponding to 2 × 2 − Di . Hence, we can write the coefficient function as fi (N, v) = fi (v, cos((N − Ni1 )θi1 ), sin((N − Ni1 )θi1 ), · · · , cos((N − Nik )θik ), sin((N − Nik )θik )),

(8)

where k is the number of the complex eigenvalues. Now, we decide the termination of program Q1. For the loop condition (7), we can consider the coefficients of equation F (S). Intuitively if y(0) is a witness to nontermination, then fi (N, y(0)) > 0 and fj (N, y(0)) = 0 for all 0 ≤ j < i and N > N0 ≥ 0. Then we write the functions in a semi-algebraic system(SAS) as Si = {v|fi (N, v)) > 0, fj (N, v) = 0, 0 ≤ j < i, N > N0 }. That means we need to solve an SAS to decide the termination after the simplification. Since the guard (7) has finite items, it can only induce SASs as Si , i = 1, . . . , l. And we then get the following theorem. Theorem 3. The termination of Q1 : while (F (x) > 0, L(x) > 0) {x := Ax}, is decidable if and only if the SASs Si , i = 1, . . . , l are solvable. Remark 2. Here solvable means that we can decide whether an SAS has real solutions or not. If there exists v0 satisfies a SAS Si for N > N0 , then v0 is a nonterminating point and the program is nonterminating. The solvablity of the SAS depends on the number of its functions. If it only has finite functions then it is solvable. The number of functions can also be infinite with N increasing. However, the situation is easy if the functions in the SAS are integer periodic functions. This situation can happen where the normalized complex eigenvalues are all integer periodic, i.e., θi = pq π, p, q ∈ Z. Since the functions ˜ being the common period, then we only need to in the SAS are periodic, assuming N consider the functions of SAS in a period and it is formed with finite functions ˜ > N > N0 }. Si = {v|fi (N, v)) > 0, fj (N, v) = 0, 0 ≤ j < i, N0 + N And this SAS is solvable. We summarize this situation as a corollary. Corollary 4. If all the normalized complex eigenvalues are integer periodic, then the termination of Q1 : while (F (x) > 0, L(x) > 0) {x := Ax} is decidable. Example 3. Consider the program Q1 : while (−x2 + 10y 2 + z 2 > 0, x > 0) {x := 2y + z; y := −x + z; z := y + z}


The assignment matrix is

491

⎞ 0 21 A = ⎝ −1 0 1 ⎠ . 0 11 ⎛

The set defined by the guards is not convex and the results in Section 3 can not work for this example. We now analysis using the above procedure. The real Jordan form of A is J and the corresponding transformation matrix is P . ⎛ ⎞ ⎛ ⎞ 10 0 11 2 J = ⎝ 0 0 −1 ⎠ , P = ⎝ 0 1 −1 ⎠ . 01 0 10 1 The new program is Q2 : while (F1 := 9x22 +7x23 −2x1 x2 −2x1 x3 −24x2 x3 > 0, F2 := x1 +x2 +2x3 > 0) {x1 := x1 ; x2 := −x3 ; x3 := x2 } The general solution is given by x (N ) = 1N x1 (0) 1

N

x2 (N ) cos( N2π ) − sin( N2π ) 0 −1 x2 (0) x2 (0) N = =1 · x3 (N ) x3 (0) x3 (0) 1 0 sin( N2π ) cos( N2π ) The first loop condition corresponding to the loop condition F1 is 12N · 9x23 + 7x22 + 24x2 x3 + cos( N2π ) · (−2x1 x2 − 2x1 x3 )

+ sin( N2π ) · (2x1 x3 − 2x1 x2 ) + cos( N2π )2 · (2x22 − 2x23 − 48x2 x3 ) > 0 and the second loop condition F2 is x1 +cos( N2π )·(x2 +2x3 )+sin( N2π )·(2x2 −x3 ) > 0. In many cases, one can find that all the items are the dominant items. We now check the conditions for a period N = 4n, 4n + 1, 4n + 2 and 4n + 3, n ∈ Z + . Then the generated constraints of the loop conditions are the following, respectively, Con1 Con2 Con3 Con4

:= {9x22 + 7x23 − 2x1 x2 − 2x1 x3 − 24x2 x3 := {7x22 + 9x23 − 2x1 x2 + 2x1 x3 + 24x2 x3 := {9x22 + 7x23 + 2x1 x2 + 2x1 x3 − 24x2 x3 := {7x22 + 9x23 + 2x1 x2 − 2x1 x3 + 24x2 x3

> 0, x1 + x2 + 2x3 > 0, x1 + 2x2 − x3 > 0, x1 − x2 − 2x3 > 0, x1 − 2x2 − x3

> 0}, > 0}, > 0}, > 0}.

4 Then the nonterminating points is in the set Con := i=1 Coni and Q2 is nonterminating if Con is not empty. In fact, this set is not empty since we can check that (x1 , x2 , x3 ) = (5, 2, 0) is a point of Con and it makes Program Q2 nonterminating, and correspondingly, the point x = − 32 , y = 72 , z = 32 makes Program Q1 nonterminating. If we consider the Jordan blocks only corresponding to the positive eigenvalue, such as Lemma 1 in [15]. From Q2, we get Q3 : while (−4x1 > 0, x1 > 0) {x1 := x1 }.

492

B. Wu et al.

Obviously, the program Q3 is terminating, and correspondingly the program Q1 is terminating. However, the program Q1 is nonterminating. Hence, we need to consider the Jordan blocks corresponding to the positive, negative, and complex eigenvalues respectively. Actually, the above procedure is a generalization of the rusult in [15]. Tiwari gave the subtle discussion for this situation showing that the nonterminating points can only be in the SASs whose functions involve the positive eigenvalues. That means these functions are without N as the variable. Then the SASs are solvable since the number of functions is finite. We write the result of [15] as a corollary. Corollary 5. If the guards of program Q1 : while (F (x) > 0, L(x) > 0) {x := Ax} are linear, then the termination of Q1 is decidable. 4.1 General Polynomial Guard We find that the convexity of F leads to some interesting properties and advantages in Section 3, but it is not necessary for the simplification in this section. On the other hand, the number of guard polynomials dose not change the difficulty of solving the SAS in Section 4 theoretically. Consider the general case: P : while (f1 (x) > 0, . . . , fl (x) > 0) {x := Ax + c}. It has two cases with homogenous form. If c = 0 or some fi (x) is nonhomogeneous, it is equivalent to ¯x}. Q : while (F1 (¯ x) > 0, . . . , Fl (¯ x) > 0, x0 > 0) {¯ x := A¯ If c = 0 and all fi (x) are homogenous, then P can be written as P : while (F1 (x) > 0, . . . , Fl (x) > 0) {x := Ax}. The termination is decidable for the two situations according to Corollary 4 and Corollary 5. The generic case is to consider the program without any assumptions is depended on the solvableness of SASs and there are not obvious results. Recently, Xia and Zhang [20] proposed a conjecture that the decision of P is undecidable using another technique.

5 Computing the Transformation Matrix The termination can be determined following the discussion in Sections 3 and 4. Then the main task is to find the transformation matrix P of A such that P −1 AP = D where D is the real Jordan form. P is formed by eigenvectors and generalized eigenvectors


493

of A and there are several numerical algorithms to compute these eigenvectors. Here we give a sketch of the computation. Let Di be a real eigenvalue Di = λi or a matrix corresponding to a pair of conjugate eigenvalues ai ± bi i, whose associated Jordan block is as the form of (1). We call v a generalized eigenvector of λi with order K if (A − λi I)K v = 0 but (A − λi I)K−1 v = 0. There exists a Ki -th order generalized eigenvector associated to the Jordan block Ji . Let v1 = v; v2 = (A − λi I)v1 ; . . . ; vKi = (A − λi I)vKi −1 , vj ∈ Rn be a chain of the generalized eigenvectors and v1 the Ki -th order generalized eigenvector, then we have A(vKi |vKi−1 | · · · |v2 |v1 ) = (vKi |vKi−1 | · · · |v2 |v1 )Ji , and we denote the matrix (vKi |vKi−1 | · · · |v2 |v1 ) by Pi . It is obvious that vKi is an eigenvector of A.

ai −bi If Di = , similarly, we can get an eigenvectors chain in complex space b i ai v1 = v; v2 = (A − λi I)v1 ; . . . ; vKi = (A − λi I)vKi −1 , vi ∈ C n , λi = ai + bi i. Since vi ∈ C n , we can decompose them as vi = xi + yi i, that is, v1 = x1 + y1 i; v2 = x2 + y2 i; · · · ; vKi = xKi + yKi i. Then we have the following equations, posed in two different ways: Av1 = λi v1 + v2 Ax1 = ai x1 − bi y1 + x2 Ay1 = bi x1 + ai y1 + y2 .. .. . . AvKi = λi vKi

(9)

AxKi = ai xKi − bi yKi AyKi = bi xKi + ai yKi .

Then in matrix we have A(yKi |xKi |yKi−1 |xKi−1 | · · · |y1 |x1 ) = (yKi |xKi |yKi−1 |xKi−1 | · · · |y1 |x1 )Ji , and we still denote (yKi |xKi |yKi−1 |xKi−1 | · · · |y1 |x1 ) by Pi . Hence P −1 AP = D where P = (P1 |P2 | · · · |PK ). The subtle details of the numerical algorithms can be found in Linear Algebra Notes of MP274 Lecture Notes 1991 and the course files on http://www.numbertheory.org/courses/MP274/. Although we can get the Jordan matrix D, the precision of the numerical computation relies on the manufactured presetting. In general cases, it is difficult to preset the precision for an unknown problem.

494

B. Wu et al.

5.1 Computing the Transformation Matrix Symbolically Since it is not safe to compute the transformation matrix numerically, we try to give transformation matrix in a symbolic way. Firstly, to avoid the numerical step in eigenvalues computation, the eigenvectors are solved from linear equations with the algebra conditions of eigenvalues. Secondly, we compute the generalized eigenvectors and construct the chain of generalized eigenvectors which are corresponding to Jordan blocks. For the real eigenvalues λi , the algebra condition equation is the characteristic polynomial C(λ) = 0. For a pair of conjugate eigenvalue a ± bi, b = 0, we have C(a ± bi) = CR(a, b) + CI(a, b)i = 0, then the algebraic condition equations are CR(a, b) = 0, CI(a, b) = 0, b = 0. In the computation, we often factorize C(λ) = C1 (λ) · · · Ck (λ) in rational polynomial space Q[λ] and compute the chain of generalized eigenvectors for each different factor Ci (λ). For the uniformity, we set the eigenvalue to be the form of a ± bi which is real for b = 0 and imaginary for b = 0. Then we need to solve the equations (9) with CR(a, b) = 0, CI(a, b) = 0. If b = 0 then the right-hand side of the equation system (9) defines two same equation systems for x and y. In this case, there are two same chains of generator vectors and we only take one. Alogrithm 1. Computing the transformation matrix symbolically. step1. Compute and factorize the characteristic polynomial C(λ) = C1 (λ) · · · Cl (λ) in rational polynomial space. For each square-free factor of Ck (λ), compute CR(a, b)= 0 and CI(a, b) = 0. step2. Solve the linear systems (9) with a pair of algebraic condition equations CR(a, b) = 0 and CI(a, b) = 0. step2.1 Solve the eigenvector xi and yi , i = 1, . . . , ei from Ax = ax − by, Ay = bx + ay with CR(a, b) = 0 and CI(a, b) = 0. step2.2 If there exist, find the generalized eigenvectors xiji and yiji from Axi+1 = axi+1 −byi+1 +xi , Ayi+1 = bxi+1 +ayi+1 +yi with CR(a, b) = 0 and CI(a, b) = 0. step2.3 Let Piji = (xi1 |yi1 | · · · |xiji |yiji ) and Pk = (P1j1 | · · · |Pei jei ), drop the linear dependent columns from Pk . step3. Output P = (P1 | · · · |Pl ) as the transformation matrix whose entries are symbolic with algebraic conditions. In the algorithm, l is often lesser than the number of Jordan blocks. Because Pk can represent several eigenvectors associated to different roots of algebraic conditions. Example 4. Let A be the follow matrix, ⎛

0 0 0 0 0 −27

⎜ ⎜1 ⎜ ⎜ ⎜0 ⎜ A =⎜ ⎜0 ⎜ ⎜ ⎜0 ⎝

⎞

⎛

18 b

⎟ ⎜ ⎜ −9 b 0 0 0 0 18 ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ −12 b 1000 9 ⎟ ⎟ ⎜ ⎟ . (y11 |x11 ) =⎜ ⎜ 6b 0 1 0 0 −12 ⎟ ⎟ ⎜ ⎟ ⎜ ⎜ 2b 0010 3 ⎟ ⎠ ⎝

00001 2

−b

9

⎞

⎛

−9 a

9 − 9a

1

1

⎞

⎜ ⎟ ⎟ ⎜ −9 + 6 a −15 + 12 a ⎟ 9 ⎟ ⎜ ⎟ ⎟ ⎜ ⎟ ⎟ ⎜ ⎟ −6 ⎟ 6 12 − 4 a ⎜ ⎟ ⎟ ⎟, (x22 |x21 ) =⎜ ⎟. ⎜ −2 a ⎟ −6 ⎟ −2 ⎜ ⎟ ⎟ ⎜ ⎟ ⎟ ⎜ a−2 ⎟ 1 ⎟ a − 1 ⎝ ⎠ ⎠ 1

(10)


495

then its characteristic polynomial is C(λ) = (λ2 − 2λ + 3)(λ2 − 3)2 , the square-free factors are (λ2 −2λ+3) and (λ2 −3). Their algebraic conditions are CRI1 = {(a, b) ∈ R2 |a2 − b2 − 2a + 3 = 0, 2ab − 2b = 0} and CRI2 = {(a, b) ∈ R2 |a2 − b2 − 3 = 0, 2ab = 0}. Using the above algorithm, we compute the corresponding (generalized)eigenvectors (y11 |x11 ) with (a, b) ∈ CRI1 and (x22 |x21 ) with (a, b) ∈ CRI2 in (10). We can find that (x22 |x21 )(a,b)∈CRI2 implies two vector sets since CRI2 has two real solutions √ {a = ± 3, b = 0}. Then the transforation matrix is P = (y11 |x11 |x22 |x21 |x22 |x21 ). Then the Jordan form can be deduced by P −1 AP within the algebraic equations (a1 , b1 ) ∈ CRI1 , and (a2 , b2 ) = (a2 , b2 ) ∈ CRI2 . ⎞ ⎛ 1 −2 b1 −1 0 0 0 0 ⎜ b1 ⎜ ⎜ ⎜0 ⎜ ⎜ P −1 AP = ⎜ 0 ⎜ ⎜ ⎜ ⎜0 ⎝ 0

1

0

0

0

0

0

a2 a2 −3 −a2 +a 2

1

0

0

0

0

a2 a2 −3 −a+a 2

0

0

0

−a2 a2 +3 −a2 +a 2

1

0

−a2 a2 +3 −a2 +a 2

0 0

0 0

0

⎟ ⎟ ⎟ ⎟ ⎟ ⎟ ⎟. ⎟ ⎟ ⎟ ⎟ ⎠

6 Conclusions In this paper, observing only the eigenvectors (and the generalized eigenspace) corresponding to eigenvalues of the assignment matrix, we presented a technique to prove termination of single-path loop programs with polynomial guards and linear assignments. And we presented a decidable situation for the functions in the SASs are integer periodic. The symbolic technique is introduced to avoid floating point errors in computation. For the generic program, we will give further discussion, for instance, by considering the rational dependence of the complex eigenvalues.

References 1. Floyd, R.W.: Assigning meanings to programs. In: Schwartz, J.T. (ed.) Mathematical Aspects of Computer Science. Proceedings of Symposia in Applied Mathematics, vol. 19, pp. 19–32. American Mathematical Socity (1967) 2. Hoare, C.A.R.: An axiomatic basis for computer programming. Communications of ACM 12(10), 576–580 (1969) 3. Turing, A.: On computable numbers, with an application to the entscheidungsproblem. London Mathematical Socity 42(2), 230–265 (1936) 4. Col´on, M., Sipma, H.: Synthesis of linear ranking functions. In: Margaria, T., Yi, W. (eds.) TACAS 2001. LNCS, vol. 2031, pp. 67–81. Springer, Heidelberg (2001) 5. Col´on, M., Sipma, H.: Practical methods for proving program termination. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 442–454. Springer, Heidelberg (2002) 6. Podelski, A., Rybalchenko, A.: A complete method for the synthesis of linear ranking functions. In: Steffen, B., Levi, G. (eds.) VMCAI 2004. LNCS, vol. 2937, pp. 239–251. Springer, Heidelberg (2004)

496

B. Wu et al.

7. Bradley, A.R., Manna, Z., Sipma, H.B.: Termination analysis of integer linear loops. In: Abadi, M., de Alfaro, L. (eds.) CONCUR 2005. LNCS, vol. 3653, pp. 488–502. Springer, Heidelberg (2005) 8. Cousot, P.: Proving program invariance and termination by parametric abstraction, lagrangian relaxation and semidefinite programming. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 1–24. Springer, Heidelberg (2005) 9. Chen, Y., Xia, B., Yang, L., Zhan, N., Zhou, C.: Discovering non-linear ranking functions by solving semi-algebraic systems. In: Jones, C.B., Liu, Z., Woodcock, J. (eds.) ICTAC 2007. LNCS, vol. 4711, pp. 34–49. Springer, Heidelberg (2007) 10. Bradley, A.R., Manna, Z., Sipma, H.B.: Termination of polynomial programs. In: Cousot, R. (ed.) VMCAI 2005. LNCS, vol. 3385, pp. 113–129. Springer, Heidelberg (2005) 11. Babic, D., Hu, A.J., Rakamaric, Z., Cook, B.: Proving termination by divergence. In: SEFM 2007: Software Engineering and Formal Methods, London, England, UK, pp. 93–102. IEEE, Los Alamitos (2007) 12. Leue, S., Wei, W.: A region graph based approach to termination proofs. In: Hermanns, H., Palsberg, J. (eds.) TACAS 2006. LNCS, vol. 3920, pp. 318–333. Springer, Heidelberg (2006) 13. Wu, B., Bi, Z.: Termination of nested loop. In: ISCSCT 2008: International Symposium on Computer Science and Computational Technology, Shanghai, China, vol. 2, pp. 536–539. IEEE, Los Alamitos (2008) 14. Podelski, A., Rybalchenko, A.: Transition invariants. In: LICS 2004: Logic in Computer Science, Turku, Finland, pp. 32–41. IEEE, Los Alamitos (2004) 15. Tiwari, A.: Termination of linear programs. In: Alur, R., Peled, D.A. (eds.) CAV 2004. LNCS, vol. 3114, pp. 70–82. Springer, Heidelberg (2004) 16. Braverman, M.: Termination of integer linear programs. In: Ball, T., Jones, R.B. (eds.) CAV 2006. LNCS, vol. 4144, pp. 372–385. Springer, Heidelberg (2006) 17. Bi, Z., Shan, M., Wu, B.: Non-termination analysis of linear loop programs with conditionals. In: ASEA 2008: Advanced Software Engineering and Its Applications, Hainan Island, China, pp. 159–164. IEEE, Los Alamitos (2008) 18. Smart, D.R.: Fixed Piont Theorems. Cambridge University Press, Cambridge (1980) 19. Hoffman, K., Kunze, R.: Linear algebra, 2nd edn. Prentice-Hall, New Jersey (1971) 20. Xia, B., Zhang, Z.: Termination of linear programs with nonlinear constraints (2009), http://arxiv.org/abs/0904.3588v1