Improving Automatic Complexity Analysis of Integer Programs

Abstract

In [16], we developed an approach for automatic complexity analysis of integer programs, based on an alternating modular inference of upper runtime and size bounds for program parts. In this paper, we show how recent techniques to improve automated termination analysis of integer programs (like the generation of multiphase-linear ranking functions and control-flow refinement) can be integrated into our approach for the inference of runtime bounds. The power of the resulting approach is demonstrated by an extensive experimental evaluation with our new re-implementation of the corresponding tool KoAT.

Funded by Deutsche Forschungsgemeinschaft (DFG, German Research Foundation) - 235950644 (Project GI 274/6-2) and DFG Research Training Group 2236 UnRAVeL.

A Proofs

1.1 A.1 Proof of Lemma 18

We first present lemmas which give an upper and a lower bound for sums of powers. These lemmas will be needed in the proof of Lemma 18.

Lemma 28

(Upper Bound for Sums of Powers). For any \(i\ge 2\) and \(k \ge 1\) we have \(\sum _{j=1}^{k-1} j^{i-2} \le \tfrac{k^{i-1}}{i-1}\).

Proof

We have \(\sum _{j=1}^{k-1} j^{i-2} \; \le \; \sum _{j=1}^{k-1} \int _{j}^{j+1} x^{i-2} \, dx \; \le \; \int _{0}^{k} x^{i-2} \, dx \; = \; \tfrac{k^{i-1}}{i-1}\).    \(\square \)

For the lower bound, we use the summation formula of Euler (see, e.g., [36]).

Lemma 29

(Summation Formula of Euler). We define the periodic function \(H : \mathbb {R}\rightarrow \mathbb {R}\) as \(H(x) = x - \lfloor x \rfloor - \tfrac{1}{2}\) if \(x \in \mathbb {R}\setminus \mathbb {Z}\) and as \(H(x) = 0\) if \(x\in \mathbb {Z}\). Note that H(x) is bounded by \(-\tfrac{1}{2}\) and \(\tfrac{1}{2}\). Then for any continuously differentiable function \(f: [1,n] \rightarrow \mathbb {C}\) with \(n\in \mathbb {N}\), we have \(\sum _{j=1}^{k} f(j) \; = \; \int _{1}^{k} f(x) \, dx + \tfrac{1}{2}\cdot (f(1)+f(k)) + \int _{1}^{k} H(x)\cdot f'(x)\, dx\).

This then leads to the following result.

Lemma 30

(Lower Bound for Sums of Powers). For any \(i\ge 2\) and \(k \ge 1\) we have \(\sum _{j=1}^{k-1} j^{i-1}\ge \tfrac{k^{i}}{i} - k^{i-1}\).

Proof

Consider \(f(x) = x^i\) with the derivative \(f'(x) = i \cdot x^{i-1}\). We get

Since \(\left| H(x)\right| \le \tfrac{1}{2}\), we have \(\left| \int _{1}^{k} H(x) \cdot i \cdot x^{i-1} \, dx\right| \; \le \; \tfrac{1}{2} \cdot \left| \int _{1}^{k} i \cdot x^{i-1} \, dx\right| \; =\; \tfrac{1}{2} \cdot i \cdot \left| \tfrac{k^i}{i} - \tfrac{1}{i}\right| \; = \; \tfrac{k^i - 1}{2}\). Thus, we obtain

$$ - \tfrac{1}{i+1} + \tfrac{1}{2} \cdot (1+k^i) + \tfrac{k^i - 1}{2} \ge R \ge - \tfrac{1}{i+1} + \tfrac{1}{2} \cdot (1+k^i) - \tfrac{k^i - 1}{2} $$

or, equivalently \(- \tfrac{1}{i+1} + k^i \ge R \ge - \tfrac{1}{i+1} +1\). This implies \(k^i> R > 0\). Hence, we get \(\sum _{j=1}^{k} j^i \; = \; \tfrac{k^{i+1}}{i+1} + R \; \ge \; \tfrac{k^{i+1}}{i+1}\) and thus, \(\sum _{j=1}^{k-1} j^i \; = \; \sum _{j=1}^{k} j^i - k^i \; \ge \; \tfrac{k^{i+1}}{i+1} - k^i\). With the index shift \(i\rightarrow i - 1\) we finally obtain the lower bound \(\sum _{j=1}^{k-1} j^{i-1}\ge \tfrac{k^{i}}{i} - k^{i-1}\).    \(\square \)

Proof of Lemma 18. To ease notation, in this proof \(\ell _0\) does not denote the initial location of the program \(\mathcal {T}\), but an arbitrary location from \(\mathcal {L}\). Then we can write \((\ell _0,\sigma _0)\) instead of \((\ell ,\sigma )\), \((\ell _n,\sigma _n)\) instead of \((\ell ',\sigma ')\), and consider an evaluation

$$ (\ell _{0},\sigma _{0}) \, (\rightarrow ^*_{\mathcal {T}'\setminus \mathcal {T}'_{>}} \circ \rightarrow _{\mathcal {T}'_{>}}) \, (\ell _{1},\sigma _{1}) \, (\rightarrow ^*_{\mathcal {T}'\setminus \mathcal {T}'_{>}} \circ \rightarrow _{\mathcal {T}'_{>}}) \, \ldots \, (\rightarrow ^*_{\mathcal {T}'\setminus \mathcal {T}'_{>}} \circ \rightarrow _{\mathcal {T}'_{>}}) \, (\ell _{n},\sigma _{n}). $$

Let \(M = \max \{0,\sigma _0\left( f_1(\ell _0)\right) , \dots , \sigma _0\left( f_d(\ell _0)\right) \}\). We first prove that for all \(1 \le i \le d\) and all \(0 \le k \le n\), we have

$$\begin{aligned} \sigma _k(f_i(\ell _k)) \; \le \; -k \text { if M = 0} \quad \text {and} \quad \sigma _k(f_i(\ell _k)) \; \le \; \gamma _i \cdot M \cdot k^{i-1} - \tfrac{k^i}{i!} \; \text { if M > 0.} \end{aligned}$$

(2)

The proof is done by induction on i. So in the base case, we have \(i = 1\). Since \(\gamma _1 = 1\), we have to show that \(\sigma _k\left( f_1(\ell _k)\right) \le M \cdot k^{0} - \tfrac{k^1}{1!} = M - k\).

For all \(0 \le j \le k-1\), the step from \((\ell _j,\sigma _j)\) to \((\ell _{j+1},\sigma _{j+1})\) corresponds to the evaluation of transitions from \(\mathcal {T}'\setminus \mathcal {T}'_{>}\) followed by a transition from \(\mathcal {T}'_{>}\), i.e., we have \((\ell _j,\sigma _j) \rightarrow ^*_{\mathcal {T}'\setminus \mathcal {T}'_{>}} (\ell '_j,\sigma '_j) \rightarrow _{\mathcal {T}'_{>}} (\ell _{j+1},\sigma _{j+1})\) for some configuration \((\ell '_j,\sigma '_j)\). Since f is an \(\text {M}\varPhi \text {RF}\) and all transitions in \(\mathcal {T}'\setminus \mathcal {T}'_{>}\) are non-increasing, we obtain \(\sigma _j(f_1(\ell _j)) \ge \sigma '_{j}(f_1(\ell '_{j}))\). Moreover, since the transitions in \(\mathcal {T}'_{>}\) are decreasing, we have \(\sigma '_j(f_{0}(\ell '_j)) + \sigma '_j(f_{1}(\ell '_j)) = \sigma '_j(f_{1}(\ell '_j)) \ge \sigma _{j+1}(f_{1}(\ell _{j+1})) + 1\). So together, this implies \(\sigma _j(f_{1}(\ell _j)) \ge \sigma _{j+1}(f_{1}(\ell _{j+1})) + 1\) and thus, \(\sigma _0\left( f_1(\ell _0)\right) \ge \sigma _1\left( f_1(\ell _1)\right) + 1\ge \ldots \ge \sigma _k\left( f_1(\ell _k)\right) + k\) or equivalently, \(\sigma _0\left( f_1(\ell _0)\right) - k\ge \sigma _k\left( f_1(\ell _k)\right) \). Furthermore, we have \(\sigma _0\left( f_1(\ell _0)\right) \le \max \{0,\sigma _0\left( f_1(\ell _0)\right) ,\dots ,\sigma _0\left( f_d(\ell _0)\right) \} = M\). Hence, we obtain \(\sigma _k\left( f_1(\ell _k)\right) \le \sigma _0\left( f_1(\ell _0)\right) - k \le M - k\). So in particular, if \(M = 0\), then we have \(\sigma _k(f_1(\ell _k)) \le -k\).

In the induction step, we assume that for all \(0 \le k \le n\), we have \(\sigma _k(f_{i-1}(\ell _k)) \, \le \, -k\) if \(M = 0\) and \(\sigma _k(f_{i-1}(\ell _k)) \; \le \; \gamma _{i-1} \cdot M \cdot k^{i-2} - \tfrac{k^{i-1}}{(i-1)!}\) if \(M > 0\). To show that the inequations also hold for i, we first transform \(\sigma _k(f_{i}(\ell _k))\) into a telescoping sum.

$$\begin{aligned} \sigma _k\left( f_i(\ell _k)\right) = \sigma _0\left( f_i(\ell _0)\right) + \sum _{j=0}^{k-1} (\sigma _{j+1}\left( f_i(\ell _{j+1})\right) - \sigma _{j}\left( f_i(\ell _{j})\right) ) \end{aligned}$$

For all \(0 \le j \le k-1\), the step from \((\ell _j,\sigma _j)\) to \((\ell _{j+1},\sigma _{j+1})\) again has the form \((\ell _j,\sigma _j) \rightarrow ^*_{\mathcal {T}'\setminus \mathcal {T}'_{>}} (\ell '_j,\sigma '_j) \rightarrow _{\mathcal {T}'_{>}} (\ell _{j+1},\sigma _{j+1})\) for some configuration \((\ell '_j,\sigma '_j)\). Since f is an \(\text {M}\varPhi \text {RF}\) and all transitions in \(\mathcal {T}'\setminus \mathcal {T}'_{>}\) are non-increasing, we obtain \(\sigma _j(f_{i-1}(\ell _j)) \ge \sigma '_{j}(f_{i-1}(\ell '_{j}))\) and \(\sigma _j(f_i(\ell _j)) \ge \sigma '_{j}(f_i(\ell '_{j}))\). Moreover, since the transitions in \(\mathcal {T}'_{>}\) are decreasing, we have \(\sigma '_j(f_{i-1}(\ell '_j)) + \sigma '_j(f_{i}(\ell '_j)) \ge \sigma _{j+1}(f_{i}(\ell _{j+1})) + 1\). So together, this implies \(\sigma _j(f_{i-1}(\ell _j)) + \sigma _j(f_{i}(\ell _j)) \ge \sigma _{j+1}(f_{i}(\ell _{j+1})) + 1\) or equivalently, \(\sigma _{j + 1}\left( f_i (\ell _{j+1})\right) - \sigma _{j}\left( f_i (\ell _j)\right) < \sigma _{j}\left( f_{i-1} (\ell _{j})\right) \). Hence, we obtain

$$\begin{aligned} \sigma _{k}\left( f_i(\ell _{k})\right)&= \sigma _{0}\left( f_i(\ell _{0})\right) + \sum _{j=0}^{k-1} (\sigma _{j+1}\left( f_i(\ell _{j+1})\right) - \sigma _{j}\left( f_i(\ell _{j})\right) ) \\&< \sigma _{0}\left( f_i(\ell _{0})\right) + \sum _{j=0}^{k-1} \sigma _{j}\left( f_{i-1}(\ell _{j})\right) . \end{aligned}$$

If \(M = 0\), then we obviously have \(\sigma _{0}(f_i (\ell _{0})) \le 0\) for all \(1\le i \le d\). For \(k \ge 1\), we obtain

$$\begin{aligned}&\sigma _0\left( f_i(\ell _0)\right) + \sum _{j=0}^{k-1} \sigma _{j}\left( f_{i-1}(\ell _{j})\right) \\ {} \le {}&0 + \sum _{j=0}^{k-1} -j \qquad \qquad \qquad \text {(by the induction hypothesis)} \\ {} \le {}&- k + 1. \end{aligned}$$

Hence, we have \(\sigma _k\left( f_i(\ell _k)\right) < - k + 1\) and thus, \(\sigma _k\left( f_i(\ell _k)\right) \le -k\).

If \(M > 0\), then we obtain

Hence, (2) is proved.

In the case \(M = 0\), (2) implies \(\sigma _n(f_i(\ell _n)) \le -n \le -\beta = -1 < 0\) for all \(1\le i \le d\) which proves the lemma.

Hence, it remains to regard the case \(M > 0\). Now (2) implies

$$\begin{aligned} \sigma _n(f_i(\ell _n)) \; \le \; \gamma _i \cdot M \cdot n^{i-1} - \tfrac{n^i}{i!}. \end{aligned}$$

(3)

We now prove that for \(i > 1\) we always have \(i! \cdot \gamma _i \ge (i-1)! \cdot \gamma _{i-1}\).

$$\begin{aligned}&i! \cdot \gamma _i \\ {} = {}&i! \cdot \left( 2 + \tfrac{\gamma _{i-1}}{i-1} + \tfrac{1}{(i-1)!}\right) \\ {} = {}&i! \cdot 2 + i \cdot (i-2)! \cdot \gamma _{i-1} + i \\ {} \ge {}&(i-1) \cdot (i-2)! \cdot \gamma _{i-1} \\ {} = {}&(i-1)! \cdot \gamma _{i-1}. \end{aligned}$$

Thus,

$$\begin{aligned} d! \cdot \gamma _d \ge i! \cdot \gamma _i \quad \text {for all } 1 \le i \le d. \end{aligned}$$

(4)

Hence, for \(n \ge \beta = 1 + d! \cdot \gamma _d \cdot M\) we obtain:

Finally, to show that \(\beta \in \mathbb {N}\), note that by induction on i, one can easily prove that \((i-1)! \cdot \gamma _i \in \mathbb {N}\) holds for all \(i \ge 1\). Hence, in contrast to \(\gamma _i\), the number \(i! \cdot \gamma _i\) is a natural number for all \(i \in \mathbb {N}\). This implies \(\beta \in \mathbb {N}\).    \(\square \)

1.2 A.2 Proof of Theorem 20

Proof

We prove Theorem 20 by showing that for all \(t\in \mathcal {T}\) and all \(\sigma _0 \in \varSigma \) we have

$$\begin{aligned} \left| \sigma _0\right| \left( {\mathcal {RB}}'(t)\right) \ge \sup \lbrace k \in \mathbb {N}\mid \ell \in \mathcal {L}, \sigma \in \varSigma , (\ell _0, \sigma _0) \, (\rightarrow ^* \circ \rightarrow _{t})^k \, (\ell , \sigma ) \rbrace . \end{aligned}$$

(5)

The case \(t \notin \mathcal {T}'_{>}\) is trivial, since \({\mathcal {RB}}'(t) = {\mathcal {RB}}(t)\) and \({\mathcal {RB}}\) is a runtime bound.

Now we prove (5) for a transition \(t_>\in \mathcal {T}'_{>}\), i.e., we show that for all \(\sigma _0 \in \varSigma \) we have

$$ \begin{array}{r@{\;\;}c@{\;\;}l} \left| \sigma _0\right| \left( {\mathcal {RB}}'(t_>)\right) &{} = &{} \sum _{\ell \in \mathcal {E}_{\mathcal {T}'}} \sum _{t \in \mathcal {T}_\ell } \left| \sigma _0\right| \left( {\mathcal {RB}}(t)\right) \cdot \left| \sigma _0\right| \left( {\mathcal {SB}}(t, \cdot )(\beta _{\ell })\right) \\ &{} \ge &{} \sup \lbrace k \in \mathbb {N}\mid \ell \in \mathcal {L}, \sigma \in \varSigma , (\ell _0, \sigma _0) \, (\rightarrow ^* \circ \rightarrow _{t_>})^k \, (\ell , \sigma ) \rbrace . \end{array} $$

So let \((\ell _0, \sigma _0) \, (\rightarrow ^* \circ \rightarrow _{t_>})^k \, (\ell , \sigma )\) and we have to show \(\left| \sigma _0\right| \left( {\mathcal {RB}}'(t_>)\right) \ge k\). If \(k = 0\), then we clearly have \(\left| \sigma _0\right| \left( {\mathcal {RB}}'\left( t_{>}\right) \right) \ge 0 = k\). Hence, we consider \(k > 0\). We represent the evaluation as follows:

$$ \begin{array}{l@{\quad }c@{\quad }l@{\quad }c} (\ell _0, \sigma _0) &{} \rightarrow ^{\tilde{k}_0}_{\mathcal {T}\setminus \mathcal {T}'} &{} ({\tilde{\ell }}_1, {\tilde{\sigma }}_1) &{} \rightarrow ^{k_1'}_{\mathcal {T}'} \\ (\ell _1, \sigma _1) &{} \rightarrow ^{\tilde{k}_1}_{\mathcal {T}\setminus \mathcal {T}'} &{} ({\tilde{\ell }}_2, {\tilde{\sigma }}_2) &{} \rightarrow ^{k_2'}_{\mathcal {T}'} \\ &{} &{} \ldots \\ (\ell _{m-1}, \sigma _{m-1}) &{} \rightarrow ^{\tilde{k}_{m-1}}_{\mathcal {T}\setminus \mathcal {T}'} &{} ({\tilde{\ell }}_m, {\tilde{\sigma }}_m) &{} \rightarrow ^{k_m'}_{\mathcal {T}'} \\ (\ell _m, \sigma _m) \end{array} $$

So for the evaluation from \((\ell _i, \sigma _i)\) to \(({\tilde{\ell }}_{i+1}, {\tilde{\sigma }}_{i+1})\) we only use transitions from \(\mathcal {T}\setminus \mathcal {T}'\), and for the evaluation from \(({\tilde{\ell }}_i, {\tilde{\sigma }}_i)\) to \((\ell _i, \sigma _i)\) we only use transitions from \(\mathcal {T}'\). Thus, \(t_>\) can only occur in the following finite sequences of evaluation steps:

$$\begin{aligned} ({\tilde{\ell }}_i, {\tilde{\sigma }}_i) \rightarrow _{\mathcal {T}'} ({\tilde{\ell }}_{i,1}, {\tilde{\sigma }}_{i,1}) \rightarrow _{\mathcal {T}'} \dots \rightarrow _{\mathcal {T}'} ({\tilde{\ell }}_{i,k_i'-1}, {\tilde{\sigma }}_{i,k_i'-1}) \rightarrow _{\mathcal {T}'} (\ell _i, \sigma _i). \end{aligned}$$

(6)

For every \(1 \le i \le m\), let \(k_i \le k_i'\) be the number of times that \(t_>\) is used in the evaluation (6). Clearly, we have

$$\begin{aligned} \sum _{i=1}^{m} k_i = k. \end{aligned}$$

(7)

By Lemma 18, all functions \(f_1,\dots ,f_d\) are negative after executing \(t_>\) at least \(1 + d! \cdot \gamma _d \cdot \max \{0, {\tilde{\sigma }}_i(f_1({\tilde{\ell }}_i)),\dots , {\tilde{\sigma }}_i(f_d({\tilde{\ell }}_i))\}\) times in an evaluation with \(\mathcal {T}'\). If all the \(f_i\) are negative, then \(t_>\) cannot be executed anymore as f is an \(\text {M}\varPhi \text {RF}\) for \(\mathcal {T}'_{>}\) with \(t_> \in \mathcal {T}'_{>}\) and \(\mathcal {T}'\). Thus, for all \(1 \le i \le m\) we have

$$\begin{aligned} 1 + d! \cdot \gamma _d\cdot \max \left\{ 0,{\tilde{\sigma }}_i\left( f_1({\tilde{\ell }}_i)\right) ,\dots ,{\tilde{\sigma }}_i\left( f_d({\tilde{\ell }}_i)\right) \right\} \ge k_i. \end{aligned}$$

(8)

Let \(t_i\) be the entry transition reaching \(({\tilde{\ell }}_i, {\tilde{\sigma }}_i)\), i.e., \({\tilde{\ell }}_i \in \mathcal {E}_{\mathcal {T}'}\) and \(t_i \in \mathcal {T}_{{\tilde{\ell }}_i}\). As \((\ell _0, \sigma _0) \rightarrow ^*_\mathcal {T}\circ \rightarrow _{t_i} ({\tilde{\ell }}_i, {\tilde{\sigma }}_i)\), by Definition 12 we have \(\left| \sigma _0\right| \left( {\mathcal {SB}}(t_i, v)\right) \ge |{\tilde{\sigma }}_i(v)|\) for all \(v \in \mathcal {PV}\) and thus,

In the last part of this proof we need to analyze how often such evaluations \(({\tilde{\ell }}_i, {\tilde{\sigma }}_i) \rightarrow ^*_{\mathcal {T}'} (\ell _i, \sigma _i)\) can occur. Again, let \(t_i\) be the entry transition reaching \(({\tilde{\ell }}_i, {\tilde{\sigma }}_i)\). Every entry transition \(t_i\) can occur at most \(\left| \sigma _0\right| \left( {\mathcal {RB}}(t_i)\right) \) times in the complete evaluation, as \({\mathcal {RB}}\) is a runtime bound. Thus, we have

   \(\square \)

1.3 A.3 Proof of Theorem 24

Let \(\mathcal {P}' = (\mathcal {PV},\mathcal {L}',\ell _0,\mathcal {T}')\). First note that for every evaluation \((\ell _0,\sigma _0) \rightarrow ^{k}_{\mathcal {T}'} (\ell ',\sigma )\) there is obviously also a corresponding evaluation \((\ell _0,\sigma _0) \rightarrow ^{k}_{\mathcal {T}} (\ell ,\sigma )\). To obtain the evaluation with \(\mathcal {T}\) one simply has to remove the labels from the locations. Then the claim follows because the guards of the transitions in \(\mathcal {T}'\) always imply the guards of the respective original transitions in \(\mathcal {T}\) and the updates of the transitions have not been modified in the transformation from \(\mathcal {T}\) to \(\mathcal {T}'\).

For the other direction, we show by induction on \(k \in \mathbb {N}\) that for every evaluation \((\ell _0,\sigma _0) \rightarrow ^{k}_{\mathcal {T}} (\ell ,\sigma )\) there is a corresponding evaluation \((\ell _0,\sigma _0) \rightarrow ^{k}_{\mathcal {T}'} (\ell ',\sigma )\) where either \(\ell ' = \ell \) or \(\ell ' = \langle \ell , \varphi \rangle \) for some constraint \(\varphi \) with \(\sigma (\varphi ) = \texttt {true}\).

In the induction base, we have \(k = 0\) and the claim is trivial. In the induction step \(k > 0\) the evaluation has the form

$$ (\ell _0,\sigma _0)\rightarrow _{t_1}(\ell _1,\sigma _1)\rightarrow _{t_2} \cdots \rightarrow _{t_{k-1}}(\ell _{k-1},\sigma _{k-1}) \rightarrow _{t_k}(\ell _{k},\sigma _{k}) $$

with \(t_1, \ldots , t_k \in \mathcal {T}\). By the induction hypothesis, there is a corresponding evaluation

$$ (\ell _0,\sigma _0)\rightarrow _{t_1'}(\ell _1',\sigma _1) \rightarrow _{t_2'} \cdots \rightarrow _{t_{k-1}'}(\ell _{k-1}',\sigma _{k-1}) $$

with \(t_1', \ldots , t_k' \in \mathcal {T}'\) where \(\ell _{k-1}' = \ell _{k-1}\) or \(\ell _{k-1}' = \langle \ell _{k-1}, \varphi \rangle \) for some constraint \(\varphi \) with \(\sigma _{k-1}(\varphi ) = \texttt {true}\). We distinguish two cases:

• Case 1: \(t_{k}\not \in \mathcal {T}_ SCC \). If \(\ell _{k-1}' = \ell _{k-1}\) and \(\ell _k \notin \mathcal {E}_{\mathcal {T}_{ SCC }}\), then \(t_k\) has not been modified in the transformation from \(\mathcal {P}\) to \(\mathcal {P}'\). Thus, we have the evaluation \((\ell _0,\sigma _0)\rightarrow _{t_1'}(\ell _1',\sigma _1) \rightarrow _{t_2'} \cdots \rightarrow _{t_{k-1}'}(\ell _{k-1}',\sigma _{k-1}) = (\ell _{k-1},\sigma _{k-1}) \rightarrow _{t_k} (\ell _{k},\sigma _{k})\) with \(t_k \in \mathcal {T}'\). If \(\ell _{k-1}' = \ell _{k-1}\) and \(\ell _k \in \mathcal {E}_{\mathcal {T}_{ SCC }}\), then for \(t_k = (\ell _{k-1},\tau ,\eta ,\ell _{k})\), we set \(\ell _k' = \langle \ell _k, \texttt {true}\rangle \) and obtain that \(t_k' = (\ell _{k-1},\tau ,\eta ,\ell _{k}') \in \mathcal {T}'\). So we get the evaluation \((\ell _0,\sigma _0)\rightarrow _{t_1'}(\ell _1',\sigma _1) \rightarrow _{t_2'} \cdots \rightarrow _{t_{k-1}'}(\ell _{k-1}',\sigma _{k-1}) = (\ell _{k-1},\sigma _{k-1}) \rightarrow _{t_k'} (\ell _{k}',\sigma _{k})\). Finally, we regard the case \(\ell _{k-1}' = \langle \ell _{k-1}, \varphi \rangle \) where \(\sigma _{k-1}(\varphi ) = \texttt {true}\). As \(t_k = (\ell _{k-1},\tau ,\eta ,\ell _{k})\in \mathcal {T}\setminus \mathcal {T}_{ SCC }\), and \(\mathcal {T}_{ SCC }\) is an SCC, there is a \(t_k' = (\langle \ell _{k-1}, \varphi \rangle , \varphi \wedge \tau , \eta , \ell _{k}) \in \mathcal {T}'\). Then \((\ell _0,\sigma _0)\rightarrow _{t_1'}(\ell _1',\sigma _1) \rightarrow _{t_2'} \cdots \rightarrow _{t_{k-1}'} (\ell _{k-1}',\sigma _{k-1}) = (\langle \ell _{k-1}, \varphi \rangle ,\sigma _{k-1}) \rightarrow _{t_{k}'}(\ell _{k},\sigma _{k})\) is an evaluation with \(\mathcal {T}'\). The evaluation step with \(t_k'\) is possible, since \(\sigma _{k-1}(\varphi ) = \texttt {true}\) and \(\sigma _{k-1}(\tau ) = \texttt {true}\) (due to the evaluation step \((\ell _{k-1},\sigma _{k-1}) \rightarrow _{t_k} (\ell _{k},\sigma _{k})\)). Note that the step with \(t_k'\) also results in the state \(\sigma _{k}\), because both \(t_k\) and \(t_k'\) have the same update \(\eta \).

• Case 2: \(t_{k}\in \mathcal {T}_ SCC \). Here, \(\ell _{k-1}'\) has the form \(\langle \ell _{k-1}, \varphi \rangle \) where \(\sigma _{k-1}(\varphi ) = \texttt {true}\). As \(\ell _k\) is part of the SCC and hence has an incoming transition from \(\mathcal {T}_ SCC \), at some point it is refined by Algorithm 2. Thus, for \(t_k = (\ell _{k-1}, \tau ,\eta , \ell _{k})\), there is some \(t_{k}' = \left( \langle \ell _{k-1}, \varphi \rangle ,\varphi \wedge \tau ,\eta , \left\langle \ell _{k},\alpha _{\ell _{k}}(\varphi _{ new })\right\rangle \right) \in \mathcal {T}'\) where \(\alpha _{\ell _{k}}(\varphi _{ new })\) is constructed as in Line 8. This leads to the corresponding evaluation \((\ell _0,\sigma _0)\rightarrow _{t_1'}(\ell _1',\sigma _1) \rightarrow _{t_2'} \cdots \rightarrow _{t_{k-1}'}(\langle \ell _{k-1}, \varphi \rangle ,\sigma _{k-1})\rightarrow _{t_{k}'}(\langle \ell _{k}, \alpha _{\ell _{k}}(\varphi _{ new })\rangle ,\sigma _{k})\). Again, the evaluation step with \(t_k'\) is possible, since \(\sigma _{k-1}(\varphi ) = \texttt {true}\) and \(\sigma _{k-1}(\tau ) = \texttt {true}\) (due to the evaluation step \((\ell _{k-1},\sigma _{k-1}) \rightarrow _{t_k} (\ell _{k},\sigma _{k})\)). And again, the step with \(t_k'\) also results in the state \(\sigma _{k}\), because both \(t_k\) and \(t_k'\) have the same update \(\eta \). Finally, note that we have \(\sigma _k(\alpha _{\ell _{k}}(\varphi _{ new })) = \texttt {true}\). The reason is that \(\models (\varphi \wedge \tau ) \rightarrow \eta (\varphi _{ new })\) and \(\sigma _{k-1}(\varphi \wedge \tau )= \texttt {true}\) implies \(\sigma _{k-1}(\eta (\varphi _{ new })) = \texttt {true}\). Hence, we also have \(\sigma _{k}(\varphi _{ new }) = \sigma _{k-1}(\eta (\varphi _{ new })) = \texttt {true}\). Therefore, \(\models \varphi _{ new } \rightarrow \alpha _{\ell _{k}}(\varphi _{ new })\) implies \(\sigma _{k}(\alpha _{\ell _{k}}(\varphi _{ new }))= \texttt {true}\).    \(\square \)

1.4 A.4 Proof of Theorem 25

Let \(\mathcal {P}' = (\mathcal {PV},\mathcal {L}',\ell _0,\mathcal {T}')\) result from \(\mathcal {P}\) by Algorithm 3. As in the proof of Theorem 24, for every evaluation \((\ell _0,\sigma _0) \rightarrow ^{k}_{\mathcal {T}'} (\ell ',\sigma )\) there is also a corresponding evaluation \((\ell _0,\sigma _0) \rightarrow ^{k}_{\mathcal {T}} (\ell ,\sigma )\), which is obtained by removing the labels from the locations.

For the other direction, we show that for each evaluation \((\ell _0,\sigma _0)\rightarrow _{t_1}(\ell _1,\sigma _1)\rightarrow _{t_2} \cdots \rightarrow _{t_k}(\ell _k,\sigma _k)\) with \(t_1,\ldots , t_k \in \mathcal {T}\) there is a corresponding evaluation \((\ell _0,\sigma _0)\rightarrow _{\mathcal {T}'}^k (\ell _k',\sigma _k)\) in \(\mathcal {P}'\). To obtain this evaluation, we handle all evaluation fragments separately which use programs \(\mathcal {Q}\) from \(\mathcal {S}\). This is possible, since different programs in \(\mathcal {S}\) do not share locations, i.e., entry and outgoing transitions of \(\mathcal {Q}\) cannot be part of another \(\mathcal {Q}'\) from \(\mathcal {S}\). Such an evaluation fragment has the form

$$\begin{aligned} (\ell _i,\sigma _i)\rightarrow _{t_{i+1}}(\ell _{i+1},\sigma _{i+1}) \rightarrow _{t_{i+2}} \cdots \rightarrow _{t_{n-1}}(\ell _{n-1},\sigma _{n-1}) \rightarrow _{t_n}(\ell _n,\sigma _n) \end{aligned}$$

(9)

where \(t_{i+1}\) is an entry transition to \(\mathcal {Q}\), \(t_n\) is an outgoing transition from \(\mathcal {Q}\), and the transitions \(t_{i+2}, \ldots , t_{n-1}\) belong to \(\mathcal {Q}\). By Theorem 24 it follows that there is a corresponding evaluation using the transitions \(t_{i+2}', \ldots , t_{n-1}'\) from the refined version of \(\mathcal {Q}\), such that with the new redirected entry transition \(t_{i+1}'\) and the new redirected outgoing transition \(t_n'\) we have

$$\begin{aligned} (\ell _i,\sigma _i)\rightarrow _{t_{i+1}'}(\ell _{i+1}',\sigma _{i+1}) \rightarrow _{t_{i+2}'} \cdots \rightarrow _{t_{n - 1}'}(\ell _{n - 1}',\sigma _{n - 1}) \rightarrow _{t_{n}'}(\ell _n,\sigma _n) \end{aligned}$$

(10)

Thus, by substituting each evaluation fragment (9) in an evaluation of \(\mathcal {P}\) by its refinement (10), we get a corresponding evaluation in \(\mathcal {P}'\).

   \(\square \)