Monotonicity Constraints for Termination in the Integer Domain

Size-Change Termination (SCT) is a method of proving program termination based on the impossibility of infinite descent. To this end we use a program abstraction in which transitions are described by Monotonicity Constraints over (abstract) variables. When only constraints of the form x>y' and x\geq y' are allowed, we have size-change graphs. In the last decade, both theory and practice have evolved significantly in this restricted framework. The crucial underlying assumption of most of the past work is that the domain of the variables is well-founded. In a recent paper I showed how to extend and adapt some theory from the domain of size-change graphs to general monotonicity constraints, thus complementing previous work, but remaining in the realm of well-founded domains. However, monotonicity constraints are, interestingly, capable of proving termination also in the integer domain, which is not well-founded. The purpose of this paper is to explore the application of monotonicity constraints in this domain. We lay the necessary theoretical foundation, and present precise decision procedures for termination; finally, we provide a procedure to construct explicit global ranking functions from monotonicity constraints in singly-exponential time, and of optimal worst-case size and dimension (ordinal).


Introduction
This paper concerns automated termination analysis-deciding whether a program terminates, and possibly generating a global ranking function.The termination problem is well-known undecidable for Turing-complete programming languages; one of the ways in which this obstacle may be circumvented is to study, for this purpose, a class of abstract programs that are expressive enough to allow many concrete programs to be represented, so that termination of the abstraction implies termination of the concrete program.An important point is that the abstract programs do not constitute a Turing-complete programming language and can have a decidable termination problem.The abstraction studied in this paper is monotonicity constraint transition systems [12,6].The term will be usually abbreviated to MCS.
The MCS abstraction is an extension of the SCT (Size-Change Termination [23]) abstraction, which has been studied quite extensively during the last decade 1 .represent a program as a transition system with states.Abstraction of a program consists of the formation of a control-flow graph for the program, identification of a set of state variables, and formation of a finite set of abstract transitions (i.e., abstract descriptions of program steps, where the notion of step can be tuned to different needs).
In the SCT abstraction, an abstract transition is specified by a set of inequalities, that relate variable values in the target state to those of the source state (these inequalities are often represented by a size-change graph).Extending this notion, a monotonicity constraint (MC) allows for any conjunction of order relations, including equalities as well as strict and non-strict inequalities, and involving any pair of variables from the source state and target state.The Monotonicity Constraint Transition Systems treated in this paper also allow constraints to be associated with a point in the control-flow graph (these are called state invariants).
The size-change technique was conceived to deal with well-founded domains, where infinite descent is impossible.Termination is deduced by proving that any (hypothetical) infinite run would decrease some value monotonically and endlessly, so that well-foundedness would be contradicted.
Monotonicity constraints generalize the SCT abstraction and are clearly more expressive, a fact that was highlighted by Codish, Lagoon and Stuckey [12].They made the intriguing observation that pre-existing termination analyzers based on monotonicity constraints [24,13,25] apply a termination test which is sound and complete for SCT, but incomplete for general monotonicity constraints, even if one does not change the underlying model-namely that "data" are from an unspecified well-founded domain.In addition, they pointed out that monotonicity constraints can imply termination under a different assumption-that the data are integers.Integers, not being well-founded, cannot be handled by the SCT abstraction.
In practice, the integers are already the predominant domain for monotonicity constraints and size-change termination.Often-in particular in functional and logic programming-they represent the size of a list or tree (whence the term size-change termination), and are necessarily non-negative, which allows the well-founded model to be used.In contrast, in certain application domains, and typically in imperative programming, the crucial variables are of integer type and might be negative (by design or by mistake).But MCs can still imply termination, as witnessed by the loop while(x<y) x=x+1.The value of x does not descend but grow; however the constraint x < y (along with the fact that y does not change) tells us that this cannot go on forever.
In a previous paper [6], the theory of monotonicity constraint transition systems in the well-founded model was investigated.Main results include: • The syntax and semantics of the abstraction are presented.
• A combinatorial termination criterion is formulated in terms of the representation of monotonicity constraints as graphs (briefly: the existence of an infinite descending path, or walk, in every infinite multipath).This is an adaptation of the SCT criterion from [23].• It is proved that satisfaction of this criterion is equivalent to the termination of transition system that satisfies the constraints-in logical terms, the criterion is sound and complete.• Termination of MCSs is shown decidable, and more precisely, PSPACE-complete.
Two decision procedures are given: a direct closure-based algorithm, and a reduction of the problem to SCT, which provides an alternative algorithm, along with insight into the relationship between the two constraint domains.• An algorithm is given to construct explicit global ranking functions given any terminating MCS (recall that a global ranking function is a function from program states into a well-founded domain, that decreases on every transition).The algorithm has optimal time complexity (2 O(n log n) ) and produces a ranking function whose values are tuples, under the lexicographic ordering.It is also optimal in the dimension (length of the tuples, implying the ordinal of the codomain), at least in a worst-case sense.
The contribution of this paper is to obtain some similar results in the integer model.This development is more complicated than in the well-founded model, but is certainly worthwhile due to the practical importance of this domain (many published termination analyses target the integers specifically; a few, closest to this work, are referenced in the related-work section).An intuitive reduction of the integer case back to the well-founded case is to create a new variable for every difference x i − x j which can be deduced from the constraints to be non-negative, and also deduce relations among these new variables to obtain a new abstract program over the natural numbers.But this solution may square the number of variables, which is bad because this number is in the exponent of the complexity, and in general is not complete (see Example 2.9) in the next section).We tackle the problem directly instead, but as an interesting corollary we shall find that the above reduction is, in fact, a correct solution given a certain preprocessing of the program.
This paper is organized as follows.In the next section we formally introduce monotonicity constraint transition systems and their semantics.After this quick technical introduction a sample of examples are given, witnessing the range of termination arguments captured by this framework.Section 3 recalls the notion of a stable MCS (introduced in [6]).Stabilization propagates invariants around the abstract program and makes it more amenable to local analysis.Section 4 gives a combinatorial termination criterion (in terms of graphs), similar to what has been known for SCT and for MCS in previous work.The criterion is proved sound and complete and decision algorithms are discussed.In Section 5, we recall another notion from [6], that of elaboration.Elaborating a systems makes some information which implicit in it, explicit, and further simplifies its algorithmic processing.It is used in Section 6, presenting the algorithm to construct ranking functions.Section 7 complements the previous sections by briefly explaining the role of reachability (sometimes a program may seem to contain an infinite loop, but it is not reachable).Section 8 discusses related work and Section 9 concludes.This paper is intended to be self-contained, so that it can be read independently of its predecessor [6].However, a reader may be interested to know what the challenges were in handling the integer domain in constrast with the well-founded domain, where the definitions or techniques are the same, when they differ and how.The paper is interspersed with special comments marked with the symbol Z.These comments are meant to answer the above questions.They can be skipped without compromising the integrity of the text.
The central results of this work have been presented in the 20th International Conference on Computer Aided Verification conference (2009) and are stated, very briefly, in the proceedings [5] .

Basic Definitions and Motivating Examples
Z: The basic definitions (Sect.2.1-2.2) are essentially as in [6], except for the notation πtermination, introduced for distinction between the integer interpretation of an MCS and the well-founded interpretation.Section 2.3 includes examples to show the expressiveness of the integer MCS model and contrast it with the usage of SCT to analyze the same programs.
2.1.Monotonicity constraint transition systems.A monotonicity constraint transition system is an abstract program.An abstract program is, essentially, a set of abstract transitions.An abstract transition is a relation on (abstract) program states.When describing program transitions, it is customary to mark the variables in the resulting state with primes (e.g., x ′ ).For simplicity, we will name the variables x 1 , . . ., x n (regardless of what program variables they represent).This notation also suggests that the same number of variables (n) is used to represent all states.Of course, in actual programs this is not necessarily the case (for example due to different scopes) and it will be more efficient to maintain only the necessary variables at each program point.

Definition 2.1 (MCS).
A monotonicity constraint transition system, or MCS, is an abstract program representation that consists of a control-flow graph (CFG), monotonicity constraints and state invariants, all defined below.
• A control-flow graph is a directed graph (allowing parallel arcs) over the set F of flow points.• A monotonicity constraint (MC) is a conjunction of order constraints x ⊲⊳ y where x, y ∈ {x 1 , . . ., x n , x ′ 1 , . . ., x ′ n }, and ⊲⊳ ∈ {>, ≥, =}.• Every CFG arc f → g is associated with a monotonicity constraint G.We write G : f → g. • For each f ∈ F , there is an invariant I f , which is a conjunction of order constraints among the variables.
The terms "abstract program" and "MCS" are used interchangeably, when context permits.The letter A is usually used to denote such a program; F A will be its flowpoint set.When notions of connectivity are applied to A (such as, "A is strongly connected"), they concern the underlying CFG.
Note that we may have unsatisfiable MCs, such as x 1 > x 2 ∧ x 2 > x 1 ; it is useful to view all such MCs as synonyms and use the common notation ⊥ for them (as one would typically do in an Abstract Interpretation domain).Definition 2.4 (transition system).The transition system associated with A is the binary relation Note that a program representation may also be called a "transition system."I am using the unqualified term for a semantic object.The program representation is referred to as an MC transition system (or sometimes just MC system).
Definition 2.5 (run).A run of T A is a (finite or infinite) sequence of states s = s 0 , s 1 , s 2 . . .such that for all i, (s i , s i+1 ) ∈ T A .
Note that by the definition of T A , a run is associated with a sequence of CFG arcs labeled by G 1 , G 2 , . . .where s i−1 , s i |= G i .This sequence constitutes a (possibly non-simple) path in the CFG.Definition 2.6 (termination).Transition system T A is uniformly terminating if it has no infinite run.MCS A is said to be π-terminating if T A is uniformly terminating.
The prefix π (a symbol for the order type of the integers [26]) is included since the same MCS can be interpreted in the well-founded model of [6] and may possibly be non-terminating there (though this would require the value domain to be of an order type greater than ω).The term uniform refers to termination that is independent of the initial state.In Section 7 we discuss the consequences of specifying an initial flow-point.
Remark.It may be tempting to abstract away from the integers and, just as the well-founded case was treated generally (so that any well-founded domain could be used), give a general definition of the property that the domain has to satisfy for our termination arguments to apply.The property is that for any two elements there are only finitely many elements strictly between them.However, this abstraction buys us no generality, as every total order with this property is isomorphic to a subset of the integers.On the other hand, the fact that we assume the underlying set to be, specifically, the integers, has the satisfactory outcome that completeness of our deduction means that specific knowledge about the integers could not have been used in any better way.

2.3.
Examples.Here are a few small examples that illustrate the transformation of programs into MCS.The reader is invited to verify that the abstract programs created are indeed terminating.To contrast the expressiveness of the MC abstraction with that of the better-known SCT, comments are included regarding how the examples might be treated by SCT-based tools.Recall that in the SCT framework, only well-founded domains are handled.
Example 2.7.Consider the following program, in a self-explanatory functional programming language with integer data.
else f(m, n-1) In this example the recursive calls depend on some variable being positive, and therefore the proof can somehow be embedded in the well-founded framework.This requires placing the control-flow points at the call sites, where we can rely on the guards; it is also necessary to deal with the fact that n, while being pertinent to the termination proof, is only known to be positive (and thus can be admitted into the SCT abstraction) in the second call.When using MCs, we need not worry about all of this.We can place a single flow-point at the function entry (as done in the simple-minded abstraction of [23]).When analysing the body of the function, we create an abstract transition for each recursive branch, taking into account the branch condition.The abstract variables will be m, n and 0 (the analyser should recognize that these three quantities are involved in the comparisons).The resulting MCS thus consists of two abstract transitions: else 0 Here, it is possible to use the SCT framework by placing the control-flow point at the call site, where we know that the difference m − n is positive, and using the difference as the abstract variable.With an MCS, we can use a straight-forward translation: As noted, both of the above examples could be proven terminating by SCT using an abstraction that relies on invariants and judicious placement of the flow-points; such techniques have been implemented, for example, in the theorem prover ACL2 [27].The next programs challenge to the simple invariant-based technique, and therefore illustrate more significantly the advantage of monotonicity constraints.
Example 2.9.Consider the following program: g(m,n) = if m <= 0 then n else g(n, m-1) Both parameters are pertinent to termination, but only m is known to be positive at the call site.But as m ′ is unrelated to m, this does not suffice to prove termination.Neither is the difference n − m useful as an abstract variable, since there is no information on its sign and it does not change monotonically.Nonetheless, it is not hard to prove termination with the straight-forward MCS abstraction: Example 2.10.In this example, unsatisfiability of certain paths is crucial to the termination proof.
while (0<x<n) if b then x := x+1 else x := x-1 A way to handle this program with SCT might be the calling-context method implemented in ACL2; the theorem prover is used to discover the fact that an increment cannot be followed by a decrement (or vice versa).It produces an abstract program into which this information is already coded.It also produces the abstract variable n − x.In contrast, with monotonicity constraints, a naïve translation of the program is sufficient.Since only the integer domain is treated in this work, we represent the Boolean variable b as an integer with the test interpreted as b>0.This yields: The apparent difficulty here is that the sign of n is not known at the point where it is added to m.Hence, one cannot adequately represent the effect of such an update by a monotonicity constraint.A similar problem arises with other operations (notably subtraction).However, this nut is easily cracked, since one can represent the effect of addition as a disjunction of three monotonicity constraints.Thus, for the above program, we have the following (terminating) abstraction: Note that when n is initially positive, the first parameter grows at first, until n reaches zero and then the first parameter begins to shrink.Programs with such "phase shift" have attracted the attention of termination researchers, and appear in several publications, e.g., [11].

2.4.
A comment regarding state invariants.None of the above examples used state invariants (associated with a flow-point rather than a transition), and in fact it is easy to see that one can always do without them, as it is possible to include the constraints I f in every MC that transitions from f .However, it may be convenient to make the association of certain assertions with a flow point, rather than a specific transition, explicit, and our algorithms make significant use of such invariants.

Z:
The next two sections deal, respectively, with the representation and transformation of MCSs; the ideas are not essentially different from those used in [6] but there are some new details which are important for the sequel.
2.5.Weighted graph representation.An MC can be represented by a labeled digraph (directed graph).This representation enables a style of reasoning, using graph properties like paths, which has been very useful in most, if not all, previous work on SCT and monotonicity constraints.An arc x r − → y (r is the label) represents a relation x > y or x ≥ y.One only needs two labels, > and ≥.It is convenient to use integers for the labels, and apply techniques from the world of weighted graphs.Hence, we employ the term weighted graph representation.Definition 2.12.The weighted graph representation of a monotonicity constraint is a weighted digraph with node set {x 1 , . . ., x n , x ′ 1 , . . ., x ′ n } and for each constraint x > y (respectively x ≥ y), an arc x −1 − − → y (x 0 − → y ′ ).The arcs are referred to, verbally, as strict (label −1) or non-strict (label 0).
The notation x → y may be used to represent an arc from x to y (of unspecified label).In diagrams, to avoid clutter, we distinguish the types of arcs by using a dashed arrow for the weak inequalities (see Figure 1).Note that an equality constraint x = y is represented by a pair of non-strict arcs.In certain algorithms, it is convenient to assume that the such arcs are distinguished from "ordinary" non-strict arcs.We refer to them as no-change arcs.Definition 2.13 (⊢).Let P (s, s ′ ) be any predicate over states s, s ′ , possibly written using variable names, e.g., Definition 2.14.A monotonicity constraint G, in graph representation, is closed under logical consequence (or just closed) if, whenever G ⊢ x > y, or G ⊢ x ≥ y, for x, y ∈ {x 1 , . . ., x n , x ′ 1 , . . ., x ′ n }, the stronger of the implied relations is explicitly included in the graph.
Note that for G : f → g, the condition G ⊢ P takes the invariants I f and I g into account (consider Definitions 2.3 and 2.13).Thus, a closed MC subsumes the invariants in its source and target states.Definition 2.15.An MC H is at least as strong as G if whenever G ⊢ P , also H ⊢ P .The (consequence) closure of a monotonicity constraint G, denoted G, is the weakest MC that is at least as strong as G and is consequence-closed.
The closure of a graph be computed efficiently (O(n 3 ) time) by a DFS-based algorithm.First the graph is divided in strongly connected components.Within every component, only non-strict arcs should appear; otherwise the graph is unsatisfiable and should be immediately replaced by the fixed object ⊥.Otherwise, the components represent groups of variables constrained to be equal, and the acyclic graph of components can be processed to determine the constraints relating each pair.
Henceforth, we identify a MC with its consequence-closed graph representation, and assume that this is how our algorithms will maintain them.In graph representation, the restriction of the SCT framework is that only arcs of the form x → y ′ are admitted.Graphs of this form are called size-change graphs in the SCT literature and so will they be called in this paper.

Transforming MC systems.
A key tool in processing MC systems is the idea of transforming them for the purposes of analysis.We employ two kinds of transformations: the first kindcreates a new system that is "equivalent" in the sense that they have the same runs, up to renaming of flow-points and possibly variablesthe precise notion is bisimulation, defined below.The second kind of transformation creates a system that represents part of the runs of the given one-see the definition of restriction below.These definitions are given here for later reference.The first (bisimulation) is cited verbatim from [6].Definition 2.16.Let A, B be transition systems, with flow-point sets F A , F B respectively, and both having states described by n variables.We say that A simulates B if there is a relation φ ⊆ F B × F A ("correspondence of flow-points") and, for all (f, g) ∈ φ, a bijection ψ g,f : {1, . . ., n} → {1, . . ., n} ("variable renaming") such that for every (finite or infinite) state-transition sequence (f We say that A bisimulates B if, in addition, for every (finite or infinite) state-transition sequence (g Thus, A bisimulates B if they simulate each other via the same pair of mappings.Definition 2.17.We say that an abstract program A (bi-)simulates an abstract program B if T A (bi-)simulates T B , via mappings φ and ψ, as above.
We say that A simulates B deterministically if for every f ∈ F B and assignment σ satisfying I f there is a unique g ∈ F A with (f, g) ∈ φ such that, letting σ ′ = σ • (ψ g,f ), assignment σ ′ satisfies I g .
If A bisimulates B, and A simulates B deterministically, we say (for brevity) that A bisimulates B deterministically.
Determinism means that the invariants of different A flow-points that simulate a given B flow-point have to be mutually exclusive.Definition 2.18.The notation A ∼ φ,ψ B means that A simulates B deterministically via flow-point correspondence φ and the variable renaming function φ.We omit φ when it is the identity, and omit both if it is not important to specify them.Definition 2.19.Let A, B be transition systems, with same flow-point sets F A = F B , and both having states described by n variables.We say that A is a restriction of B, and write A ⋐ B, if every (finite or infinite) state-transition sequence (f 1 , σ 1 ) → (f 2 , σ 2 ) → (f 3 , σ 3 ) → . . . of B is also a transition sequence of A.
A restriction results, obviously, from tightening the constraints at certain flowpoints or transitions.Definition 2.20.We write A ⋐ φ B, if there exists C such that A ⋐ C and C ∼ φ B.

Stable Systems
The notion of stable MC systems is from [6].This section recalls the definition and states some consequences of stability that are used in forthcoming proofs.
Z: There is no novelty here.Definition 3.1.An MCS A is stable if (1) all MCs in A are satisfiable; (2) For all G : f → g in A, whenever G ⊢ x i £ x j (some relation between source variables), also Note that while consequence-closure requires that all information from I f and I g be present in G, stability requires that G cannot add information to I f and I g .Stabilizing a given system may require flow-points to be duplicated, since two MCs coming out of f may disagree on the conditions that must be placed in I f .
It is always possible to tranform an MC system B into a stable A such that A ∼ B; this transformation is called stabilization, and an algorithm is described in [6].Stabilization does not rename variables, but may require flow-points to be duplicated, since two MCs coming out of f may disagree on the conditions that must be placed in I f .In the worst case, it can multiply the size of the system by a factor exponential in the number of variables n (specifically by the Ordered Bell Number B n which is between n! and 2 n−1 n! [30, Seq.A670]).A brute-force solution, which always reaches the worst case, was also described.This solution turned out useful in constructing global ranking functions and will also be used for this purpose in this paper.
3.1.Properties of stable systems.Lemma 3.2.Let M = G 1 G 2 . . .G ℓ be a finite multipath of a stable MCS.Suppose that there is a path in M from x[0, s] to x[ℓ, t].Then there is a thread with such endpoints.
The lemma works for down-paths (and down-threads) as well as for up-paths (and up-threads), which can be seen (for more convenient argument) as paths in the transposed graph.
Proof.We consider the shortest path among the given endpoints.It has to be a thread, for otherwise it has two consecutive arcs among the nodes of a single graph G i .Stability and consequence-closure of the graphs imply that these two arcs can always be replaced by a single one, contradicting the choice of a shortest path.
. .G ℓ be a finite multipath of a stable MCS.Suppose that there is a path in M from x[t, i] to x[t, j] for some t, i, j with i = j.Then there is an arc with such endpoints.
The argument is very similar to the previous one and we omit a detailed proof.Lemma 3.4.In a stable MCS, every finite multipath is satisfiable.
The proof, again, is rather similar to the previous ones and is given in full in [6].

Termination
A central contribution of [23] was the definition of a "path based" termination condition for systems of size-change graphs, dubbed the SCT criterion.The condition hinges on the presence of certain infinite paths in infinite sequences of size-change graphs (such sequences represent hypothetic execution histories).This criterion was generalized in [6] to monotonicity constraints, where the paths have become walks (possibly cyclic).It has also been shown that assuming stability, the condition reduces to the SCT criterion, which is easier to reason about as well as to test for.
x[0, 3] In this section we prove that for π-termination too, termination is captured by a path-based criterion.We consider in particular the case of a stable system, but also the general case.This yields a proof that π-termination is decidable in PSPACE.

Z:
The path-based criterion, and consequently the algorithm, enhance the criteria and algorithm of [6] in a way which seems, at least after the fact, very natural.The completeness proof was the challenging part as it differs significantly from [6]; it is inspired by [12].This section also includes a discussion of the algorithm proposed in [12].
Definition 4.1 (multipath).Let A be an n-variable MCS, and let f 0 . .be an MC-labeled path in the CFG (either finite or infinite).The multipath M that corresponds to this path is a (finite or infinite) graph with nodes x[t, i], where t ranges from 0 up to the length of the path (which we also refer to as the length of M ), and 1 ≤ i ≤ n.Its arcs are obtained by merging the following sets: for all t ≥ 1, M includes the arcs of G t , with source variable x i renamed to x[t − 1, i] and target variable x ′ j renamed to x[t, j].The multipath may be written concisely as G 1 G 2 . . .; if M 1 , M 2 are finite multipaths, M 1 corresponding to a CFG path that ends where M 2 begins, we denote by M 1 M 2 the result of concatenating them in the obvious way.The notation (G) x represent a multipath made of x copies of G.
Figure 2 depicts multipath G 1 G 3 G 1 , based on the MCs from Figure 1.
Clearly, a multipath can be interpreted as a conjunction of constraints on a set of variables associated with its nodes.We consider assignments σ to these variables, where the value assigned to x[t, i] are denoted σ[t, i].A multipath can be seen as an execution trace of the abstract program, whereas a satisfying assignment constitutes a (concrete) run of T A .Conversely: every run of T A constitutes a satisfying assignment to the corresponding multipath.Definition 4.2.A path in the graph representation of an MC or a multipath is strict if it includes a strict arc.

Observation 4.3. A finite multipath is satisfiable if and only if it does not contain a strict cycle.
We next define down-paths and up-paths.The definition of a down-path is just the standard definition of path (which has already been used in this paper) but it is renamed in order to accommodate the notion of an up-path.Definition 4.4.A down-path in a graph is a sequence (v 0 , e 1 , v 1 , e 2 , v 2 , . . . ) where for all i, e i is an arc from v i−1 to v i (in the absence of parallel arcs, it suffices to list the nodes).An up-path is a sequence (v 0 , e 1 , v 1 , e 2 , v 2 , . . . ) where for all i, e i is an arc from v i to v i−1 .
The term path may be used generically to mean either a down-path or an uppath (such usage should be clarified by context).
Semantically, in an MC or a multipath, a down-path represents a descending chain of values, whereas an up-path represents an ascending chain.Note also that an up-path is a down-path in the transposed graph.
An up-thread in M is an up-path that only includes arcs in a backward direction A thread is either.

4.2.
Combinatorial criteria for π-termination.We formulate necessary and sufficient conditions for the termination of an MCS in terms of its multipaths.The first criterion is called Condition S as it assumes a stable MCS.The second, Condition G, works with any MCS.We may later refer to the up-thread (x[k, l k ]) as the low thread, while the downthread (x[k, h k ]) is the high thread.This naming is meant to stress the relation the values assumed by the variables on the low thread are always lower than those assumed on the high thread.The fact that the values in the high thread descend, while those in the low thread ascend, suggests that the process cannot go on forever, which is what we want.A down-thread/up-thread pair satisfying this condition will be called an approaching pair.If the condition of infinitely many strict arcs is not guaranteed, we will use the term a weakly approaching pair.Theorem 4.7.Condition S is a sufficient condition for π-termination.
Proof.Suppose that Condition S is satisfied and that A does not terminate.Thus, some infinite multipath M is satisfiable.The threads postulated in Condition S imply that the sequence of differences σ[k, h k ] − σ[k, l k ] is infinitely descending, while consisting of non-negative integers.This is impossible, so we conclude that A is π-terminating.
Condition S is also a necessary condition for termination of stable systems (i.e., the criterion is sound and complete), but we will prove this later.
Readers familiar with SCT will surely notice that if, for each flow-point f , for every pair of variables such that I f ⊢ x i ≤ x j , we create a variable x (i,j) to represent x j − x i (guaranteed to be non-negative) and we connect such variables with the obvious size-change arcs (if x i ≤ x ′ l and x j ≥ x ′ h then x (i,j) ≥ x ′ (l,h) , etc), Condition S becomes equivalent to ordinary (well-founded) size-change termination in the new variables.The SCT condition requires every infinite multipath to include an infinitely-descending thread (a down-thread which is infinitely often strict).Our approaching pairs correspond precisely to threads in the difference variables.
Thus, given a stable system, π-termination reduces to SCT, and this immediately provides us with a decision algorithm.Nevertheless, we dedicate the next couple of subsections to new decision algorithms, based directly on Condition S. The motivation for doing so is threefold.First, it is theoretically interesting to see how such a direct algorithm would work.Secondly, the SCT algorithms are exponential in the number of variables.Creating difference variables in advance squares the exponent, which is bad.Finally, we shall employ one version of the direct algorithm in proving the completeness of our termination criterion.4.2.2.The General Case.Dropping the stability does not complicate the statement of the termination condition very much.Instead of threads, we have to consider paths of any form (even such that repeat arcs).Definition 4.8.MCS A satisfies Condition G if in any infinite multipath M (with variables denoted by x[i, j]) there is an up-path (x[L j , l j ]) j=0,1,... and a down-path (x[H j , h j ]) j=0,1,... such that at least one of the paths has infinitely many strict arcs.Moreover, for infinitely many values of k, there is a path from Theorem 4.9.Condition G is a sound condition for Z-termination.
Proof.Suppose that Condition G is satisfied and that some infinite multipath M is satisfiable.Then the paths described in Condition G exist and imply that the sequence of differences ).This is impossible, hence no infinite multipath is satisfiable, or equivalently, the MCS Z-terminates.Theorem 4.10.Conditions G and S are equivalent for a stable system.
Proof.Condition S is a special caes of Condition G, so all we have to prove is that if Condition G is satisified, so is Condition S. Suppose, then, that Condition G holds, and we have the paths (x[L j , l j ]) j=0,1,... and (x[H j , h j ]) j=0,1,... , as above.It is easy to see that since for infinitely many values of k, there is a path from it is also true that for any k and j, there is a path from x[H k , h k ] to x[L j , l j ] (the path may use parts of the up-path and down-path themselves).
To each path, we can apply Lemma 3.2 to obtain a thread whose nodes are a subset of the nodes of the path; an up-thread (x[t, l jt ]) t≥t 0 and a down-thread (x[t, h kt ]) t≥t 0 .At least one of the threads is infinitely often strict.
From the previous observation, we know that there is, for every t, a path from x[t, h kt ] to x[t, l jt ].Applying Lemma 3.3, we cam show that the relation x[t, h kt ] ≥ x[t, l jt ] must be included in the invariant for the corresponding flow-point.
Condition G is also a complete criterion for termination; the proof is based on stabilizing the system and the equivalence of Conditions G with Condition S in the stable one.The details are omitted as they are tedious and give no new insight.

4.3.
A Closure Algorithm for Stable Systems.We next present an algorithm to decide termination of stable Integer MCS by computing a composition-closure and applying a certain test to the elements of the closure set.This algorithm is based on the Closure Algorithm for the well-founded model [24,13,17,23,6], and is theoretically related to the Disjunctive Well-Foundedness principle [19].An algorithm sans stability is presented later for completeness; but our analysis of the algorithms and their correctness makes substantial use of stability (note the previous paragraph).
The following definitions are essentially from [6]: , is a MC with source f and target h, which includes all the constraints among s, s ′ implied by Composition is similar to logical closure and can be implemented by a DFSbased algorithm in O(n 3 ) time.

Definition 4.12 (collapse). For a finite multipath
Applying composition together with logical closure, we can easily compute of M for a given M .Definition 4.13.Given an MCS A, its closure set cl(A) is The closure set can be computed by a routine least-fixed-point procedure, as in [5].Definition 4.14 (cyclic MC).We say that a MC G is cyclic if its source and target flow-points are equal.This is equivalent to stating that GG is a valid multipath.Definition 4.15 (circular variant).For a cyclic G, the circular variant G • is a weighted graph obtained by adding, for every variable x i , an edge x i ↔ x ′ i .This edge is treated as a pair of no-change arcs, but is distinguished from edges already present in G.These additional edges are called shortcut edges.Definition 4.16 (types of cycles).Let G be a cyclic MC.A cycle in G • is a path commencing and ending at the same node.It is a forward cycle if it traverses shortcut edges only in the backward direction (from x ′ i to x i ) 2 .It is a backward cycle if it traverses shortcut edges only in the forward direction.This test resembles Sagiv's local test for the well-founded case [24], and likewise can be implemented as a DFS-based algorithm in linear time, on which we will not elaborate.Figure 3 illustrates the test.Proof.Suppose first that M ′ satisfies Condition S. The down-thread in M ′ can be mapped back to M , where it consists of variables is actually an arc of M i+1 , and reflects (by the definition of composition) a path in M i+1 .By Lemma 3.2, this path can be assumed to be a thread.We thus obtain an infinite down-thread that passes through the variables x[k i , h i ].Similarly, we obtain an infinite up-thread through the variables For the converse implication, we assume that M satisfies Condition S and we are to prove it for M ′ : this is symmetric, but simpler than the above argument, and so is left to the interested reader.
Proof.(of Theorem 4. 19) We suppose that every cyclic MC in cl(A) passes the LTTS.Let M = G 1 G 2 . . .be any infinite A-multipath.
Consider the set of positive integers, and label each pair (t, t ′ ) , where t < t ′ , by By assumption, G I passes the LTTS.Let F be the forward cycle.Due to consequence-closure, we can shrink each segment of F that consists of ordinary arcs (not shortcuts) into a single arc, so that without loss of generatlity we may assume that the cycle alternates source (unprimed) with target (primed) variables.We can thus choose indices h 1 , h 2 , . . .such that the nodes of the cycle are and so on up to x ′ hs for some s > 0, with h s = h 0 .We can do the same for the backward cycle B, denoting the variables by x l j and x ′ l j , for 0 ≤ j < ŝ, where ŝ is the length of that cycle.By LTTS, there is also an arc from a node of F to a node of B; suppose that they are both source nodes; then, without loss of generality (a cycle can be begun at any point), we can assume that G ⊢ x h 0 ≥ x l 0 .In fact, there is no loss of generality in assuming that the related nodes are source nodes, either; suppose, for example, that we have G ⊢ x ′ h 1 ≥ x l 0 ; then G ⊢ x h 0 ≥ x l 0 is implied.Other situations can be handled similarly.
To show that Condition S is satisfied, we map the cycles onto infinite threads in (G I ) ω .The kth node of the down-thread is x[k, h k mod s ].The kth node of the up-thread is x[k, l (ŝ−k) mod ŝ] (indexing the backward cycle with ŝ − k rather than k yields an up-thread).Either the infinite down-thread or the infinite up-thread (or both) is infinitely often strict.
According to our assumptions, for all q we have the constraint since we have the following path: traversing part of the up-thread from x[k, h k mod s ] to x[qsŝ, h 0 ] for some q such that qsŝ ≥ k, then using x[qsŝ, h 0 ] ≥ x[qsŝ, l 0 ] which we have by assumption, and then traversing the down-thread in the reverse direction from x[qsŝ, l 0 ] to x[k, l k mod ŝ].By Lemma 3.3, the deduced constraint must explicitly appear in in the multipath.
We conclude that Condition S is satisfied by (G I ) ω .
4.4.The Role of Idempotence.We call G idempotent if G is cyclic and G; G = G.Following [12] (and similar results in [17,23]), we claim: (1) In the closure algorithm, it suffices to test only idempotent members of cl(A).
(2) The local test becomes simpler with idempotent graphs.
The first claim is easy to justify by studying the argument in the soundness proof: the graph G I whose existence is established there is clearly idempotent.For the second, let us describe the simple test and justify it.
, where at least one of the last two inequalities is strict.Lemma 4.22.Let A be a stable MCS and G an idempotent, cyclic MC in cl(A).Then G passes the LTTS if and only if it passes the LTT1.
Proof.One direction of this equivalence is easy: if G passes the LTT1, it has the cycles x h → x ′ h → x h and x l → x ′ l → x l , that satisfy the LTTS.For the other direction, suppose that G passes the LTTS.Repeating the analysis in the proof of Theorem 4.19, and re-using the notation, we let 2s be the length of the forward cycle (assuming it alternates shortcut and ordinary arcs) and 2ŝ the length of backward cycle (under a similar assumption), and consider the multipath l , that one of these relations is strict, and that G ⊢ x l ≤ x h .Therefore, G passes the LTT1.
We obtain the following version of the closure algorithm: Though this algorithm makes fewer local tests, it does not seem to be practically better than the previous, since the local test is quite efficient.On the contrary, applying the test to every graph in the closure allows for early discovery of failure.More importantly, it allows for reducing the size of the set by subsumption (consider [8,18] and others).4.5.Complexity.The closure algorithm, regardless of minor savings based on idempotency or subsumption, has an exponential worst-case for time and space.This follows from the fact that the closure set can be exponential.An easy upper bound is this: for any pair of flow points f, g, an MC relates the 2n variables in the source and target states.The number of such MCs is easily bounded by 3 4n 2 as an MC is completely specified by choosing either ≤, < or "nothing" for every ordered pair of variables.The complexity of the whole data structure, and the time of the algorithm, are thus poly(m) • 2 O(n 2 ) where m is the number of flow-points 3 .
In Section 5, a polynomial-space algorithm will be described, just to make the theoretical classification of the problem in PSPACE.Practically, the polynomialspace version is not attractive because its running time gets worse.On the other hand, in Section 4 we show that the exponent in the running time can be brought down to O(n log n).But this, too, seems to be an improvement only in a highly theoretical sense.4.6.Completeness.This section proves the completeness of Condition S, as well as the closure algorithm, by proving that if an idempotent MC in a stable system does not satisfy the LTTS, the system fails to terminate.
To show that the system does not terminate, we exhibit a satisfiable infinite multipath.
Lemma 4.24.Let M be a finite, cyclic, satisfiable multipath and Proof.Suppose that (G) ω is satisfiable.That is, a satisfying assignment σ exists such that σ[t, i] is the value of x[t, i].Consider (M ) ω .For distinction, let us denote its variables by x ′ [ , ].Let ℓ be the length of M ; the variables x ′ [ℓt, i] represent the borders of the copies of M , and correspond to the source and target variables of G. Recall that i varies between 1 and n, the number of variables.Set σ ′ [ℓt, i] = n(ℓ + 1)σ[t, i].We claim that σ ′ can be extended to a satisfying assignment for (M ) ω .The construction is illustrated in Figure 4.
When considering the assignment to a particular copy of M , it is possible to ignore all others, since all nodes on its boundary are already assigned.Thus, suppose that we are given a copy of M , say the p th copy, with an assignment to its boundary nodes given by σ ′ [pℓ, ] and σ ′ [(p+1)ℓ, ].Consider M as a weighted graph; the graph has no negative-weight cycles, or M would be unsatisfiable.
Let µ be the biggest value assumed by σ ′ over the boundary nodes of M .Add an auxiliary node z to M and arcs from z to all M 's nodes, weighted as follows: an arc to a boundary node x ′ [(p + j)ℓ, i] is weighted by σ ′ [(p + j)ℓ, i].All other arcs have weight µ + n(ℓ + 1) (note that n(ℓ + 1) bounds the length of any simple path in M ).Let δ z (j, i) be the weight of the lightest path from z to x ′ [j, i].This is well-defined, due to the absence of negative cycles.
If there is an arc of weight w from x ′ [j, i] to x ′ [j ′ , i ′ ], then δ z (j ′ , i ′ ) ≤ δ z (j, i) + w.Recalling that non-strict arcs have a weight of 0 and strict arcs, of −1, it is easy to see that assigning δ z (j, i) to x ′ [j, i] is a satisfying assignment for M .
It rests to show that this assignment agrees with σ ′ .To this end, let x[(p+j)ℓ, i] be a boundary node.By construction, δ z ((p + j)ℓ, i) ≤ σ ′ [(p + j)ℓ, i].A strict inequality can only arise if there is a path from z to x ′ [(p + j)ℓ, i], lighter than the immediate arc.It can be assumed to be a simple path; it begins with an arc z → x ′ [r, s] and then rests within M .Let P be the segment within M ; since it is simple, its weight w is bigger than −n(ℓ + 1).Using this, one can easily eliminate the possibility that the path begins with an arc z → x ′ [r, s] where x ′ [r, s] is not a boundary node.Suppose, then, that x ′ [r, s] is a boundary node, and can be written as x ′ [(p + k)ℓ, s].Then, we have We now distinguish two cases.If σ[p + k, s] > σ[p + j, i], we get (multiplying by n(ℓ + 1)): We conclude that δ z ((p + j)ℓ, i) = σ ′ [(p + j)ℓ, i], so we have a satisfying assignment that extends σ ′ , as desired.Lemma 4.25.Let A be a stable MCS and G ∈ cl(A) be an idempotent MC that does not pass the Local π-Termination Test for Stable Systems.Then A has a satisfiable, infinite multipath.
Proof.We will show that (G) ω is a satisfiable multipath.Then, the conclusion will follow by Lemma 4.24.
The first step is to add a new variable x 0 ("the zero line") with constraint x 0 = x ′ 0 .Next, we make sure that every other variable is related to x 0 .We do this as follows: (1) For each If there is a variable x i which is still unrelated to x 0 , we add x i > x 0 and x ′ i > x ′ 0 .This is repeated until all variables are related to x 0 or x ′ 0 .It is not hard to verify that G remains idempotent throughout this process.G also remains satisfiable, since the above additions are non-contradictory: It is easily seen that in the first stage, the additions cannot be contradictory-they cannot form a directed cycle; the additions in the second stage cannot be contradictory among themselves, and they cannot form a contradiction with the additions of the first stage, because, by assumption, we cannot have x i < x ′ i in G together with x j > x ′ j and x j ≥ x i (or x ′ j > x ′ i ).In the third stage, it is obvious that no contradictions can arise.
Let G denote the extended MC; we will show that ( G) ω is satisfiable.Let V be the set of variables of ( G) ω .We define an assignment σ : V → Z as follows: • For all t, σ(x[t, 0]) = 0. We shall refer to these variables collectively as 0 (note that they are all related by equalities so if a variable is related to one of them, it is related to all).• For all v ∈ V such that there is a directed path from v to 0, let σ(v) be the maximum number of strict arcs on such a path (note that only simple paths need be considered, since there are no strict cycles).• For all v ∈ V such that there is a directed path from 0 to v, let σ(v) be the negation of the maximum number of strict arcs on such a path.Note that since every variable in G is related to x 0 (or x ′ 0 ), we have covered all cases.Why are the assignments well-defined?The only problem to worry about is the existence of a node v such that its distance from 0 is unbounded.
Suppose that such v exists and that there is a path from v to 0 (the other case, a path from 0 to v, is symmetric).Thus, there are infinitely many paths P i from v to 0, such that P i has at least i strict arcs.For each such path, we can assume that only one 0 appears on the path; otherwise we can cut the path at the first occurrence (there can be no strict arcs among occurrences of 0).
The pigeon-hole principle shows that for sufficiently large i, P i must visit a certain state-variable x j twice, say as x[t, j] first and x[t ′ , j] later, with a strict arc in-between.Moreover, by choosing i big enough, we can enforce the condition t ′ > t.Then, by idempotence of G, we have G ⊢ x j > x ′ j .But then, x j < x 0 is in G; the rest of P i implies that there is a path from x[t ′ , j] to 0, so we also have G ⊢ x ′ j ≥ x 0 , a contradiction.
We conclude that our assignment σ is well defined; and the fact that it satisfies all constraints is easy to prove by its construction.Since it satisfies ( G) ω , it also satisfies (G) ω .Theorem 4.26.If a stable MCS does not satisfy Condition S, it is not π-terminating.
Proof.Let A be such a system; suppose that every idempotent MC in cl(A) passes the LTT1.The Condition S is satisfied, contradictory to assumption.So there has to be an idempotent MC which fails the LTTS, and by the last lemma, a nonterminating run exists.
Corollary 4.27.Condition S is a equivalent to π-termination of a stable MCS, and the closure algorithm is a sound and complete decision procedure.4.7.Codish, Lagoon and Stuckey's Algorithm.Codish, Lagoon and Stuckey [12] also gave (albeit implicitly) an algorithm to decide termination of an integer MCS, under the assumption that the data represented are non-negative integers (so termination follows either by descent towards zero, or by approaching variables).The algorithm is closely related to Algorithms 4.18 and 4.23.

Definition 4.28 (balanced constraint, [12]). A cyclic monotonicity constraint
The balanced extension G B of G is the weakest monotonicity constraint which is at least as strong as G and is balanced.
To compute the balanced extension, Codish, Lagoon and Stuckey suggest a fixed-point computation: Define bal(G) They observe that there always is a p such that bal (p) (G) is balanced and equals G B (it is then a fixed point of bal).Since there are at most 4n(n − 1) constraints that can be added by bal, p ≤ 4n(n − 1) (according to [12], there are tighter bounds).Hence, G B can be computed from G in polynomial time.The CLS algorithm relies on the balancing procedure to compensate for lack of stability in A. In fact, the significance of G B can be related to stability.Consider the MCS {G}, consisting of a single cyclic MC.Let S{G} be the smallest stable system bisimulating {G} It is not hard to prove that in S{G} there is a single cyclic graph, namely G B .
Soundness and completeness of Algorithm 4.29 are quite similar to those given for Algorithms 4.18 and 4.23.Codish et al. give a partial completeness proof, specifically they prove that if G B fails the test than {G} does not terminate.The piece missing for proving non-termination of A is precisely Lemma 4.24.

4.8.
A General Closure Algorithm.We next present an algorithm which computes the composition-closure and applies a local test, which does not rely on stability.In essence, it corresponds to Algorithm 4.18 in the way that Condition G (Section 4.2.2) corresponds to Condition S; as Condition G refers to general paths instead of (up or down) threads, so will this test refer to cycles in the graph that may have a more complicated form than those used by Algorithm 4.18.Since this is a strict generalization and does not conflict with the prior definitions, we use the same terminology for cycles, redefined as follows.

Definition 4.30 (types of cycles, generalized). Let G be a cyclic MC. A cycle in G
• is a forward cycle if it traverses shortcut edges more often in the backward direction (from x ′ i to x i ) than it does in the forward direction; a backward cycle, if it traverses shortcut edges more often in the forward direction; and a balanced cycle if it traverses shortcut edges equally often in both directions.
Figure 5 (a-c) illustrates a forward cycle in the extended sense.Definition 4.31 (Local Termination Test, General Case).For a cyclic G, we say that G passes the Local π-Termination Test, or LTT, if G • either has a balanced strict cycle, or both a forward cycle f and a backward cycle b, at least one of which is strict, and a path from a node of f to a node of b.The proof of this algorithm much alike the proof of a similar algorithm for the well-founded model [6], but rather tedious and is omitted.4.9.Summary.In this section we have presented a path-based condition for termination, its soundness and completeness, and sound and complete decision procedures based on it.The condition comes in two flavours: there is a version for general MCSs and a version for stable ones.We concentrated on the latter.Stabilization may be costly (the worst case incurs exponential blow-up), and hence the algorithms that do not require this preprocessing may be more efficient in practice (at least, if all we require is to decide termination).We also included Codish, Lagoon and Stuckey's algorithm, which is similar to the new algorithms proposed here.The contribution of the new algorithms may be mostly theoretical-a contribution to the understanding of MCS termination, as they are directly related to the path-based criteria.In addition, we have closed a gap in the completeness proof of [12].In the sequel, an entirely different algorithm will be proposed, which constructs an explicit global ranking function.If only the decision problem is of interest, the last (without stabilization) is probably the most efficient, except for simple cases (such a simple case is SCT transition systems, since they are always stable).

Full and Partial Elaboration
In [6], some of the results were proved using the following observation: for a finite number of variables, there are only finitely many orderings of their values.It is thus possible to exhaustively list all possibilities and create an explicit representation of how transitions will affect each one.This is called full elaboration of an MCS.It served two purposes in [6] (and so it will in the current paper): first, since it generates a stable system, it gives an easy route to a decision procedure-one which is inefficient regarding time but can be used to prove that the problem is decidable in polynomial space.The second purpose was the algorithm to construct a global ranking function; the fully-elaborated system has some structural properties that the construction was based on.In this paper, too, we use full elaboration in that way.The current section presents full elaboration as defined in [6], and infers PSPACEcompleteness of the termination problem; then, partial elaboration is introduced, as a tool to be used in the subsequent section.
Z: The idea of full elaboration is taken from [6] , and Theorem 5.4 is a straight-forward application, as it was in the previous paper.The idea and details of partial elaboration are new definitions that are necessary for the new algorithm in the following section.
Definition 5.1 (full elaboration).An MCS A is fully elaborated if the following conditions hold: (1) Each state invariant fully specifies the relations among all variables.That is, for i, j ≤ n, one of the relations x i = x j , x i < x j or x i > x j is specified by I f .(2) Each MC is closed under logical consequence.
(3) Each MC in A is satisfiable.
Since the state invariant fully determines the relations among all variables, we can re-index the variables into sorted order, so that the invariant becomes Of course, the re-indexing has to be incorporated also in MCs incident to this flowpoint, but this is straight-forward to do.Indexing the variables in sorted order has some convenient consequences, such as the having the property: The number of possible orderings of n variables, hence the maximum number of copies we may need to make of any flow-point to achieve full elaboration, is the the nth ordered Bell number B n , already mentioned.We denote the set of these orderings by Bell n , and assume that we fix some convenient representation so that "orderings" can be algorithmically manipulated.
The algorithm of full elaboration follows almost immediately from the definitions, and here it is, quoted from [6]: Algorithm 5.3.(full elaboration) Given an MCS B, this algorithm produces a fully-elaborated MCS A, along with mappings φ and ψ, such that A ∼ φ,ψ B.
(1) For every f ∈ F B , generate flow-points f π where π ranges over Bell n .Define the variable renaming function ψ fπ,f so that ψ fπ,f (i) is the ith variable in sorted order, according to π.Thus, I fπ will have exactly the form (5.1).
(2) Next, for every MC G : f → g in B, and every pair f π , g ̟ , create a size-change graph G π,̟ : f π → g ̟ as follows: (a) For every arc x → y ∈ G, include the corresponding arc in G π,̟ , according to the variable renaming used in the two A flow-points.(b) Complete G π,̟ by closure under consequences; unsatisfiable graphs (detected by the closure computation) are removed from the constructed system.
Since a fully elaborated system is stable, full elaboration allows termination to be checked by a closure algorithm as previously described.However, full elaboration will often be costlier than stabilization by fixed-point computation.Therefore, it is not worthwhile-unless we are interested in worst-case complexity!The complexity of the closure algorithm has an exponent of n 2 , while full elaboration only introduces an exponent of n log n and can subsequently be tested for termination by an algorithm of the same exponent, as the next section will show.Full elaboration is also a convenient means to justify the PSPACE upper bound.
Proof.It is known [23] that the SCT Termination problem is PSPACE-hard, which also applies to MCS because SCT is a special case (to reduce an SCT problem, which assumes well-foundedness, to a π-termination problem, include a "bottom" variable and constrain all others to be bigger.This is like restricting the domain to the positive integers).
To show that the problem is in PSPACE, we will outline a non-deterministic polynomial-space algorithm for the complement problem, that is, non-termination.The result will follow since (by Savitch's theorem) coNPSPACE = NPSPACE = PSPACE.
Algorithm 4.18 can be seen as a search for a counter-example-a cycle in the CFG that fails the test.The non-deterministic algorithm guesses such a cycle.In each step, it adds a transition to the cycle while composing the transition's MC with an MC that represents the CFG path traversed so far.Only this MC, along with the initial and current flow-point, have to be maintained in memory.Whenever the current flow-point is the same as the initial one, the local termination test is applied.If at some point, an unsatisfiable MC results, the algorithm has failed to find a counter-example.Otherwise it continues until finding one.
Given an input MCS B, we apply the Closure Algorithm to the fully elaborated system A equivalent to B. To achieve the polynomial space bound, A is never constructed explicitly.In fact, to represent a flow-point f π of A, we just maintain the B flow-point f along with the ordering π (we do not re-index the variables).If the next flow-point is chosen to be g ̟ (both the flow-point and the ordering are chosen non-deterministically), the MC G π,̟ is computed on the spot.
It should be easy to see that the algorithm only needs access to the original MCS B and to an additional linear amount of memory.
In the next section we will have a situation where we require information about the ordering of variables which is not present in the given flow-point invariant, but we do not need the whole ordering.We gain efficiency by only performing a partial elaboration, defined generally as follows: Definition 5.5.Let f be a flow-point in an MCS and let I 1 , . . ., I k be conjunctions of order constraints that are mutually exclusive and satisfy A partial elaboration step applied to f, I 1 , . . ., I f splits f into k flow-points, f i having the invariant I i , and accordingly replicates every MC from f (or into f ).Every such MC is consequence-closed under the new source (or target) invariant, and eliminated if unsatisfiable.
Again, it should be obvious that partial elaboration only refines the abstract program; it does not lose or add possible runs, up to the renaming of flow-points.But it makes the program easier to analyse.As described, it makes the system possibly unstable.Stabilizing the system again may require additional flow-point splitting.For example, if we split f according to the three possible relations among x 1 and x 2 , and there is an MC f → g with constraints x = x ′ ∧ y = y ′ , we will be forced to split g as well.An important case in which we avoid this complication is SCT constraints, and in fact we can allow a bit more: Definition 5.6.A semi-SCT system is one in which there are no constraints of the form x < y ′ or x ≤ y ′ .This definition generalizes SCT because flow-point invariants are allowed.Lemma 5.7.If A is semi-SCT and stable, applying a partial elaboration step to A results in a system A ′ which is stable as well.
Proof.It is not hard to see that changing the flow-point invariant of f in a semi-SCT system does not imply any consequences for the ordering of variable values at other flow-points.
In the next section we have to handle a situation where it is necessary to know which variable has smallest value among k unrelated variables, say x 1 , . . ., x k .The reader may verify that it is possible to create k mutually exclusive invariants such that in I i , x i is minimum (with some arbitrary breaking of ties).

Ranking Functions for Integer MCSs
In this section we develop the algorithm to construct global ranking functions for Integer MCSs.The algorithm will process an MCS and either report that it is non-terminating, or provide an explicit global ranking function.This problem has been solved in the well-founded setting in [6], improving on a previous solution for SCT [22].Assuming stability, it is possible to solve the problem in the integer domain by a reduction to the well-founded setting (creating difference variables).This solution is not satisfactory, due to the potential squaring of the number of variables, figuring in the exponent of the complexity.This motivates the development of a specialized algorithm.The algorithm will achieve optimal results-in fact, a complexity similar to that obtained in the well-founded case.Achieving this results required dealing with some complications that will be pointed out in the sequel.
In preparation, let us recall the definitions and result of [6].
Definition 6.1.A global ranking function for a transition system T with state space S t is a function ρ : S t → W , where W is a well-founded set, such that ρ(s) > ρ(s ′ ) for every (s, s ′ ) ∈ T .
A ranking function for a MCS A is a ranking function for T A .Namely, it satisfies G ⊢ ρ(s) > ρ(s ′ ) for every G ∈ A.
Remarks: (1) The qualifier global may be omitted in the sequel, since we do not deal with the notion of local ranking functions.(2) The definition highlights the role of the transition system T A .In fact, to find a ranking function for an MCS, we transform it into other MC systems that represent the transition system in a refined manner.Therefore the ranking function obtained will be correct with respect to the original MCS.Definition 6.2 (vectors).Let V be a set of variables.We define V to be the set of tuples v = v 1 , v 2 , . . . of even length, where every even position is a variable of V , such that every variable appears at most once; and every odd position is non-negative integer constant.Definition 6.3.The value of v ∈ V in program state (f, σ), denoted vσ, is a tuple of integers obtained by substituting the values of variables in v according to σ. Tuples are compared lexicographically.Theorem 6.4 ([6]).Suppose that MCS B is terminating in the well-founded model, and has variables V = {x 1 , . . ., x n }.There is a ranking function ρ for B where ρ(f, σ) is described by a set of elements of V , each one associated with certain inequalities on variables, which define the region where that vector determines the function value.The complexity of constructing ρ is O(|B| • n 2n+1 ).
Here is an example, just to illustrate the form of the function: Later, to simplify the presentation and the manipulation of such functions, we can omit σ and write, for example We are thus dealing with functions that associate a symbolic tuple (or set of tuples selected by order constraints) to a flow-point.Under the assumption of a wellfounded domain, the set of tuples is also well-founded by the lexicographic order.The theorem can be easily translated to a theorem for Integer MCS, based on using pairs of variables whose difference is non-negative and forming a tuple over N (so again we have well-foundedness).This is formalized next, and yields our first (non-optimal, but simple to describe) solution.
6.1.The Difference MCS.Let D = {(i, j) | 1 ≤ i < j ≤ n}.We introduce a variable x (i,j) , with (i, j) ∈ D, to represent each difference x j − x i .Definition 6.5 (difference MCS).Let A be a fully elaborated system, with n variables in each flow point, indexed in ascending order of value.The initial difference MCS of A is an MCS A ∆ 0 where: (1) The set of flow-points is as in A. The variables are V ∪ W , where V = {x 1 , . . ., x n } and W = {x (i,j) : (i, j) ∈ D}.
(2) For every flow point f , the state invariant I ∆ f includes I f plus any constraints that can be deduced from the constraints in A, using the rule: (3) To every MC G ∈ A, there is a corresponding MC, G ∆ , in A ∆ 0 .It includes the constraints in G plus any constraints that can be deduced from the constraints of G using the rules Observe that A ∆ 0 can be derived from A by a straight-forward, polynomial-time algorithm.It is called initial because in the algorithm presented later it will be iteratively refined.But at this stage it suffices.We reproduce the observation from Section 4.2.1:Observation 6.6.Satisfaction of Condition S by A is equivalent to satisfaction of the SCT condition by A ∆ 0 , restricted to the difference variables.This allows us to find a ranking function based on the difference variables.The original variables (V ) will not be used in it.We keep them in the system, however, as an aid to the forthcoming, more efficient, algorithm.Applying Theorem 6.4 yields Corollary 6.7.Suppose that MCS B is π-terminating, and has variables x 1 , . . ., x n .There is a ranking function ρ for B where ρ(f ) is given as a set of elements of W , each one associated with certain inequalities on differences of variables.These inequalities define the region where that vector determines the function value.There are at most B n(n−1)/2 different vectors for any flow-point.The complexity of constructing To present the function in a readable way, we will replace the difference variables by expressions x i − x j , so we obtain a function like this: (the example is only meant to illustrate the form) But this is an unsatisfactory result, because of the n 2 exponent and the fact that tuples may include up to n(n − 1)/2 variable positions (or at least, this is the bound that the theorem gives).The challenge tackled in the rest of this section is how to reduce the complexity to n O(n) and the number of variables in each tuple to n − 1, by solving the problem specifically rather than reducing it to the well-founded case.This brings the upper bound close to lower bounds (for the length of the tuples, the worst-case lower bound is matched exactly) based on the results of [9].
6.2.Overview.The construction below follows the same basic outline as the one in [6], which is also similar to other global ranking-function algorithms such as [7,2].The construction is iterative, based on the notions of a quasi-ranking function and a residual transition system.Definition 6.8.Let T be a transition system with state space St.A quasi-ranking function for T is a function ρ : S t → W , where W is a well-founded set, such that ρ(s) ≥ ρ(s ′ ) for every (s, s ′ ) ∈ T .The residual transition system relative to ρ, denoted T /ρ, includes all (and only) the transitions of T which do not decrease ρ.
The outline of the algorithm is: find a quasi-ranking function, generate a representation of the residual system, repeat as long as the system is not vacant (i.e., has transitions).If the quasi-ranking functions found are tuple-valued functions ρ 1 , ρ 2 , . . ., ρ k , it is easy to see that ρ 1 • ρ 2 • . . .• ρ k is a ranking function, where • is tuple concatenation, extended naturally to functions (it is tacitly assumed that care is taken to maintain the correct structure regarding even and odd positions in the tuples).
What are the quasi-ranking functions and how are they found?We have two major cases, depending on the connectivity of the control-flow graph.If it is not strongly connected, there are flow-points that can only occur in a particular order, and we obtain the quasi-ranking function just by assigning suitable numbers to flow-points.This is the easy case.The case of a strongly-connected system is the important one.In [6], it was shown that, thanks to full elaboration, it is always possible to identify a single variable x i f for each flow-point f so that the function ρ(f ) = x i f is quasi-ranking.The proof of the existence of such a variable, and the algorithm to find it, make essential use of the fact that the n variables are totally ordered by the flow-point invariant.In the current setting, we have a total order on the original n variables, but this does not induce a total order on the n(n − 1)/2 difference variables, and it is them that will constitute the quasi-ranking functions.So, to obtain the results below, the main effort (given the results of [6]) has been to find a way to deal with the partially-ordered set of difference variables without resorting to fully ordering them (as that would create an n 2 exponent again).
Throughout the rest of this section, A denotes a fully-elaborated MCS that satisfies Condition S, and A ∆ 0 the initial difference MCS.The algorithm begins with A ∆ 0 , and then, iteratively, refines and restricts it, while constructing quasi-ranking functions, so that in general, the sub-algorithm for finding a q.r.f.works on an MCS that has already changed from the initial one.We define a difference MCS to be any MCS A ∆ obtained from A ∆ 0 by a series of partial elaboration steps, as defined in Section 5, and restrictions.Thus A ∆ is one of a sequence of MC systems A ∆ j , starting with A ∆ 0 , so that So, for all j, A ∆ j ⋐ φ A ∆ 0 for an appropriate φ.The goal of each elaboration step is to allow for finding a q.r.f., and the subsequent restriction represents the residual transition system relative to the current quasi-ranking function.Note that the elaboration steps do not involve a re-indexing of variables-this is important since we rely on the indexing of the original elaborated MCS A.

6.3.
Preparations for the construction.We begin with a few definitions and properties that the algorithm relies on.These definitions are taken (with some adaptation) from previous work on SCT, and therefore refer as threads to what we have named down-threads.Since our analysis of the difference variables is SCT analysis-only down-threads are considered-let it be understood that in the context of difference variables, a "thread" is a down-thread.Definition 6.9 (thread preserver).Given difference MCS A ∆ , a mapping P : It is easy to see that the set of thread preservers is closed under union.Hence, there is a unique maximal thread preserver, which we denote by MTP(A ∆ ).Given a standard representation of A ∆ , MTP(A ∆ ) can be computed in linear time [8].
We also need the following definition and results: Definition 6.10 (complete thread).A thread in a given multipath is complete if it starts at the beginning of the multipath, and is as long as the multipath.
Lemma 6.11.Let M ∞ be an infinite multipath.If every finite prefix M of M ∞ contains a complete thread, then M ∞ contains an infinite thread.
Proof.The proof is a straight-forward application of König's Lemma.Lemma 6.12.If a strongly connected MCS satisfies SCT, every finite multipath includes a complete thread.
The proof is straight-forward and left out.Definition 6.13 (thread-safe).We call a variable thread-safe at flow-point f if every finite multipath, starting at f , includes a complete thread starting at that variable.
6.4.Finding a singleton thread-preserver.The role of this part of the algorithm is to single out a variable x α f for every flow point, such that these variables constitute a singleton thread-preserver (i.e., P (f ) = {α f } be a thread preserver).
Observe that this induces a quasi-ranking function, namely ρ(f ) = x α f .We assume, until further notice, that we are dealing with a strongly-connected MCS; the complete algorithm will provide for the non-strongly-connected case.Definition 6.14 (ordering of D).We write (i, j) ⊆ (i ′ , j ′ ) for containment of the interval {i, . . ., j} in the interval {i ′ , . . ., j ′ }.
Recall that indexing the variables in ascending order of value, during full elaboration, provided a useful downward closure property.In particular, the lowestnumbered variable among a set of variables has the smallest value.This was crucial in the construction of [6], and here, we give as a substitute the following (more subtle) lemma for the difference variables.Lemma 6.15.Let A ∆ be a difference MCS for a fully elaborated A. Each MC, G ∆ , of A ∆ has the following properties: We prove only the second claim (being a bit more involved).Let α = (a l , a h ), β = (b l , b h ) and γ = (c l , c h ).The inequality and similarly for the second inequality, so we have: That is, x α ≥ x β⊔γ , which entails the conclusion.
Lemma 6.16.Assume that A ∆ is strongly connected and satisfies SCT in the difference variables.For every f , let S(f ) be the set of indices of difference variables that are thread-safe at f in A ∆ .Then S(f ) is not empty for any f ∈ F A ∆ and S = MTP(A ∆ )4 .
Proof.Let M be any finite A ∆ -multipath starting at f .Since A ∆ satisfies SCT and is strongly connected, there must be a complete thread in M , say starting at x α .But then x (1,n) can also start a thread.It follows that (1, n) ∈ S(f ), so S(f ) is not empty.
We now aim to show that S is a thread preserver.Let α ∈ S(f ), and let G ∆ : f → g.Let H ∆ be any MC with source point g, M a finite multipath starting with H ∆ and consider the multipath G ∆ M = G ∆ H ∆ . . . .By definition of S(f ), it has a complete thread that begins with an arc from x α , say x α → x ′ β M , followed by an arc of H ∆ , say x β M → x ′ γ M .Let B be the set of all such indices β M (where M ranges over all multipaths starting with H ∆ ), and κ = B. Then x α → x κ is an arc of G ∆ by Lemma 6.15 (2); and by 6.15(1) one can see that, for each M , H ∆ has an arc x κ → x ′ γ M .Thus, M has a complete thread beginning with x κ , and κ is, by definition, in S(g).We have proved that S has the thread-preservation property.On the other hand, it is easy to see that if P is a thread preserver such that P (f ) = ∅, then the variables indexed by P (f ) are thread-safe at f .Thus every thread preserver is contained in S, and we conclude that S = MTP(A ∆ ).Lemma 6.17.Assume that A ∆ is strongly connected and satisfies SCT in the difference variables.Let P be a thread preserver (in difference variables) and suppose that for every f ∈ F A ∆ , invariant I ∆ f implies that a certain variable x α f has smallest value among the variables of P (f ).Then every G ∆ : f → g includes x α f → x ′ αg .In other words, {α f } constitutes a singleton thread preserver.
Proof.By the definition of a thread-preserver, each MC G ∆ : f → g must have an arc x α f → x ′ β for some β ∈ P (g); so by Lemma 6.15 (2), Since the lemma applies to any thread preserver, the easiest implementation is to use the MTP, just because it can be found efficiently.The difficulty in applying the lemma is that the difference variables are only partially ordered, so in a given set of variables there may be no variable that is necessarily of smallest value.In order to make the lemma applicable, we shall use partial elaboration.Specifically, observe that given P (f ), there can be at most n − 1 candidates for the variable of smallest value.This is so because in the poset of intervals there is no antichain bigger than n − 1. Suppose that for flow-point f , the set of potential smallest variables in P (f ), P min (f ), has more than a single element.We will then create a duplicate f α of f for each α ∈ P min (f ), and add different constraints to each one, such that in f α , x α will be minimum, as required by the lemma.This is a case of partial elaboration, as described in Section 5, and due to the fact that the constraints on difference variables are semi-SCT, the duplication does not trigger a cascade of duplications of other flow-points (Lemma 5.7); we thus increase the size of the system at most (n − 1)-fold.After this processing, Lemma 6.17 can be applied.
In the following lemma we formulate the conclusion in a somewhat generalized manner, which will be useful later.Recall that D is the set of indices of all difference variables.Lemma 6.18.Let A ∆ be a strongly connected difference MCS, that satisfies SCT restricted to a certain subset of the difference variables at each flow-point f , given by T (f ) ⊆ D, such that T (f ) is closed under ⊔.Procedure SingletonTP(A ∆ , T ) below finds a singleton thread preserver within T , while (possibly) modifying the MCS by partial elaboration.The partial elaboration involves duplicating each point f at most n − 1 times.Algorithm 6.19.SingletonTP(A ∆ , T ) (1) Compute P = MTP(A ∆ , T ), the MTP of A ∆ restricted to the variables T (f ) for each f .If empty, the procedure fails.(2) For each f ∈ F A ∆ , identify the minimal elements of P (f ), based on the flowpoint invariants.Suppose that there are k > 1 minima, x α 1 , . . ., x α k .Let I be the invariant of f ; create mutually exclusive invariants I 1 , . . ., I k such that I i includes I with added constraints x α i < x α j for j < i, and x α i ≤ x α j for i ≤ i ≤ k.Perform partial elaboration, replacing f by k copies with the respective invariants.Choose x α i for the thread preserver at the i'th copy of f .Note that the results of the procedure (unless it fails) are a possibly modified MCS and its thread preserver.6.5.Systems with frozen threads.Having found a quasi-ranking function, our next step is to modify to A ∆ so that it expresses the residual system.This includes the following changes (1) Transitions in which the quasi-ranking function strictly decreases (that is, we have G ∆ ⊢ x α f > x αg ) are removed.(2) In transitions where the quasi-ranking function was not known to decrease strictly (that is, we only had G ∆ ⊢ x α f ≥ x αg ) it is now required not to change.
We now recall another idea from [6], freezers.A freezer is a singleton threadpreserver where the values are "frozen," that is, constrained not to change.Definition 6.20 (freezer).Let A be an MCS and C : F A → {1, . . ., n} a function that associates one original variable (technically, the index of one such variable) to to each flow-point.Such C is called a freezer if for every G ∈ A, G ⊢ x C(f ) = x ′ C(g) .In our case, we have a thread of difference variables x α f that we wish to constrain not to change.Suppose that G ∆ ⊢ x α f ≥ x αg , where α f = (l, h) and α g = (i, j).In order that the differences before and after the transition be the same, we must have both x l = x ′ i and x h = x ′ j .Therefore, every arc like that, participating in the singleton thread-preserver found, implies that two inequalities in original variables are restricted to equalities, creating two freezers.
Assuming that there still are cycles in the MCS, we need to look for an additional quasi-ranking function.We have to restrict the search in order not to find the same quasi-ranking function again (which, albeit "frozen," is still a q.r.f.).This requires a bit further analysis.
The following observation comes easily from full elaboration: Observation 6.21.Freezers are consistently ordered by the relations among their variables.That is, if C L and C H are freezers and for some flow-point f , then this relation holds in every flow-point and we write C L < C H .
Note that due to the re-indexing in full elaboration, the order relation among the freezers matches the relation among the indices C L (f ) and C H (f ).The case of variables related by an equality constraint at a flow-point is less obvious but, in fact, if variable x 1 , say, is "frozen" and I f ⊢ x 1 = x 2 , then x 2 is also "frozen".To make a long story short, the algorithm below has the property that if two variables are constrained by equality, once one of them has been used for a thread-preserver and thereafter put into a freezer, the other can safely (and advantageously) be ignored (yet we ignore this situation in the description of the algorithm, to simplify presentation).Lemma 6.22.Suppose that A ∆ is strongly connected, and has some freezers, among which C L is lowest and C H highest.And suppose that A ∆ terminates.Divide the indices of original variables, for every flow-point f , into three regions: the lower region V 0 (f ) = {1, . . ., C L (f )}, the middle region V 1 (f ) = {C L (f ), . . ., C H (f )}, and the upper region V 2 (f ) = {C H (f ), . . ., n}.Then every infinite A ∆ -multipath has an approaching pair confined to one of the regions.
Proof.Let M be an infinite multipath of A, M = f 0 . .Suppose that M has an approaching pair: the low up-thread (x[k, l k ]) k=0,1,... and the high downthread (x[k, h k ]) k=0,1,... .At least one of the low and high threads has to be infinitely often strict; let us suppose that it is the high thread (the other case is similar).This thread cannot intersect any of the the frozen threads infinitely often (or we would have an unsatisfiable section of the multipath, contradicting Lemma 3.4); so in an infinite tail of the multipath (which is all that matters) it lies either always above C H , or below C L , or between them; to avoid a trite case analysis, let us pick just one of the cases, and suppose that the thread uses variables above C H , that is, from V 2 .Now, we can let C H play the part of the low thread, to obtain an approaching pair within the upper region (V 2 ).Corollary 6.23.Under the assumptions of the last lemma, define regions of difference variables: then in every infinite A ∆ -multipath there is an infinitely-descending thread of difference variables within one of these regions.
Lemma 6.24.Under the assumptions of the last lemma, there is a region D r that contains an infinite thread (corresponding to a weakly approaching pair in V r ) in every infinite A ∆ -multipath.
Note the change in the order of quantification: the region is selected before the multipath, at the expense of not guaranteeing strict descent in every multipath.
Proof.Assume to the contrary that for each of r = 0, 1, 2 there is an infinite multipath in which Region D r contains no infinite thread.By Lemma 6.11, there are finite multipaths M 0 , M 1 , M 2 such that M i has no complete thread in region i.Since our MCS is strongly connected, one can form a multipath (M 0 . . .M 1 . . .M 2 . . . ) ω , which will have no infinite thread in any of the regions, contradicting Corollary 6.23.
Let r be such that there is always an infinite thread in D r .We can use the strategy of the previous subsection to find a singleton thread preserver, thus making progress in our construction.But is it progress?There is a pitfall: in the case of the middle region, our procedure may find a pair of variables that was already frozen (they constitute a weakly approaching pair, but they really never approach).However, the middle region can be treated in a special way that avoids the pitfall and is also more efficient.Lemma 6.25.Under the assumptions of Lemma 6.22,An infinite multipath M contains an approaching pair within the middle region (V 1 ) if and only if this region contains a thread-either a down-thread or an up-thread-which is infinitely often strict.Such a thread is disjoint from the two freezers delimiting this region.
Proof.The non-trivial implication is the "if," but it is also quite easy: suppose that the region contains an infinitely-often strict down-thread (up-thread).It can be complemented to an approaching pair by using C L (C H ) for the other thread.
From this lemma we conclude that the middle region can be reduced to the following two subsets of difference variables: .5) Both sets of intervals are closed under ⊔ and Lemma 6.18 applies.Moreover, these sets of intervals are totally ordered, which means that no elaboration steps will be needed when looking for a singleton thread-preserver among them. of flow-points can occur at most n − 1 times, leading to the upper bound on the length of the vectors.Since the number of variables participating in the search for quasi-ranking functions diminishes in each iteration, we obtain a bound of |F A | • n! on the size of the resulting expression, which associates a vector with each of the flow points of the mostly elaborated system obtained.The running time is further multiplied by a (low order) polynomial expressing the complexity of the procedures at each level of the recursion.Theorem 6.29.Let B be a π-terminating MCS, with n variables per point.A ranking function ρ for B where ρ(f ) is given by a case expression with inequalities among differences for guards; the value in each case is given by a vector in W , that includes at most n − 1 difference variables.The complexity of construction of ρ, as well as the size of the expression, are Õ(|B| • 2 n (n!) 2 ).
Proof.First, fully elaborate B, yielding an MCS of size at most |B|•B n ≤ |B|•2 n (n!), then use the last theorem.
The algorithm could, in principle, be used just to determine if a system is terminating, and with an exponent of O(n log n), better than the O(n 2 ) exponent given in Section 4.However, the use of full elaboration makes it unattractive in practice because it blindly generates the worst case (all possible ordering of variables) for every input instance.In contrast, the algorithms of Section 4 will often perform much better than their worst-case behaviour.

Rooted Versus Uniform Termination
Up to this point, the notion of termination used was uniform termination, which means that there must be no cycles in the whole state space of the modeled transition system.Practically, what we usually require is rooted termination, when only computation paths beginning at a given initial point f 0 are considered.
Z: There is no difference between the treatment of this subject in the well-founded case and here, but the examples below should illustrate that the issue is doubly important in the current setting.
Here is a little C example to show the importance of rooted termination: if (x<0) while (y > 0) y = y+x Consider an abstraction that represents the command y=y+x by three parallel MCs, as discussed in Example 2.11.It can be shown to terminate when only paths from the top of the program are considered.The example could also be solved by a preprocessing that calculates state invariants, such as x < 0 inside the while, as is often done in program analysers.But this can get complicated: the following example would require an invariant that specifies the dependence of variable b on x.This kind of invariant that is not found in common invariant generators (namely those that describe a state by a conjunction of linear constraints).However with rooted termination, no invariants are necessary other than the direct translation of the conditionals to monotonicity constraints.We conclude that it is desirable, practically, to account for rooted termination.Up to this point, this was avoided only in favor of simplicity of presentation.However, it is very easy to do: with a stable system, unreachable states will be represented by flow-points that are inaccessible from f 0 , due to Lemma 3.4.Thus, all that is necessary is to remove inaccessible parts of the CFG, or better yet, never generate them in the first place, by creating the stabilized (or fully elaborated) system in the manner of a graph exploration (say, DFS) starting at the initial point, only covering the reachable state space.This can occasionally have a significant effect on efficiency (in particular with full elaboration), as confirmed by our experience with implementing full elaboration [31].
Example 7.1.To conclude this section, here is another example which illustrates the effectiveness of the MCS abstraction in expressing disjunctions, besides the need for rooted termination.Disjunction is used in expressing the condition x != 0, as well as representing the command x := x-1.assert x > 0 while (x != 0) x := x-1 Abstraction: unlike previous examples, we will not merge this time the loop guard with the loop body, in order to clarify the transformation.We will thus have three flow-points, 0 (initial), 1 (loop header) and 2 (loop body).

Some Related work
The field of termination analysis is well developed and it is infeasible to survey it extensively here.This section will point out some works that are related inasmuch as they base a termination analysis on the behavior of integer variables.The following questions are asked when considering such works: (1) Does the proposed algorithm or tool work on an abstract transition system, or on concrete programs?Clearly the case that can be best related to the current work is the former.Therefore, much work of the second kind is ignored here; but it is not hard to find.
(2) What abstraction is used?In particular, are monotonicity constraints used?
(3) What is the main technique?Is it complete for the given abstraction?(It is also possible to ask if there would have been completeness, had the method been applied to MCS.I have tried to answer this question, though some of the methods are not fully described in the publications, so it is difficult to be precise.) We start with those works which mostly resemble the current paper.(1) Manolios and Vroon [27] describe a termination analysis implemented in the ACL2 theorem prover.It works on concrete programs using the SCT abstraction.It handles termination arguments involving integers by introducing the difference of two concrete integer variables as an abstract variable, when it can be determined (using theorem proving techniques applied to the source program) to be non-negative.Of course, it may also include a single integer variable if it is determined to be lower-bounded.Since concrete programs are the subject, no completeness claim is made.It would be possible to represent an MCS as a program and apply the tool, but completeness is still unlikely because, as previously remarked, this reduction to SCT has to be combined with stabilization to achieve completeness.
(2) Avery [3] describes a tool to analyze C programs by first abstracting them to a constraint transition system of the following form: transition constraints use inequalities (≥, >, ≤, <) to relate source and target variables; flow-point invariants are polyhedral ones, that is, conjunctions of linear inequalities in state variables and constants.This is clearly a generalization of MC transition systems, however one expressive enough to represent counter programs, which means that termination is undecidable.The (sound but incomplete) algorithm is based on closure computation, where the composition operation used to form the closure takes into account only the variants (source-to-target relations, which are MCs) and not the invariants.For each idempotent graph in the closure, the invariants are taken into account when deciding which variables would imply termination if they descend.Clearly, the algorithm could be applied to MCs.What bars it from achieving completeness in this case is the fact that the control-flow graph is not refined (i.e., no stabilization).Here is an example to illustrate this limitation (the program consists of a single loop with the following description) Note that the only invariant which is valid whenever the transition is entered is y > w, which is not very helpful.
(3) Termilog [24] was a termination analyzer for Prolog, that made use of an abstraction to monotonicity constraints and a closure computation plus a local test, which is sound but incomplete for the MC constraint domain, as pointed out in [12].The variables of the abstraction represent certain norms of symbolic terms in the Prolog program.They are, therefore, non-negative integers and the termination proof only looks for descent towards zero.We should remark, however that they do not use "abstract compilation" as in our examples.Instead, an abstract interpreter is used to compute the closure set.This may be more precise with respect to the semantics of the subject program, see [19].
In [17], Dershowitz et al. reformulated the principles underlying the usage of monotonicity constraints in Termilog, and also proposed an extension to handle programs with integer variables and arithmetics.Their proposal is based on creating a "custom-tailored" domain for abstraction of the integer variables, based on constraints extracted from the program.Their algorithms are Prologspecific, and do not analyze a contraint-based abstract program, but it seems that it could be applied to MC transition systems (appropriately represented) and that the proposed abstraction process may actually compute a (partial) elaboration and obtain a stable system.It will further attempt to prove termination for every cyclic MC by "guessing" a local ranking function.The functions they propose to "guess" are differences (x i − x j ), which we know to suffice for Idempotent cyclic MCs (See Definition 4.21: the function is x h − x l ).However, such functions do not suffice for all cyclic MCs [12].We conlcude that it would be desirable to apply the idempotence-based algorithm with their framework (which, in fact, they do in the part that deals with symbolic variables and norms).
(4) Terminweb [13] is a termination analyzer for Prolog.It uses a procedure which tries to prove termination of an abstract program, and there are two kinds of abstractions used.In the first, transitions are described by polyhedra.In the second, by monotonicity constraints.In both cases, the data are non-negative integers and the termination proof sought is based on descent towards zero.As for the methods, closure computation and a local termination test are used; in the polyhedral case, the closure is approximated (using widening) for otherwise it might be infinite.For the monotonicity-constraint abstraction, the closure computation is precise, but the local termination test is incomplete, as pointed out in [12].
(5) Mesnard and Serebrenik [28] show that for abstract programs with transitions defined by polyhedra (conjunctions of linear inequalities), when the data are rationals or real numbers, it is possible to determine in polynomial time (using linear programming) whether there is a global ranking function that associates an affine combination of the variables with each flow-point.This is an extension of the idea previously presented by Sohn and van-Gelder [32].The existence of such a function is, of course, a sound (but incomplete) criterion for termination, and restricting the data to integers maintains its soundness.
(6) The BinTerm analyzer of Spoto, Mesnard and Payet analyzes abstract programs and serves as a back-end to the Java Bytecode termination analyzer Julia [33].The abstraction that it uses is a transition system with polyhedral constaints, and it applies a selection of strategies, which it tries one by one.The first two correspond to the two methods of Terminweb, slightly modified since the domain is now the integers.Thus, both for polyhedral transitions and for MCs, its local test is based on a search for an affine ranking function.In the MC domain, such a test would be complete in the stable case, but is not complete in general.The third method used is the method of Mesnard and Serebrenik.
(7) Colón and Sipma [14] is representative of a series of works that ostensibly target imperative programs, but work, in fact, on a constraint-transition system with linear (affine) constraints (the domain may be assumed to be the rationals, the reals or the integers) and search for global ranking functions of the lexicographiclinear type, using linear programming techniques.Alias et al. [2] use the same general approach, but their class of ranking functions is more general (specifically, each q.r.f.associates a linear expression with every flow-point, whereas in [14], a q.r.f. is a single expression throughout a SCC).The lexicographic approach is, of course, more general than just looking for a single affine global ranking function (as in [28]), but still does not guarantee completeness for MCSs, where the ranking function sometimes has to depend on the order relations of the variables, and so is not linear (a simple example is a ranking function min(x, y)).
Both methods rely on polyhedral invariants associated with a flow-point (in [2], they are part of the abstract program, and would be generated by a front-end; in [14], they are recomputed in each stage of the algorithm, which may improve its precision).(8) Noting that monotonicity constraints are a special case of polyhedral constraints, it is natural to look for other interesting subclasses, possibly richer than monotonicity constraints.The class of difference constraints is defined by constraints of the form x−y ≤ c.Termination of such constraint transition systems is shown undecidable in [4].Decidability in PSPACE is proved for a restricted subclass, called fan-in free δSCT.This class is incomparable to MCSs (their intersection is fan-in free SCT).
(9) There are several published works that address a special subclass of constraint transition systems: simple loops, namely transition systems with only one control location (flow point).Moreover, some of them consider a single-path loop, consisting of one abstract transition only.This appears like a far-fetched restriction, but nonetheless, such simple loops can be complex enough to merit theoretical interest, and practically, an algorithm to decide termination of such a loop can be used as the local test in a closure-based algorithm, or an algorithm based on counter-example based search (see [16] for a well-known example of the approach).Single-path loops, represented with polyhedral constraints, are handled using linear ranking functions in [29].Bradley, Manna and Sipma [10] extend this to a multi-path loop, and show how to find a lexicographic-linear ranking function.In [11], the approach is generalized so that the components of the ranking tuple are not required to be quasi-ranking functions, but only "eventually" quasiranking, that is, they may ascend initially but must eventually descend (as in Example 2.11).
A few of the works mentioned also generate global ranking functions.[2] generates lexicographic-linear ranking functions.This is also the case with [14], although they are not explicit about it, and their class of functions is more restricted.In [28], the class is restricted to affine functions.All the works mentioned for analyzing simple loops are ranking-function based, but only those in [10,11] may be truly called "global" since they apply to all the paths of a multi-path loop.

Conclusion and Research Questions
We studied the MCS abstraction, an appealing extension of the Size-Change Termination framework, that can be used for termination analysis in the integer domain.We showed how several elements of the theory developed in the well-founded model can be achieved in the integer case: sound and complete termination criteria, closurebased algorithms and the construction of ranking functions in singly-exponential time.Global ranking functions may be useful for certified termination [21,15,20] and cost analysis [1,2], and the complexity achieved here is better than what has been published before for SCT.
Hopefully, this paper will trigger further research, moving towards the practical application of the theory presented.Some of the systems mentioned in the last section can gain an increase in precision by incorporating a complete decision procedure for monotonicity constraints, and it is encouraging that abstraction of a concrete program to monotonicity constraints either exists already in these systems or can be added with very little effort, typically because richer domains are already used (such as affine relations).
The algorithms in this article were aimed at getting the theoretical results with a minimum of complications.They can certainly be improved in practice (as discussed in the conclusion of [6]).
Cases like Example 2.10 suggest that it may be worthwhile to treat Boolean variables as such, so that they do not get entangled with the integer variables in the course of elaboration, creating an unnecessary combinatorial explosion.A better idea is to extend the MCS abstraction to include Boolean variables and extend the termination criteria and algorithms to account for them precisely.This may be a useful extension in practice, and moreover, it allows for adding information that does not come straight-forwardly from the program, in the form of "invented" Boolean variables-leveraging abstraction techniques used in the area of model checking.
Here are a few other directions for extension of this work: (1) Investigating extensions of the constraint domain, particular to the integers (i.e., not appropriate for general SCT).An example is difference constraints (mentioned in the last section).(2) Proceeding from termination analysis to analysis of a program's complexity [1,2].(3) The idea of using multiple abstractions (one may speak of abstractions of varying refinement) in a single tool in quite enticing.One can also consider an abstraction-refinement loop [16] which allows for eliminating spurious counterexamples by specialized tools, while using size-change analysis as a backbone.

Figure 1 :
Figure 1: MCs of Example 2.11 as graphs.The left-hand side is the source.Broken arcs represent non-strict descent.

4. 2 . 1 .
The Stable Case.Definition 4.6.A stable MCS A satisfies Condition S if in any infinite multipath M (with variables x[t, i]) there are an infinite down-thread (x[k, h k ]) k=k 0 ,k 0 +1,... and an up-thread (x[k, l k ]) k=k 0 ,k 0 +1,... , such that all the constraints x[k, l k ] ≤ x[k, h k ] are present in M .In addition, at least one of the threads has infinitely many strict arcs.

Figure 3 :
Figure 3: (a) An MC G, (b) its circular variant G • ; (c) the directions of shortcut edges are set to highlight the two cycles required by the LTTS. Definition

Algorithm 4 .
18. (The Closure Algorithm) (1) Build cl(A).(2)For each cyclic G in cl(A), apply the LTTS.Pronounce failure (non-termination) if a graph that fails the test is found.(3) If the previous step has completed, the MCS terminates.

Theorem 4 .
19 (closure algorithm-soundness). Let A be a stable MCS.If every cyclic MC in cl(A) passes the Local π-Termination Test for Stable Systems, A satisfies Condition S. The proof will use the next lemma.

Lemma 4 . 20 .
Consider an infinite multipath M of a stable system, represented as the concatenation of finite segments M 1 M 2 . . ., and let M ′ = (M 1 )(M 2 ) . . . .Then M ′ satisfies Condition S if and only if M does.

Definition 4 . 21 (
Local π-Termination Test for Idempotent MCs).We say that G passes the Local π-Termination Test for Idempotent MCs, or LTT1, if it is idempotent, and for some 1

Algorithm 4 .
23. (Closure Algorithm with Idempotence) (1) Build cl(A).(2) For each cyclic G in cl(A), if it is idempotent apply the LTT1 to G. Pronounce failure (non-termination) if a graph that fails the test is found.(3) If the previous step has completed, the MCS terminates.

Figure 4 :
Figure 4: An illustration for the proof of Lemma 4.23: (a) A multipath M ; (b) G = M ; (c) G with an assignment σ; (d) M with its boundary values set (note that n(ℓ + 1) = 3 • 4 = 12); (e) the assignment to M completed by a lightest-path computation.

Algorithm 4 .
29. (CLS Algorithm)Input: an MCS A, not necessarily stable.(1)Build cl(A).(2)For each cyclic G in cl(A), apply the LTTS to G B .Pronounce failure (non-termination) if a graph that fails the test is found.(3) If the previous step has completed, the MCS terminates.

Figure 5 :( 1 )
Figure 5: (a) An MC G, (b) its circular variant G • ; (c) the directions of shortcut edges are set to form a forward descending cycle, (d) a walk in a prefix of G ω , corresponding to the cycle.The notation x t i is a shorthand for x[t, i].(Example after Codish, Lagoon and Stuckey) Satisfaction of a predicate e with free variables x 1 , . . ., x n (for example, x 1 > x 2 ) by an assignment σ is defined in the natural way, and expressed by σ |= e.If e is a predicate involving the 2n variables x 1 , . . ., x n , x ′ 1 , . . ., x ′ n , we write σ, σ ′ |= e when e is satisfied by setting the unprimed variables according to σ and the primed ones according to σ ′ .Definition 2.3 (transitions).A transition is a pair of states, a source state s and a target state s 2.2.Semantics.Definition 2.2 (states).A state of A (or an abstract state) is s = (f, σ), where f ∈ F A and σ : {1, . . ., n} → Z represents an assignment of values to the variables.
since this multipath is satisfiable (Lemma 3.4).By Ramsey's theorem (in its infinite version), there is an infinite set of positive integers, I, such that all pairs (t, t ′ ) with t, t ′ ∈ I carry the same label G I .Thus for any t, t′ ∈ I with t < t ′ , G t ; G t+1 ; • • • G t ′ −1 = G I .By Lemma 4.20, it now suffices to show that multipath (G I ) ω (infinite sequence of G I 's) satisfies Condition S.