Journal of Network and Computer Applications 59 (2016) 109–116

Termination analysis with recursive calling graphs

Teng Long a,b,*, Wenhui Zhang b

a School of Information Engineering, China University of Geosciences (Beijing), 29#, Xueyuan Road, Haidian District, Beijing, PR China
b State Key Laboratory of , Institute of Software, Chinese Academy of Sciences, 4#, South Fourth Street of Zhongguancun, Haidian District, Beijing, PR China

Available online 16 July 2015

Keywords: Termination analysis; Green software programs; Size-change termination principle

Abstract

As one of the significant aspects for green software systems, termination analysis is related to the optimization of the resource utilization. The approach for size-change termination principle was first proposed by Lee, Jones and Ben-Amram in 2001, which is an effective method for automatic termination analysis. According to its abstracted constructs (size-change graphs), the principle ignores the condition and return values for function call. In this paper, we devise a new construct including the ignoring features to extend the set of programs that are size-change terminating in real life. The main contribution of our paper is twofold: firstly, it supports the analysis of functions in which the returned values are relevant to termination. Secondly, it gains more accuracy for oscillating value change in termination analysis.

© 2015 Elsevier Ltd. All rights reserved.

1. Introduction

With the development of information and communication technologies, it gives rise to the increasing popularity of electronic devices, raising serious environment concerns for the society. Trying to address these issues, there is a critical need to consider greenness in the whole life cycle of software systems.

A guarantee of right behaviors of software systems is significant, which can lighten greatly network loads and avoid wasting resources. Termination property is one of the properties that describe the right behaviors of the software system. Moreover, the termination analysis (Kuwahara et al., 2014; Heizmann et al., 2010; Codish et al., 2010, 2012; Farzan et al., 2015) is a much-studied topic. In real-life software systems, methods to derive termination properties from recursive and mutually recursive functions are useful in program analysis.

The size-change termination (SCT) principle which was presented in Lee et al. (2001) is simple but surprisingly rich enough to capture the progress of many real-life programs. Size-change graphs (SCG) are essential auxiliary constructs to support SCT. More importantly, the relations between input and output variables of a function call are restricted to the forms as $x > y'$ or $x \geq y'$.¹ It operates over the variables whose "size" is well-founded based on the function call's structure in the program. Once a combination of the relations has been found, termination follows if one variable at least is guaranteed to decrease. The termination analysis is unrelated to the order of the variables which is decided in SCT. Therefore, it is one of the approaches which are successfully applied in a large class of programs for termination analysis. There are some attempts (Ben-Amram and Genaim, 2014, 2013; Ben-Amram, 2009; Cook et al., 2013) to relax the well-founded restriction. However, the downside is that the SCG can only express the transitions involving decreases in well-founded partial orders. In fact, there are still many situations with oscillating value change, in which the traditional SCT approach is not applicable.

We present a technique for deriving program termination properties from size-change information, by constructing a recursive callings graph (RCG, defined in Section 3) and a set of extended size-change graphs (ESCGs, defined in Section 3) for the program. The former one describes the relation to function and function return based on locations in the program. The latter ones approximate the oscillating size change at each location in the program. The strong connected components in the RCG are an approximation of all sequences of function calls that could be idempotent.² Our paper presents an important technique which could help streamline the application of the green software programs. The main contribution of our paper with recursive calling graphs is twofold: Firstly, it supports the analysis that can handle recursive and mutually recursive functions in which return values are relevant to termination. Secondly, the approach extends the set of programs that are size-change terminating.

The paper is organized as follows: in Section 2, we introduce the syntax of the language used in this paper and the definitions that are related to size-change termination principle. We propose the definitions of auxiliary constructs and do termination analysis in Section 3. Section 3 outlines how to record the returned values, and how to do a more precise analysis. An algorithm is proposed in Section 4. Section 5 illustrates the application of the approach on an example with self-recursive function callings. Related work is discussed in Section 6. We end with concluding remarks in Section 7.

* Corresponding author.
¹ The names for input and output variables could be different.
² Idempotent graphs describe the self-recursive function calls.
http://dx.doi.org/10.1016/j.jnca.2015.06.019

2. Preliminaries

In this section, we will list the syntax of the language used in this paper and the definitions in size-change termination principle in Lee et al. (2001).

2.1. Language

The language used in this paper is a simple first-order call-by-value functional language, defined in Table 1. A variable can represent any expression. Similarly, a constant can represent any expression. An expression can be a conditional choice based on the equational theory (if..then..else). Functions are used to represent definitions about these variables. So do the expressions.

Table 1. The language syntax.

    x  ∈ Var    (Variables)
    op ∈ Prim   (Primitive operators)
    f  ∈ FName  (Function names)
    c  ∈ Const  (Constants)
    e  ∈ Exp    (Expressions)
    e ::= if e0 then e1 else e2 | x | c | e1 op e2 | f(e1, …, en)
    d  ∈ Def    (Definitions)
    d ::= f(x1, …, xn) = e

2.2. Size-change termination principle

Definition 1 (Size-change graph (SCG)). Suppose functions f and g are defined in program P. A size-change graph $G : f \to g$ for P is a set of labeled arcs $x \xrightarrow{>} y$ or $x \xrightarrow{\geq} y$ where $x \in Variables(f)$, $y \in Variables(g)$.

Functions f and g (the caller and callee) are respectively called the source and the target of G. G is an abstraction of a call transition from f to g. The arcs in the graph are as abstract transitions.

Definition 2 (Closure). The closure of a set of size-change graphs $\mathcal{G}$ is the smallest set $cl(\mathcal{G})$ such that

- $\mathcal{G} \subseteq cl(\mathcal{G})$
- If $G_1 : f \to f'$ and $G_2 : f' \to f''$ are in $cl(\mathcal{G})$, then $G_1; G_2 \in cl(\mathcal{G})$. $G_1; G_2 : f \to f''$ with arc set E defined below:

$$E = \{x \xrightarrow{>} z \mid \exists y, w:\ x \xrightarrow{>} y \xrightarrow{w'} z \text{ or } x \xrightarrow{w} y \xrightarrow{>} z,\ w \in \{>, \geq\}\} \cup \{x \xrightarrow{\geq} z \mid \exists y:\ x \xrightarrow{\geq} y \xrightarrow{\geq} z\}$$

where $x \xrightarrow{w} y$ and $y \xrightarrow{w'} z$ are respectively arcs of $G_1$ and $G_2$.

Size-change graph G is idempotent if $G; G = G$. A self-recursive function call can be expressed by an idempotent size-change graph.

Theorem 1 (Size-change termination principle). Program P is SCT terminating iff every idempotent G in $cl(\mathcal{G})$ has an arc $z \xrightarrow{>} z$.

The SCT is described in Lee et al. (2001) as follows: A program terminates on all inputs if every infinite call sequence (following program control flow) would cause an infinite descent in some data values.

A closure set of size-change graphs (sets of abstract transitions) is used to express the set of all the possible call sequences. All of the idempotent ones in closure set stand for the infinite call sequences. If a descent arc ">" can be found, it satisfies the "infinite descent" in the principle.

3. Termination analysis

The termination analysis for programs with nested self-recursive functions over integer domain is complex, because of the complicated "size change" situation. The possible cases are as follows:

1. The value of variables in the program declines all the time.
2. The value of variables in the program increases in each function call.
3. The value of variables in the program is oscillating, such as in the McCarthy's 91 function.

There are only two arc forms in size-change graphs, such as $x > y'$ or $x \geq y'$, therefore, it can deal with the first case. In our work, additional variables and a new auxiliary construct are used to address the latter two cases.

3.1. Additional variables

In this work, additional variables consist of counter variables and returned variables. The former one is used to record the number of times for some function call/return, while the latter one is used to record the returned value.

The returned values are always ignored in available approaches, so functions in which the returned values are relevant to termination cannot be analyzed correctly. Adding extra variables in the program is the first step to extend the range of programs for termination analysis.

A set of additional variables $V_{add}$ consists of a set of returned variables and a set of counter variables. After augmenting the program with additional variables, the set of variables $V$ in the program will be augmented as $V \cup V_{add}$.

3.2. Definitions of auxiliary constructs

We construct the recursive calling graph (RCG) to describe the control flow for the augmented program which can express not only the function calls but the function returns. The transitions in a RCG are described as ESCGs which are extended by transforming the arc types from $x > y'$ or $x \geq y'$ to $x \xrightarrow{\delta} y'$ where $\delta \in \mathbb{Z}$ is the changed value in the transition.

The changes of values in ESCGs have to be satisfied in size reducing. In other words, the corresponding code cannot be revisited, and the recursive calling graph cannot result in any program infinite cycle.

3.2.1. Extended size-change graph

Definition 3 (Extended size-change graph (ESCG)). Suppose functions f and g are defined in program P. Location a is the place where the value of variables function g changed in program P. An extended size-change graph $B_a : f \to g$ for P is a set of labeled arcs $x \xrightarrow{\delta} y$ where $x \in Variables(f)$, $y \in Variables(g)$; $\delta \in \mathbb{Z}$ is the changed value for function calls.

Suppose functions f, g are defined in the program. An ESCG $B_a \in \mathcal{B}$, $B_a : f \to g$ for the program is a set of labeled arcs $x \xrightarrow{\delta} y$ where $\delta \in \mathbb{Z}$; $x \in Variables(f)$; $y \in Variables(g)$. Functions f and g are respectively called the source and the target of B ($source(B) = f$, $target(B) = g$).

Definition 4 (E-Multipath). An e-multipath M is a transition sequence $B_1, B_2, B_3, \dots$ such that $target(B_i) = source(B_{i+1})$ for $i = 1, 2, \dots$. An e-thread is a connected path of arcs in M that starts from some $B_t$, $t \geq 1$: $th = z_{i_t} \xrightarrow{\delta_t} z_{i_{t+1}} \xrightarrow{\delta_{t+1}} z_{i_{t+2}} \xrightarrow{\delta_{t+2}} \dots$ with each $\delta_{t+j} \in \mathbb{Z}$; $z_{i_{t+j}} \in V$; $j \in \mathbb{N}$.

Definition 5 (Composition). The composition of two transitions $B : f \to g$ and $B' : g \to h$ is $B; B' : f \to h$ with arc set E defined below. Notation: write $x \xrightarrow{\delta_1} y \xrightarrow{\delta_2} z$ if $\delta_1, \delta_2$ are the changed values of variables in each function, $x \xrightarrow{\delta_1} y$ and $y \xrightarrow{\delta_2} z$ are respectively arcs of $B$ and $B'$.

Arc is a set of arcs

$$Arc = \{x \xrightarrow{\delta_1 + \delta_2} z \mid x \xrightarrow{\delta_1} y \text{ in } B,\ y \xrightarrow{\delta_2} z \text{ in } B'\}$$

For nested functions, if there are inner function $f_{in}$ and outer function $f_{out}$, we can use composition of ESCGs to express the function call in nested functions. There are ESCGs $B_1 : f_{in} \to f$ and $B_2 : f \to f_{out}$, and variables $r \in V_{add}$, $x \in Variables(f_{in})$ and $y \in Variables(f_{out})$. There are arc $x \xrightarrow{\delta_1} r$ in $B_1$ and arc $r \xrightarrow{\delta_2} y$ in $B_2$, where $\delta_1 \in \mathbb{Z}$, $\delta_2 = 0$. We use $B = B_1; B_2$ to show the connection between the returned values and the termination of programs.

Definition 6 (M-Transition). An m-transition is a transition as $B : f \to g$ which is the composition for all the transitions in a multipath $M : B_1, B_2, \dots, B_n$, where $source(B_1) = f$, $target(B_n) = g$.

Assume an arc $x \xrightarrow{E} y'$ in m-transition B comes from $x \xrightarrow{\delta_1} z_1 \xrightarrow{\delta_2} z_2 \dots \xrightarrow{\delta_n} y'$. We should consider the changed value in arcs $z_i \xrightarrow{\Delta_1} z_i$ and $z_j \xrightarrow{\Delta_2} z_j$ which express the self-recursive function calls. All the possible self-recursive calls in the multipath should be considered by multiplying the visiting number of times at the locations in the program.

Definition 7 (Tendency transition). Let $B : f \to g$ be an m-transition for a multipath $M : B_1, B_2, \dots, B_n$, where $source(B_1) = f$, $target(B_n) = g$. We define B with integer labeled arcs as $x \xrightarrow{\delta} y$, $\delta \in \mathbb{Z}$, and the tendency transition $B_T$ of B with symbol labeled arcs as $x \xrightarrow{R} y$, $R \in \{+, -, =\}$.

Function Tend is defined as $B \mapsto B_T$:

$$Tend(B) = Tend(f \to g) = \{x \xrightarrow{+} y' \mid x \xrightarrow{E} y',\ E > 0,\ x \in Variables(f),\ y' \in Variables(g)\}$$
$$\cup\ \{x \xrightarrow{-} y' \mid x \xrightarrow{E} y',\ E < 0,\ x \in Variables(f),\ y' \in Variables(g)\}$$
$$\cup\ \{x \xrightarrow{=} y' \mid x \xrightarrow{E} y',\ E = 0,\ x \in Variables(f),\ y' \in Variables(g)\}$$

Function Tend transforms transition B with integer labeled arcs to the tendency transition $B_T$ with symbol labeled arcs that express the ascent or descent in some data value. We composite many transitions in an e-multipath. The result for composition seems as a new transition which describes the whole changed value after all the function calls. E-Idempotent B is that $Tend(B) = Tend(B; B)$.

Definition 8 (Deterministic). Given an m-transition B, if there is no arc in the tendency transition $B_T$ of B, transition B is non-deterministic. Otherwise, it is deterministic.

3.2.2. Recursive calling graph

Definition 9 (Recursive calling graph). The recursive calling graph (RCG) for program is $\mathcal{G} = (\mathcal{P}, \mathcal{B}, \mathcal{L})$:

- $\mathcal{P} = \{f \mid f \text{ is function name}\}$: A set of points in RCG consists of the function names in the program. We define a function $Variables(\chi)$ as program points $\mapsto \{v\}$.
- $\mathcal{B} = \{B_a \mid a \text{ is one of the locations in the program, } B_a \text{ is an ESCG}\}$: A set of ESCGs, to express the transitions from one point to another point in the RCG.
- $\mathcal{L} = \{E(v) \mid v \in Variables(p),\ p \in \mathcal{P}\}$: A set of labels (expression $E(v)$ is related to some variable v), to express the conditions of function call.

Suppose positions $p_1, p_2 \in \mathcal{P}$ are defined in the program. There are transitions $B_a, B_b \in \mathcal{B}$, ESCGs $B_a : f \to g$ with labeled arcs $x \xrightarrow{\delta_1} y'$ and $v \xrightarrow{\delta_2} u'$, $B_b : g \to f$ with labeled arcs $y \xrightarrow{\delta_3} x'$ and $u \xrightarrow{\delta_4} v'$ where $\delta_1, \delta_2, \delta_3, \delta_4 \in \mathbb{Z}$; $x, v \in Variables(f)$; $y, u \in Variables(g)$.

An example of RCG is in Fig. 1. Nodes in the RCG are the program points. The program point 1 describes function f with calling condition $L_1$. By contrast, the program point 2 describes function g with calling condition $L_2$. Blocks in the RCG are transitions in the program. There are transitions between the points with conditions $L_1$ and $L_2$ respectively as follows:

- $1 \to 2$: $f(x, v) \to g(y, u)$, $L_1$
- $2 \to 1$: $g(y, u) \to f(x, v)$, $L_2$

Fig. 1. The recursive calling graph.

The blocks $f(x, v) \to g(y, u)$ at location a and $g(y, u) \to f(x, v)$ at location b are described as ESCGs.

All the calling condition can be expressed in the form as $lg \geq rg$ or $lg > rg$, where $lg, rg \in V \cup const$ (const is a set of constant). There is an equation $size(lg, rg) = abs(lg - rg)$, where $abs(E)$ is the absolute value of expression E.

For example, under condition $n > 0$, there is $size(n, 0) = abs(n)$, while under condition $100 \geq n$, there is $size(100, n) = abs(100 - n)$.

3.3. Termination analysis with RCG

Lemma 1. Given a RCG $\mathcal{G} = (\mathcal{P}, \mathcal{B}, \mathcal{L})$ for a program, every strong connected component in $\mathcal{G}$ has an e-idempotent m-transition.

Proof. Every strong connected component C in $\mathcal{G}$ can be expressed as a sequence of nodes: $P_i, P_{i+1}, \dots, P_N, P_i$, where each $P_i \in \mathcal{P}$. We can get an e-multipath M from C: $f \to g_1 \to g_2 \to \dots \to g_N \to f$ where $f \in P_i$; $g_j \in P_{i+j}$; $j \in [0..N]$. The m-transition of M is $B : f \to f'$. An arc as $x \xrightarrow{E} x'$, where $x, x' \in Variables(f)$ can be constructed in B.

There are different situations in SCC as follows:

- There is ESCG $G_a$ with arc $x \xrightarrow{\delta_1} x'$ and $G_b$ with arc $x \xrightarrow{\delta_2} x'$. We have arc $x \xrightarrow{\Delta_1} x'$ for idempotent graph $G_a$ and arc $x \xrightarrow{\Delta_2} x'$ for idempotent graph $G_b$. At location a, the number of times for function call is the value of ($\Delta_1$ div $\delta_1$), while at location b, the number of times for function call is the value of ($\Delta_2$ div $\delta_2$). If SCC C consists of transitions whose arcs are like $x_i \xrightarrow{\delta_i} x_i'$ and $x_j \xrightarrow{\delta_j} y_j'$. We have

$$E = \sum_{i > 0} (\Delta_i) + \sum_{j > 0} (\delta_j) \qquad (1)$$

  There is no other SCC as $P_i', \dots, P_i'$ in C.

- There is an e-thread as $x \xrightarrow{\delta_0} y_1 \xrightarrow{\delta_1} \dots\ y_N \xrightarrow{\delta_N} x'$; $x, x' \in Variables(f)$, $y_j \in Variables(g_j)$, $j \in [0..N]$. We have

$$E = \sum_{j=0}^{j=N} (\delta_j) \qquad (2)$$

  In this case, there are no other loops in C. The whole changed value E for a path an arc as $x \xrightarrow{\delta} x'$ is just the sum of each changed value during the loop.

For deciding whether a transition is e-idempotent or not, we should consider the situations mentioned above:

- $E < 0$: There is $size(con, x) \xrightarrow{>} size(con', x')$ in Tend(B), where $con \in const$ and $x \in V$, where const is a set of constant.
- $E > 0$: There is $size(x, con) \xrightarrow{>} size(x', con')$ in Tend(B), where $con \in const$ and $x \in V$, where const is a set of constant.
- $E = 0$: There is $size(lg, rg) \xrightarrow{=} size(lg', rg')$ in Tend(B), where $lg \in V$ and $rg \in const$, or $rg \in V$ and $lg \in const$.

Therefore, each SCC in RCG is related to an e-idempotent m-transition. □

Lemma 2. Given a RCG $\mathcal{G}$ for an augmented program, any maximal strong connected component of $\mathcal{G}$ satisfies a decreasing ordering on a size function for some condition L.

Proof. Every maximal strong connected component C in $\mathcal{G}$ can be expressed a sequence of nodes as: $P_i, P_{i+1}, \dots, P_N, P_i$, where each $P_i \in \mathcal{P}$. By Lemma 1, we can construct an e-idempotent transition $B : f \to f'$ in which there exists an arc $x \xrightarrow{\delta} x'$ where $x, x' \in Variables(f)$. There is an arc $x \xrightarrow{R} x'$ in Tend(B) respectively.

Following Lemma 1, there is Tend(B) with some changed tendency R related to C. There is $size(v, con)$, where $v, v' \in V$. According to the changed tendency "−" for v (the descent in value of "v"), it violates the condition $L : v > con$. Or there is $size(con, v)$, where $v, v' \in V$. According to the changed tendency "+" for v (the ascent in value of "v"), it violates the condition $L : con > v$. □

Theorem 2 (Extended size-change termination principle). Let $\mathcal{G} = (\mathcal{P}, \mathcal{B}, \mathcal{L})$ be a RCG for an augmented program. If every MSCC of $\mathcal{G}$ is well-founded for some size function, then all of the functions terminate on all inputs.

Proof. Each variable in $V$ is related to some $P \in \mathcal{P}$. Each changed tendency R is related to the transition $B \in \mathcal{B}$. Each size function $size(lg, rg)$ is related to some transition condition $L \in \mathcal{L}$. For each loop in $\mathcal{G}$, there exists a size function which is well-founded ordering by Lemma 2. We can get that there is no infinite loops in the program. The program will terminate for all the inputs. □

4. Algorithm: R_Termination

For some functions whose returned value may be related to the termination of the program, some additional constructs may be used. We add the returned variable r and the counter variables co in the program.

4.1. Preprocessing

4.1.1. Capturing returned values in the program

Since the language used here is a functional language, it seems appropriate to capture the returned values of functions. Sometimes these returned values are required for termination analysis (as in the McCarthy's 91 function). The first extension proposed here is to add in a global returned value for function calls in the program. For McCarthy's 91 function, the process responding to the returned value should be expressed as a composition between two extended size-change graphs $G_a$ and $G_b$ at location a and b in the program (3).

4.1.2. Adding counter variables in extend program

It is possible to composite the transitions in the RCG, and analyze the termination of the program for McCarthy's 91 function directly. However, it is impossible to detect the termination of the McCarthy's 91 function. The analysis is therefore extended to take advantage of other available information.

Sometimes, the value of some variable decreases in several steps but increases in some step, therefore, we cannot get the final decision that the program terminate or not. But in the real world, it will finally terminate. The non-deterministic is caused by missing the relation between the nested functions. The expressions $co = co + 1$ at location c, $co = co - 1$ at location b and the condition $co > 0$ in Fig. 3 can describe the relations between function calls and function returns.

4.1.3. Constructing size functions

We will deal with each calling conditions by constructing a size function defined on a well-founded domain. Such function is related to some variable in a calling or return condition. The condition of the transition will be unsatisfied according to the oscillating value. If we cannot construct such size function for some MSCC in the RCG, it means that there are still some loops in the execution of the program. Otherwise, the program will terminate.

4.2. Algorithm: R_Termination

We propose an algorithm R_Termination to describe the analyzing process after augmenting and transforming.

After augmenting, there is a set of variables that consists of the original variables $V$ and the additional ones $V_{add} = \{r \cup co\}$, where including returned value r and counter value co. After transforming the augmented program to a RCG $\mathcal{G}$, we take $\mathcal{G} = (\mathcal{P}, \mathcal{B}, \mathcal{L} \cup \mathcal{L}_{co})$ as the input for algorithm R_Termination. We take $\mathcal{P}$ as a set of points in the graph, $\mathcal{B}$ as a set of blocks (ESCGs), $\mathcal{L}$ as a set of transition conditions from some node to another one, $\mathcal{L}_{co}$ as the condition with counter variable co to express the constraint that there is no more number of times for function return than for function call:

1. We analyze the termination of the augmented program by dealing with the RCG $\mathcal{G}$ and the set of locations $\mathcal{A}$. Firstly, we construct a set of ESCGs for each location in the program.
2. Then we deal with the loops in $\mathcal{G}$ by function $Loop(\mathcal{G})$, if there is no loop in the RCG, such that all functions terminate on all inputs according to Theorem 1.
3. Otherwise, we decompose the RCG $\mathcal{G}$ into many MSCCs $[C_0, \dots, C_k]$. Each MSCC $C_i$ consists of points, ESCGs and conditions $\{C_i \mid ((P_j, \dots, P_{j+n}), (B_j, \dots, B_{j+n}), (L_j, \dots, L_{j+n}))\}$.

4. For each $C_i$, there exists e-idempotent transition B according to Lemma 1. We composite ESCGs in $C_i$, get a set of compositions S.
5. And then, computing the tendency R by Tend(S). If we can construct some size function $size(v) >_L size(v')$,³ $v, v' \in V$ relate to some L, then we should remove the condition respectively. The condition L will finally be unsatisfied according to the tendency R for some variable v in the SCC.
6. We deal with the sub-RCG recursively. If we cannot find such size function, we have no proof of termination for the program on some inputs.
7. If we can construct size function for MSCC in each iteration, the program terminates for all the inputs.

³ $size(v) >_L size(v')$ is the abbreviation for the cases consists of (1) $size(v, c) > size(v', c')$ and (2) $size(c, v) > size(c', v')$, where $v, v' \in V$; $c, c' \in const$; $E(v) \in \mathcal{L}$.

Algorithm 1. R_Termination(G).

    SCG(G, A) into a set of ESCGs B = [Ba, Bb, …], a, b, … ∈ A
    Loop(G)
    if there are loops then
        Decompose(G) into a set of MSCCs [C0, …, Ck]
        for i = 0; i ≤ k; i++ do
            Composition(Ci, B) into a set of composition of ESCGs in S = [Bm; Bn], Bm, Bn ∈ B
            R = Tend(S)
            if size(v) >_L size(v') then
                G' = Remove(G, L, B)
                Loop(G')
            else
                halt and print "there is no proof of termination for some inputs"
            end if
        end for
    else
        there are no loops
        print "the program terminates for all inputs"
    end if

We declare the functions in Algorithm 1 as follows:

- SCG(G, A): We construct ESCGs for each location in the program.
- Loop(G): We analyze that whether there are loops in G.
- Decompose(G): We decompose the graph as a set of loops which contain nodes, transitions and transition conditions.
- Composition(Ci, B): We composite ESCGs in the MSCC Ci. The idempotent one is related to a loop.
- Tend(S): We get tendency R by doing composition with each transition Bi between each pair of nodes Pi and Pi+1 in ESCC C.
- Remove(G, L, B): We remove the condition L ∈ L relate to some SCG in C from G, get G'.

We extend the program by adding many constructs. And then we take the RCG $\mathcal{G}$ of such program as the input for Alg. R_Termination. Each SCC in $\mathcal{G}$ is the possible loop we should cut off. If all the possible loops in the program can be cut off, the program will terminate. Otherwise, there must exist some loops, which is the reason for the non-termination of the program.

5. Example

At this stage we introduce an example to illustrate the analysis techniques which is applied in McCarthy's 91 function (Manna and McCarthy, 1970). For all $n \leq 101$, the returned value of the function f is 91. Neither SCT nor affine-SCT style (Anderson and Khoo, 2003) analysis work for this function, because the returned value of the function and the relative numbers of calls are relevant to its termination.

    f(n) = if n > 100 then
               a : n − 10
           else
               b : f(c : f(n + 11))                    (3)

Considering the program of McCarthy's 91 function (3), there are a nested loop with two designated locations (the location c for the inner function and the location b for the outer function) in a self-recursive function. Despite its simplicity, there is no such sequence of size-change graphs that would make this program size-change terminate. There are only relations $>$ and $\geq$ in the approach of size-change principle. The auxiliary constructs for the approach are size-change graphs which include transitions for non-decreasing relations in function callings. Applying size-change principle in the example, we can get the size-change graph in Fig. 2. Because of the action $n + 11$, there are no transitions in the size-change graph $G_{f \to f}$. The traditional size-change principle cannot deal with the program with recursive function callings.

Fig. 2. The SCG of The McCarthy's 91 Function in SCT.

But we can get that the inner loop will terminate because when the value of variable n is greater than 100, the execution of the program will move to location a and then the returned value $n - 10$ will be taken as an input value to the outer function (at location b). Because it is impossible that the number of times for function return is more than the number of times for function call, the expression $size(lg, rg)$ shows the size of some variable is oscillating but finally decreased in each iteration.

The main steps of our approach are as follows: firstly the original program is augmented by additional variables (including returned variables and counter variables), which are used to record the returned value and the number of times for function call/return, respectively. Secondly, we transform the extended program to a recursive calling graph. Then we analyze the maximal strong connected components (MSCCs) of the RCG. The program is guaranteed to terminate if all the MSCCs are well-founded. For the motivated example: the McCarthy's 91 function, we have:

Step 1: The first step is used to augment program with additional variables r and co. We assign an initial value 0 to both counter variable co and returned variable r. There are $co = co + 1$ at location c (recording the number of times for function call), $co = co - 1$ at location b (recording the number of times for function return) and $r = n - 10$ at location a (recording the returned value "$n - 10$").

    co = 0;
    r = 0;
    f(n) = if co = 0 then
               if n > 100 then
                   T : n − 10
               else
                   b : f(c : f(n + 11)); co = co + 1
           else
               if n > 100 then
                   a : r = n − 10; co = co − 1
               else
                   b : f(c : f(n + 11)); co = co + 1   (4)

In the extended program (4), there is no condition like $co < 0$, because it is impossible that the number of times for function return is more than the number of times for function call. Condition $co = 0$ means that there is no nested function calls any more, so it is possible to reach the goal that terminating by returning value $n - 10$ (at location T). Condition $co > 0$ means that there are still many nested function calls, in that case, the returned value r is the input for some nested function.

Step 2: In this step, we construct the RCG in Fig. 3 for the augmented program. Nodes in the RCG are the program points. The program point 1 describes function f with $co = 0$. By contrast, the program point 2 describes function f with $co > 0$. Blocks in the RCG are transitions in the program. There are transitions (function call and function return) between the points with conditions as follows:

- $1 \to 2$: $f \to f(n + 11)$; $co = 0 \wedge n \leq 100$
- $2 \to 2$: $f \to f(n + 11)$; $co > 0 \wedge n \leq 100$
- $2 \to 2$, $2 \to 1$: $f \to f(f(n + 11))$; $co > 0 \wedge n > 100$

Fig. 3. The RCG of the McCarthy's 91 function.

Step 3: In this step, extended size change graphs was constructed as the blocks in Fig. 3. The ESCGs are $B_a$, $B_b$ and $B_c$ in Fig. 4. $B_c$ describes the changed values for function call $1 \to 2$ and $2 \to 2$. $B_a$ is used to store the returned value from the inner function in variable r. The process that the returned value is used as the input to the outer function is described as $B_b$.

Fig. 4. The ESCGs: Ba, Bb and Bc.

Step 4: In this step, it is significant to show whether infinite call sequences with infinite descent in some data value exist or not. The compositions are in Fig. 5. $B_a; B_b$ is the composition of $B_a$ and $B_b$, which describes the changed value for function return $2 \to 1$ and $2 \to 2$. The composition $B_c; B_a; B_b$ is one of the transitive closures of the transitions. Because there is no more visiting times for function return than function call, we can get $co > 0$ for each point in the program. According to this, the visiting numbers of times at location b are no more than the numbers at location c.

Table 2. The MSCCs and ESCGs in RCG.

    Size change                      ESCG          MSCC
    size(100, n) > size(100, n')     Bc; Ba; Bb    {P1, P2}
    size(n, 100) > size(n', 100)     Ba; Bb        {P2}

Fig. 5. The Composition Ba;Bb and Bc;Ba;Bb.

There is $E = \Delta_1 - \Delta_2$, according to the condition $co > 0$, we can get that $(\Delta_1 \text{ div } 10) > (\Delta_2 \text{ div } 10)$, so that $E > 0$ is true. We can handle the MSCCs with the combinations of ESCGs. The MSCC is well-founded if there is at least one descending sequence. After removing the descending condition from the RCG, the process for dealing with the MSCC in the remain part of RCG is repeated several times until there is no MSCC or no descending sequence. In this example, the parameters are in Table 2.

The MSCC that consists of points $P_1$, $P_2$ and the composition $B_c; B_a; B_b$ for location a, b, c, has a descending sequence $size(100, n) > size(100, n')$. After removing condition $100 \geq n$ from RCG, the MSCC consists of points $P_2$ and composition $B_a; B_b$ for location a, b, with a descending sequence $size(n, 100) > size(n', 100)$. After removing condition $n > 100$, there is no cycle in the RCG. The program will terminate.

6. Related work

A constraint transition system (CTS) is an abstract program with a finite description. The nodes in a control flow graph are finite, so does a set of variables associated with each nodes. Monotonicity constraints were first introduced to termination analysis in 1991 (Sagiv, 1991). It considers relations $>$ and $\geq$, which means that the proof of termination bases on a non-increasing sequence. And there are a series of termination analysis approaches applying in both functional programs and imperative programs (Ben-Amram and Codish, 2008; Spoto et al., 2010; Alias et al., 2010). Codish (2005) extended the SCT to monotonicity constraints and the integers in theory. They argued that in imperative programs, in which the constraints are not of the SCG type, but terminate over the integers. Their approach (Codish et al., 2012) for checking termination by SAT solving. But the termination analysis by abstraction functions is according to their syntactic structure. We generate auxiliary constructs by using relations instead of functions. The paper (Ben-Amram, 2011) was motivated from the discussion to present an algorithm for constructing global ranking functions for terminating the CTS in integer domain. Zuleger et al. (Zuleger et al., 2011; Colcombet et al., 2014) applied CTS over integer domain in the context of cost analysis. But the control flow graph in CTS cannot express the self-recursive function call such as $f(f(n + 11))$. And the relations with label $>$ and $\geq$ may be too coarse to lead to more precise analysis.

In papers (Avery, 2006; Schmitz, 2014) with bound analysis, another method of SCT was introduced. Some approach deals with imperative languages such as C programs without function calls by bound analysis. In the method, the graphs are standard SCT graphs, although including as well as the $x < y'$ relation. Termination is guaranteed in the same way as for SCT. But it cannot deal with the programs with function calls.

The approach in paper (Ben-Amram and Genaim, 2014) can deal with Ackermann function but not McCarthy's 91 function. This kind of function is different from the functions that they can deal with. Primarily, the returned value of the function and the relative numbers of calls are relevant to its termination. Meanwhile, in the McCarthy's 91 function, the value of some variable decreases in many steps but increases in some steps.

For dealing with the functional programs, paper (Manolios and Vroon, 2010) proposed a method with bounded domain. This more powerful termination principle may create the control flow graph in different ways by choosing call sites to be flow-points rather than function names. But it still cannot express the transition for returning values. The calling context graph (CCG) related to the McCarthy's 91 function is in Fig. 6.

Fig. 6. The CCG of the McCarthy's 91 function.

The nodes 1 and 2 are described as follows:

1. $\langle f, \{n \leq 100\}, f(n + 11) \rangle$
2. $\langle f, \{n \leq 100\}, f(f(n + 11)) \rangle$

And the size-change graphs are as Fig. 7.

Fig. 7. The SCGs of The McCarthy's 91 Function in CCG.

The CCG approach cannot solve the problem because of losing

the National Program on Key Basic Research Project of China (973 Program) under Grant no. (2014CB340701) and the National Natural Science Foundation of China under Grant no. (61272135).

References

Alias C, Darte A, Feautrier P, Gonnord L. Multi-dimensional rankings, program termination, and complexity bounds of flowchart programs. In: Static analysis—17th international symposium, SAS 2010, Perpignan, France; September 14–16, 2010. p. 117–33. http://dx.doi.org/10.1007/978-3-642-15769-1_8.

Anderson H, Khoo SC. Affine-based size-change termination. In: Programming languages and systems: first Asian symposium, APLAS 2003, Beijing, China; November 27–29, 2003. p. 122–40.

Avery J. Size-change termination and bound analysis. In: Functional and logic programming, 8th international symposium, FLOPS 2006, Fuji-Susono, Japan; April 24–26, 2006. p. 192–207. http://dx.doi.org/10.1007/11737414_14.

Ben-Amram AM. Size-change termination, monotonicity constraints and ranking functions. In: Computer aided verification, 21st international conference, CAV 2009, Grenoble, France; June 26–July 2, 2009. p. 109–123. http://dx.doi.org/10.1007/978-3-642-02658-4_12.

Ben-Amram AM. Monotonicity constraints for termination in the integer domain. Log Methods Comput Sci 2011;7(3):1–43. http://dx.doi.org/10.2168/LMCS-7(3:4)2011.

Ben-Amram AM, Codish M. A sat-based approach to size change termination with global ranking functions. In: Tools and algorithms for the construction and analysis of systems, 14th international conference, TACAS 2008, held as part of the joint European conferences on theory and practice of software, ETAPS 2008, Budapest, Hungary; March 29–April 6, 2008. p. 218–32. http://dx.doi.org/10.1007/978-3-540-78800-3_16.

Ben-Amram AM, Genaim S. On the linear ranking problem for integer linear-constraint loops. In: The 40th annual ACM SIGPLAN-SIGACT symposium on principles of programming languages, POPL '13, Rome, Italy, January 23–25, 2013; 2013. p. 51–62. http://dx.doi.org/10.1145/2429069.2429078.

Ben-Amram AM, Genaim S. Ranking functions for linear-constraint loops. J ACM 2014;61(4):26. http://dx.doi.org/10.1145/2629488.

Codish M, Lagoon V, Stuckey PJ. Testing for termination with monotonicity constraints. In: Logic programming, 21st international conference, ICLP 2005, Sitges, Spain; October 2–5, 2005. p. 326–340. http://dx.doi.org/10.1007/11562931_25.

Codish M, Fuhs C, Giesl J, Schneider-Kamp P. Lazy abstraction for size-change termination. In: Logic for programming, artificial intelligence, and reasoning—17th international conference, LPAR-17, Yogyakarta, Indonesia, October 10–15, 2010. Proceedings; 2010. p. 217–32. http://dx.doi.org/10.1007/978-3-642-16242-8_16.
Codish M, Giesl J, Schneider-Kamp P, Thiemann R. SAT solving for termination the relation (arcs in Φ3, Φ4 in Fig. 7) between the returned value of proofs with recursive path orders and dependency pairs. J Autom Reason inner function and the input value of the outer function in nested 2012;49(1):53–93. http://dx.doi.org/10.1007/s10817-010-9211-0. recursion functions. Colcombet T, Daviaud L, Zuleger F. Size-change abstraction and max-plus automata. In: Mathematical foundations of computer science 2014—39th international 7. Conclusions symposium, MFCS, Part I; 2014. p. 208–219. http://dx.doi.org/10.1007/ 978-3-662-44522-8_18. Cook B, See A, Zuleger F. Ramsey vs. lexicographic termination proving. In: Tools The first main contribution of this paper is the design of an and algorithms for the construction and analysis of systems—19th international auxiliary construct named recursive calling graph to express the conference, TACAS 2013, held as part of the European joint conferences on – nested functions, which, in contrast to size-change graphs, is more theory and practice of software, ETAPS 2013, Rome, Italy; March 16 24, 2013. p. 47–61. http://dx.doi.org/10.1007/978-3-642-36742-7_4. generally applicable (with respect to the relation between the Farzan A, Heizmann M, Hoenicke J, Kincaid Z, Podelski A. Automated program number of calling times for the inner function and the outer verification. In: Language and automata theory and applications—9th interna- – function found and returned value considered). And we provide an tional conference, LATA 2015, Nice, France, March 2 6, 2015. Proceedings; 2015. p. 25–46. http://dx.doi.org/10.1007/978-3-319-15579-1_2. algorithm that can handle programs with oscillating value change, Heizmann M, Jones ND, Podelski A. Size-change termination and transition with proper preprocessing (additional variables). invariants. 
In: Static analysis—17th international symposium, SAS 2010, Per- More generally, our work establishes a termination analysis pignan, France, September 14–16, 2010. Proceedings; 2010. p. 22–50. http://dx. doi.org/10.1007/978-3-642-15769-1_4. over integers, which can handle nested functions in which Kuwahara T, Terauchi T, Unno H, Kobayashi N. Automatic termination verification returned values are relevant to termination. And it can finally for higher-order functional programs. In: Programming languages and systems detect function call sequences that repeatedly oscillate a value that —23rd European symposium on programming, ESOP 2014, held as part of the European joint conferences on theory and practice of software, ETAPS 2014, eventually violates some calling conditions. The approach could Grenoble, France, April 5–13, 2014. Proceedings; 2014. p. 392–411. http://dx.doi. help optimizing the allocation of resources by extending the set of org/10.1007/978-3-642-54833-8_21. programs that are size-change terminating. Lee CS, Jones ND, A. Ben-Amram M. The size-change principle for program There is nevertheless room for many improvements. We will termination. In: Conference record of POPL 2001: the 28th ACM SIGPLAN- SIGACT symposium on principles of programming languages, London, UK; consider the situation when termination depends on a fairness January 17–19, 2001. p. 81–92. http://dx.doi.org/10.1145/360204.360210. schedule in concurrent programs. Manna Z, McCarthy J. Properties of programs and partial function logic. Mach Intell 1970:5:27–37. Manolios P, Vroon D. Interactive termination proofs using termination cores. In: Interactive theorem proving, first international conference, ITP 2010, Edin- Acknowledgments burgh, UK, July 11–14, 2010. Proceedings; 2010. p. 355–370. http://dx.doi.org/ 10.1007/978-3-642-14052-5_25. Sagiv Y. A termination test for logic programs. 
In: Logic programming, proceedings This work is supported by the Fundamental Research Funds for of the 1991 international symposium, San Diego, CA, USA; October 28– the Central Universities under Grant no. (2-9-2014-011) (CUGB), November 1, 1991. p. 518–32. 116 T. Long, W. Zhang / Journal of Network and Computer Applications 59 (2016) 109–116

Schmitz S. Complexity bounds for ordinal-based termination—invited talk. In: Reachability problems—8th international workshop, RP 2014, Oxford, UK; September 22–24, 2014. Proceedings; 2014. p. 1–19. http://dx.doi.org/10.1007/978-3-319-11439-2_1.110.
Spoto F, Mesnard F, Payet É. A termination analyzer for java bytecode based on path-length. ACM Trans Program Lang Syst 2010;32(3):1–70. http://dx.doi.org/10.1145/1709093.1709095.
Zuleger F, Gulwani S, Sinn M, Veith H. Bound analysis of imperative programs with the size-change abstraction. In: Static analysis—18th international symposium, SAS 2011, Venice, Italy; September 14–16, 2011. p. 280–97. http://dx.doi.org/10.1007/978-3-642-23702-7_22.
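
The counter-based reading of McCarthy's 91 function used in the worked example (program point 1 for co = 0, program point 2 for co > 0) can be replayed step by step. The Python sketch below is an added example, not code from the paper: it assumes, as the text describes, that co counts nested calls still waiting for a returned value, and the names point, simulate, ALLOWED and observed_edges, as well as the "call"/"return" edge labels, are this example's own.

```python
# Added illustration: iterative replay of the counter-augmented McCarthy 91
# function. Names (point, simulate, ALLOWED, observed_edges) are hypothetical.

# RCG edges described in the text, labelled here as (source, target, kind)
ALLOWED = {(1, 2, "call"), (2, 2, "call"), (2, 2, "return"), (2, 1, "return")}


def point(co):
    """Program point of the RCG: 1 when co = 0, 2 when co > 0."""
    return 1 if co == 0 else 2


def simulate(n, max_steps=100_000):
    """Return (result, trace) for f(n).

    co counts nested calls still waiting for a returned value (assumption
    taken from the text). Each trace entry is
    (source point, target point, kind, n before, n after).
    """
    co, trace = 0, []
    for _ in range(max_steps):
        src = point(co)
        if n <= 100:      # function call f(n + 11); the outer f stays pending
            new_n, co, kind = n + 11, co + 1, "call"
        elif co > 0:      # return: r = n - 10 feeds the pending outer f
            new_n, co, kind = n - 10, co - 1, "return"
        else:             # co = 0 and n > 100: location T, return n - 10
            return n - 10, trace
        trace.append((src, point(co), kind, n, new_n))
        n = new_n
    raise RuntimeError("step budget exhausted; no termination observed")


def observed_edges(lo, hi):
    """Simulate every input in [lo, hi]; check results, collect RCG edges."""
    seen = set()
    for n in range(lo, hi + 1):
        result, trace = simulate(n)
        if result != (n - 10 if n > 100 else 91):
            raise AssertionError(f"unexpected result for n={n}: {result}")
        seen |= {(s, d, k) for s, d, k, _, _ in trace}
    return seen


if __name__ == "__main__":
    print(simulate(99))
    print(observed_edges(-50, 200) == ALLOWED)
```

Over the inputs -50 to 200 the run visits only the edges 1→2, 2→2 and 2→1, while n alternately rises by 11 on a call and falls by 10 on a return, which is the oscillating value change the ESCGs are meant to capture.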