Skip to main content
SpringerLink
Log in

Proving mutual termination

  • Published:
Formal Methods in System Design Aims and scope Submit manuscript

Abstract

Two programs are said to be mutually terminating if they terminate on exactly the same inputs. We suggest inference rules and a proof system for proving mutual termination of a given pair of procedures \(\langle \) \(f\), \(f'\) \(\rangle \) and the respective subprograms that they call under a free context. Given a (possibly partial) mapping between the procedures of the two programs, the premise of the rule requires proving that given the same arbitrary input in, f(in) and \(f'(in)\) call procedures mapped in the mapping with the same arguments. A variant of this proof rule with a weaker premise allows to prove termination of one of the programs if the other is known to terminate. In addition, we suggest various techniques for battling the inherent incompleteness of our solution, including a case in which the interface of the two procedures is not identical, and a case in which partial equivalence (the equivalence of their input/output behavior) has only been proven for some, but not all, the outputs of the two given procedures. We present an algorithm for decomposing the verification problem of whole programs to that of proving mutual termination of individual procedures, based on our suggested inference rules. The reported prototype implementation of this algorithm is the first to deal with the mutual termination problem.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12

Similar content being viewed by others

Notes

  1. We use the term ‘procedure’ to refer to the programming language entity typically called a ‘function’, in order to avoid confusion with the mathematical entity ‘function’.

  2. By ‘uninterpreted procedure’ we mean code that mimics the functionality of an uninterpreted function, namely it returns a non-deterministic value, but given the same parameter(s) it returns the same value.

  3. By non-deterministic procedure, we mean a modeling tool for the purpose of verification, i.e., the verification engine checks the verification condition under every possible value in the range defined by the type of the procedure’s return-value.

  4. We follow the convention by which the stack grows downwards. The top frame therefore contains states reachable in the initial call of f.

  5. This definition is generalized naturally to cases in which g has multiple outputs owing to global data and arguments passed by reference.

  6. Callees(f) is defined syntactically, i.e., the procedures that appear in the code of f, regardless of whether they are actually called with any particular input.

  7. In the pseudocode we use the convention by which \(\%\) is the modulo operator, ‘:=’ is an assignment and ‘=’ is equality.

  8. In graph-theoretic terms, the procedures in S constitute a feedback vertex set [10] of both m and \(m'\).

  9. Our tool RVT is capable of proving partial equivalence of procedures with respect to individual outputs.

References

  1. http://ie.technion.ac.il/~ofers/rvt.html

  2. Available from https://github.com/cenan/betik

  3. Barnett M, Chang BYE, DeLine R, Jacobs B, Leino KRM (2005) Boogie: a modular reusable verifier for object-oriented programs. In: de Boer FS, Bonsangue MM, Graf S, de Roever WP (eds) FMCO, lecture notes in computer science, vol 4111. Springer, Berlin, pp 364–387

    Google Scholar 

  4. Bradley AR, Manna Z, Sipma HB (2005) Linear ranking with reachability. In: Etessami K, Rajamani SK (eds) CAV., LNCSSpringer, Berlin, pp 491–504

    Google Scholar 

  5. Clarke E, Kroening D (2003) Hardware verification using ANSI-C programs as a reference. In: Proceedings of ASP-DAC. IEEE Computer Society Press, Los Alamitos, pp 308–311

  6. Cook B, Podelski A, Rybalchenko A (2005) Abstraction refinement for termination. SAS 5:87–101

    MathSciNet  Google Scholar 

  7. Cook B, Podelski A, Rybalchenko A (2011) Proving program termination. Commun ACM 54(5):88–98

    Article  Google Scholar 

  8. Elenbogen D (2014) Proving mutual termination of programs. Master’s thesis, Technion, Israel Institute of Technology, http://www.cs.technion.ac.il/~edima/msc-thesis.pdf

  9. Elenbogen D, Katz S, Strichman O (2013) Proving mutual termination of programs. In: Bertacco V, Legay A (eds) Hardware and software: verification and testing (HVC’12). Springer, Berlin, pp 24–39

    Chapter  Google Scholar 

  10. Even S (1979) Graph algorithms. Computer Science Press, Rockville

    MATH  Google Scholar 

  11. Floyd R (1967) Assigning meanings to programs. Proc Symp Appl Math 19:19–32

    Article  MathSciNet  Google Scholar 

  12. Garner LE (1981) On the Collatz 3n + 1 algorithm. Proc Am Math Soc 82(1):19–22

    MATH  MathSciNet  Google Scholar 

  13. Godlin B (2008) Regression verification: theoretical and implementation aspects. Master’s thesis, Technion, Israel Institute of Technology

  14. Godlin B, Strichman O (2008) Inference rules for proving the equivalence of recursive procedures. Acta Inf 45(6):403–439

    Article  MATH  MathSciNet  Google Scholar 

  15. Godlin B, Strichman O (2013) Regression verification—proving equivalance of similar programs. J Softw Test Verif Reliab 23(3):241–258

    Article  Google Scholar 

  16. Godlin B, Strichman O (2009) Regression verification. In: \(46\)th Design automation conference (DAC)

  17. Hawblitzel C, Kawaguchi M, Lahiri SK, Rebêlo H (2013) Towards modularly comparing programs using automated theorem provers. In: Bonacina MP (ed) CADE, vol 7898., Lecture notes in computer scienceSpringer, Berlin, pp 282–299

    Google Scholar 

  18. Kawaguchi M, Lahiri SK, Rebelo H (2010) Conditional equivalence. Tech Rep MSR-TR-2010-119, Microsoft Research

  19. Loughry J, van Hemert J, Schoofs L (2000) Efficiently enumerating the subsets of a set. Unpublished. Available from http://applied-math.org/subset.pdf

  20. Manna Z, McCarthy J (1969) Properties of programs and partial function logic. Mach Intell 5:27–37

    MATH  Google Scholar 

Download references

Acknowledgments

This material is based on research sponsored by the Air Force Research Laboratory, under agreement number FA8655-11-1-3006. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon.

Author information

Authors and Affiliations

  1. CS, Technion, Haifa, Israel

    Dima Elenbogen & Shmuel Katz

  2. Information Systems Engineering, IE, Technion, Haifa, Israel

    Ofer Strichman

Authors
  1. Dima Elenbogen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Shmuel Katz
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ofer Strichman
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ofer Strichman.

Ethics declarations

Conflicts of interest

The authors declare that they have no conflict of interest.

Appendix: Mutual termination of procedures with infinite-type variables

Appendix: Mutual termination of procedures with infinite-type variables

The question whether call equivalence can be proven even when the variable types are infinite is particularly interesting in cases such as the Collatz problem mention in Example 1, because if the answer is yes, then this stands in stark contrast to the corresponding termination problem (recall that termination of this program is not known). Indeed in this case call equivalence can be verified even when the input a is an unbounded integer. Rather than the model-theoretic solution described so far (which relies on CBMC’s ability to reason about C programs, in which variables are of a finite type), here we take the proof-theoretic approach instead and formulate a verification condition which is valid only if the two procedures are call-equivalent. For this purpose we need to represent the transition relation of the two procedures \(T_{{f}^{UF}}, T_{{f'}^{UF}}\), which is easy to do with the help of static single assignment form:

figure g

It is not hard to see that the following verification condition is valid if \(f,f'\) are call-equivalent, and can be decided with a decision procedure for integer linear arithmetic and uninterpreted functions:

$$\begin{aligned} (T_{{f}^{UF}} \ \wedge \ T_{{f'}^{UF}}\ \wedge \ a_0 = a'_0)\ \rightarrow \big (((a_0 > 1) \leftrightarrow \lnot (a'_0 \le 1))\ \wedge \ ((a_0 > 1) \rightarrow (a_3 = a'_3)) \big )\;. \end{aligned}$$
(25)

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Elenbogen, D., Katz, S. & Strichman, O. Proving mutual termination. Form Methods Syst Des 47, 204–229 (2015). https://doi.org/10.1007/s10703-015-0234-3

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10703-015-0234-3

Keywords

Search

Navigation