Deciding Conditional Termination

We address the problem of conditional termination, which is that of defining the set of initial configurations from which a given program always terminates. First we define the dual set, of initial configurations from which a non-terminating execution exists, as the greatest fixpoint of the function that maps a set of states into its pre-image with respect to the transition relation. This definition allows to compute the weakest non-termination precondition if at least one of the following holds: (i) the transition relation is deterministic, (ii) the descending Kleene sequence overapproximating the greatest fixpoint converges in finitely many steps, or (iii) the transition relation is well founded. We show that this is the case for two classes of relations, namely octagonal and finite monoid affine relations. Moreover, since the closed forms of these relations can be defined in Presburger arithmetic, we obtain the decidability of the termination problem for such loops.


Introduction
The termination problem asks whether every computation of a given program ends in a halting state. The universal termination problem asks whether a given program always terminates for every possible input configuration. Both problems are among the first ever to be shown undecidable, by A. Turing [43]. In many cases however, programs will terminate when started in certain configurations, and may 1 run forever, when started in other configurations. The problem of determining the set of configurations from which a program terminates on all paths is called conditional termination.
In this paper we focus on programs that handle integer variables, performing Presburger arithmetic tests and (possibly non-deterministic) updates. A first observation is that the set of configurations from which an infinite computation is possible is the greatest fixpoint of the pre-image pre R of the program's transition relation 2 R. This set, called the weakest recurrent set, and denoted wrs(R) in our paper, is the limit of the descending sequence pre 0 R (true), pre 1 R (true), pre 2 R (true), . . ., i.e. wrs(R) = ∞ i=1 pre n R (true), if either (i) the pre-image of the transition relation is continuous (this is the case, for instance, when the transition relation is deterministic), (ii) the descending Kleene sequence that overapproximates the greatest fixpoint eventually stabilizes, or (iii) the relation is well founded, i.e. wrs(R) = ∅. If, moreover, the closed form defining the infinite sequence of precondition sets {pre n R (true)} n≥1 can be defined using a decidable fragment of arithmetic, we obtain decidability proofs for the universal termination problem.
Contributions of this paper. The main novelty in this paper is of rather theoretical nature: we show that the non-termination preconditions for integer transition relations defined as either octagons or linear affine loops with finite monoid property are definable in quantifier-free Presburger arithmetic. Thus, the universal termination problem for such program loops is decidable. However, since quantifier elimination in Presburger arithmetic is a complex procedure, we have developed alternative ways of deriving the preconditions for non-termination, and in particular: • for octagonal relations, we use a result from [10], namely that the sequence {R i } i≥0 is, in some sense, periodic. Based on this, we develop an algorithm that computes the weakest non-termination precondition of R in time polynomial in the size of the binary representation of R. Moreover, we investigate the existence of linear ranking functions and prove that for each well-founded octagonal relation, there exists an effectively computable witness relation for R, i.e. a relation that is well-founded if and only if the original relation is well-founded and, in this case, it also has a linear ranking function. • for linear affine relations, weakest recurrent sets can be defined in Presburger arithmetic if we consider several restrictions concerning the transformation matrix. If the matrix A defining R has eigenvalues which are either zeros or roots of unity, all non-zero eigenvalues being of multiplicity one (these conditions are equivalent to the finite monoid property of [5,21]), then wrs(R) is Presburger definable. Otherwise, if all non-zero eigenvalues of A are roots of unity, of multiplicities greater or equal to one, wrs(R) can be expressed 1 using polynomial terms. In this case, we can systematically issue Presburger termination preconditions, which are safe under-approximations of the complement of the wrs(R) set. Unfortunately, in practice, the cases in which the closed form of the sequence of preconditions {pre n R (true)} n≥0 is definable in a decidable fragment of arithmetic, are fairly rare. All relations considered so far are conjunctive, meaning that they can represent only simple program loops of the form while(condition){body} where the loop body contains no further conditional constructs. Whereas in reality such simple programs are rare, our results can be used as building blocks of other termination proof methods [17], which discard lasso-shaped non-termination counterexamples one by one. Our method can be used for proving non-termination as well, by embedding it into general algorithms, such as [24].
In order to deal with more complicated program loops, we use the method of transition invariants [34] to compute safe under-approximations of the strongest termination preconditions. Concretely, we compute a transition invariant, which is an over-approximation of the transitive closure of the transition relation of the program, restricted to the states reachable from some set of initial configurations. If one can find a finite union R # 1 ∪ . . . ∪ R # m of octagonal relations that is a transition invariant, then we can compute an over-approximation of the weakest non-termination precondition as wrs(R # 1 ) ∪ . . . ∪ wrs(R # m ). The required termination precondition is the complement of this set.
This method can infer non-termination preconditions for programs without procedure calls. It is moreover shown to be complete, and to yield the precise result for a class of programs without nested loops, called flat. Moreover, we studied a restriction of flat programs in which all transitions within loops are labeled with octagonal constraints, and found that, for this restricted class, the problem of existence of infinite runs is NP-complete.
We have implemented the computation of transition invariants and procedure summaries in the Flata tool for the analysis of integer programs. Several experiments on inferring non-termination preconditions have been performed, and reported.
Roadmap. The paper is organized as follows. Section 2 introduces the notation and some basic concepts needed throughout the paper. Section 3 defines weakest recurrent sets as greatest fixpoints of the pre-image of the transition relation. Sections 4 and 5 apply this definition to the computation of weakest recurrent sets for octagonal and linear affine relations. Section 6 extends the computation of weakest termination preconditions from simple conjunctive loops to integer programs, and Section 7 reports on the implementation and experiments performed on several integer programs. Finally, Section 8 concludes.
The core results presented in this paper have been reported in [11]. In addition to the work presented in [11], here we improve the time complexity upper bound for the computation of weakest non-termination preconditions for octagonal relations, and give a polynomial time algorithm. Moreover, we extend the results from [11] from simple conjunctive program loops to computing non-termination preconditions for full integer programs (whose transition rules are defined using quantifier-free Presburger arithmetic), by giving a decidability result to the universal termination problem, for a class of flat programs, i.e. without nested loops, and no branching within loops.
1.1. Related Work. The literature on program termination is vast. Most work focuses however on universal termination, i.e. the question if a program will always terminate on all inputs, such as the techniques for synthesizing linear ranking functions of Sohn and Van Gelder [40] or Podelski and Rybalchenko [33], and the more sophisticated method of Bradley, Manna and Sipma [13], which synthesizes lexicographic polynomial ranking functions, suitable when dealing with disjunctive loops. However, not every terminating program (loop) has a linear (polynomial) ranking function. In this paper, we show that for an entire class of non-deterministic linear relations, defined using octagons, termination is always witnessed by a computable octagonal relation that has a linear ranking function.
A closely related work direction investigates the termination of programs abstracted using size-change graphs, i.e. graphs in which nodes are variables and edges indicate the decrease of values in a well-founded domain. In [3] the size-change termination problem is investigated for graphs annotated with difference bounds constraints. It is shown that, even if the general problem is undecidable, the restriction to size-change graphs with at most one incoming size-change arc per variable is PSPACE-complete. Our results are incomparable, since we consider multiple incoming size-change arcs, but restrict the control structure of the decidable class of programs to be flat, i.e. no nested loops are allowed. Moreover, we focus on the problem of computing the weakest non-termination precondition for simple loops labeled with octagonal relations, and solve it using a PTIME algorithm.
Another line of work considers the decidability of termination for simple (conjunctive) linear loops. Initially, Tiwari [42] showed decidability of termination for affine linear loops interpreted over reals, while Braverman [14] refined this result by showing decidability over rationals and over integers, for homogeneous relations of the form C 1 x > 0 ∧ C 2 x ≥ 0 ∧ x ′ = Ax. The non-homogeneous integer case seems to be much more difficult as it is closely related to the open Skolem's Problem (see, e.g. [31] for a discussion on this problem): given a linear recurrence {u i } i≥0 , determine whether u i = 0 for some i ≥ 0. The related problem of existence of linear ranking functions for linear affine loops has been studied in [4]. This problem has been found to be in PTIME when the program variables range over mathematical reals, and coNP-complete when they range over integers.
To our knowledge, the first work on proving the existence of non-terminating computations is arguably [32], in the context of Constraint Logic Programming. Another important contribution, which considers simple imperative loops, is reported in [24]. The notion of recurrent sets occurs in this work, however, without the connection with fixpoint theory, which is introduced in the present work. Finding recurrent sets in [24] is complete with respect to a predefined set of templates, typically linear systems of rational inequalities.
The work which is closest to ours is probably that of Cook et al. [16]. In that paper, the authors develop an algorithm for deriving termination preconditions by first guessing a ranking function candidate (typically the linear term from the loop condition) and then inferring a supporting assertion which guarantees that the candidate function decreases with each iteration. The step of finding a supporting assertion requires a fixpoint iteration in order to find an invariant condition. Unlike our work, the authors of [16] do not address issues related to completeness: the method is not guaranteed to find the weakest precondition for termination, even in cases when this set can be computed. On the other hand, it is applicable to a large range of programs extracted from real-life software. To compare our method with theirs, we tried the examples available in [16]. For those which are polynomially bounded affine relations, we used our under-approximation method and have computed termination preconditions, which turn out to be slightly more general than the ones reported in [16]. DECIDING CONDITIONAL TERMINATION 5

Preliminary Definitions
We denote by Z, N and N + the sets of integers, positive (including zero) and strictly positive integers, respectively. We denote by Z ∞ and Z −∞ the sets Z ∪ {∞} and Z ∪ {−∞}, respectively. In this paper we use a set of variables x = {x 1 , x 2 , . . . , x N }, for a given integer constant N > 0. The set of primed variables is x ′ = {x ′ 1 , x ′ 2 , . . . , x ′ N }. These variables are assumed to be ranging over Z. For a set S ⊆ Z of integers, we denote by min S the smallest integer s ∈ S, if one exists, and by inf S the largest element m ∈ Z −∞ such that m ≤ s, for all s ∈ S. If S = ∅, we convene that min S = inf S = ∞.
A linear term t(x) over a set of variables in x is a linear combination of the form a 0 + N i=1 a i x i , where a 0 , a 1 , . . . , a N ∈ Z. Presburger arithmetic is the first-order logic over atomic propositions of the form t(x) ≤ 0. Presburger arithmetic has quantifier elimination and is decidable [35]. Moreover, the satisfiability of its quantifier-free fragment is NPcomplete in the size of the binary representation of the formula [44]. For simplicity, we consider only formulas in Presburger arithmetic in this paper.
For a first-order logical formula ϕ, let F V (ϕ) denote the set of its free variables. By writing ϕ(x) we imply that F V (ϕ) ⊆ x. For a formula ϕ(x), we denote by ϕ[t 1 /x 1 , . . . , t N /x N ] the formula obtained from ϕ by syntactically replacing each free occurrence of x 1 , . . . , x N with the terms t 1 , . . . , t N , respectively. For a first-order logical formula ϕ, let Atom(ϕ) denote the set of atomic propositions in ϕ.
A valuation of x is a function ν : x − → Z. The set of all such valuations is denoted by Z x . If ν ∈ Z x , we denote by ν |= ϕ the fact that the formula obtained from ϕ by replacing each occurrence of x i with ν(x i ) is valid. Similarly, an arithmetic formula φ R (x, x ′ ) defining a relation R ⊆ Z x × Z x is evaluated with respect to two valuations ν 1 and ν 2 , by replacing each occurrence of x i with ν 1 (x i ) and each occurrence of x ′ i with ν 2 (x i ). The satisfaction relation is denoted (ν 1 , ν 2 ) |= φ R . By |= ϕ we denote the fact that ϕ is valid, i.e. logically equivalent to true. We say that an arithmetic formula ϕ(x) is consistent if there exists a valuation ν such that ν |= ϕ. We use the symbols ⇒, ⇔ to denote logical implication and equivalence, respectively. The consistency of a formula ϕ is usually denoted by writing ϕ ⇔ false. In the following, we will sometimes abuse notation and use the same symbols for relations (sets) and their defining formulas.
The composition of two relations R 1 , The identity relation on x is defined as I x = {(ν, ν) | ν ∈ Z x }. For any relation R ⊆ Z x , we define R 0 = I x and R i+1 = R i • R, for all i ≥ 0. The relation R i is called the i-th power of R in the sequel. With these notations, R + = ∞ i=1 R i denotes the transitive closure of R, and R * = R + ∪ I x denotes the reflexive and transitive closure of R. A relation R ⊆ Z x × Z x is said to be deterministic if and only if (ν, ν ′ ) ∈ R and (ν, ν ′′ ) ∈ R implies ν ′ = ν ′′ , for all ν, ν ′ , ν ′′ ∈ Z x . Let pre R : 2 Z x → 2 Z x be the pre-image function defined as pre R (S) = {ν | ∃ν ′ ∈ S . (ν, ν ′ ) ∈ R}, for any S ⊆ Z x .
A function F : 2 Z x → 2 Z x is said to be monotonic if and only if S ⊆ T implies F (S) ⊆ F (T ), for any two sets S, T ⊆ Z x , and ∩-continuous if and only if F The greatest fixpoint F is the largest set S such that F (S) = S, and is denoted gfp(F ).

Weakest Preconditions for Non-termination
This section is concerned with the definition of weakest preconditions for non-termination, and the characterization of such preconditions as greatest fixpoints of the pre-image function. We also give certain conditions under which these fixpoints are computable as limits of descending Kleene sequences, and finally, define them using first-order integer arithmetic.
In the rest of this section, let x = {x 1 , . . . , x N } be a set of variables ranging over integers, for some constant N > 0. We start by proving several properties of the pre-image function.
Proposition 3.1. Let R, R ′ ⊆ Z x × Z x be relations and S, S ′ ⊆ Z x be sets of valuations. The following hold: . Monotonicity of pre R follows by taking R ′ = R.
(2) We have: Hence the sequence {pre n R } n≥1 is descending. We next define the notions of * -consistent and well-founded relation.
Notice that if a relation is not * -consistent, then it is also well founded. However the dual is not true. For instance, the relation R = {(n, n − 1) | n > 0} is both * -consistent and well founded. Also notice that a relation R is * -consistent if and only if R i is consistent for all i ≥ 1.
If S 0 , S 1 , . . . are all non-termination preconditions for R, then the (possibly infinite) union i=0,1,... S i is a non-termination precondition for R as well. The set wnt(R) = {S ∈ Z x | S is a non-termination precondition for R} is called the weakest non-termination precondition for R. A relation R is well founded if and only if wnt(R) = ∅. A set S such that S ∩ wnt(R) = ∅ is called a termination precondition.
Notice that if S is a recurrent set for a relation R, then for each ν ∈ S there exists ν ′ ∈ S such that (ν, ν ′ ) ∈ R.
Proposition 3.5. Let S 0 , S 1 , . . . ∈ Z x be a (possibly infinite) sequence of sets, all of which are recurrent for a relation R ∈ Z x × Z x . Then their union i=0,1,... S i is recurrent for R as well.
The set wrs(R) = {S ∈ Z x | S is a recurrent set for R} is called the weakest recurrent set for R. By Proposition 3.5, wrs(R) is recurrent for R. The following lemma shows that in fact, wrs(R) is exactly the set of valuations from which an infinite iteration of R is possible and, equivalently, the greatest fixpoint of the transition relation's pre-image.
The following lemma gives sufficient conditions under which wrs(R) can be computed as the limit n≥1 pre n R (Z x ) of the infinite descending Kleene sequence: be a relation such that at least one of the following holds: (2) holds. Proof. By Lemma 3.6, wnt(R) = wrs(R) = gfp(pre R ). Since gfp(pre R ) is a fixpoint, it follows that gfp(pre R ) = pre n R (gfp(pre R )) for each n ≥ 1. Since gfp(pre R ) ⊆ Z x , it follows that pre n R (gfp(pre R )) ⊆ pre n R (Z x ) for each n ≥ 1, by monotonicity of pre R (Proposition 3.1). Hence we obtain that gfp(pre R ) ⊆ pre n R (Z x ) for each n ≥ 1 and consequently: We distinguish between the three cases from the hypothesis: 3 We use the version given as Prop. A.10 in [30], pg. 400. (1) We have ∅ ⊆ wrs(R) ⊆ n≥1 pre n R (Z x ) = ∅. Hence, in this case we obtain wrs(R) = n≥1 pre n R (Z x ) = ∅. (2) Since pre R is a monotonic function, the sequence {pre n R (Z x )} n≥1 is descending: , for all n ≥ n 1 , i.e. pre n 1 R (Z x ) is a fixpoint of pre R , and thus we obtain: Since gfp(pre R ) ⊆ n≥1 pre n R (Z x ), we obtain: , by Kleene Fixpoint Theorem [26].
In the next section, we show that Lemma 3.7 is applicable, for different reasons, to both octagonal (Definition 4.20) and finite-monoid affine (Definition 5.1) relations: octagonal relations are either well founded (1), or their descending Kleene sequences stabilize (2), and linear affine relations are ∩-continuous (3). Thus one can compute the weakest nontermination precondition for these classes as the limit of a descending Kleene sequence. Next, we show that, for relations satisfying one of the conditions of Lemma 3.7, one can also define the weakest non-termination precondition in first order arithmetic.
Definition 3.8. Let {S i } i≥1 be an infinite sequence of valuation sets, S i ⊆ Z x , for all i ≥ 1. The closed form of {S i } i≥1 is a formula S(k, x) such that, for all n ≥ 1 and all ν ∈ Z x : In the rest of the paper, we shall define the weakest non-termination precondition wnt(R) for relations R that are octagonal or finite monoid affine. Assuming that at least one of the hypotheses of Lemma 3.7 holds and that ' pre R (k, x) is a closed form of the sequence {pre n R (Z x )} n≥1 , the weakest non-termination precondition of R is equivalent to the first-order arithmetic formula on the right hand side in the following equivalence: In the upcoming developments, we will show that ' pre R (k, x) is Presburger definable, for octagonal and finite monoid affine relations R. As a direct consequence of (3.1), the weakest non-termination precondition is definable in Presburger arithmetic. Since satisfiability is decidable for Presburger arithmetic [35], the universal termination problem for octagonal and finite-monoid affine relations is decidable as well.
Then, by (3.1), we have: Hence the relation R is well founded.

Octagonal Relations
Octagonal constraints (also known as Unit Two Variables Per Inequality or UTVPI, for short) appear in the context of abstract interpretation where they have been extensively studied as an abstract domain [29]. They are defined syntactically as conjunctions of atomic propositions of the form ±x ± y ≤ c, where x and y are variables and c ∈ Z is an integer constant. They are a generalization of the simpler notion of difference bounds constraints. Since most results concerning octagons rely on notions related to difference bounds constraints, we introduce first the latter, for reasons of self-containment.
4.1. Difference Bounds Relations. Difference bounds constraints are also known as zones in the context of timed automata verification [1] and abstract interpretation [29,28]. They are defined syntactically as conjunctions of atomic propositions of the form x − y ≤ c, where x and y are variables and c ∈ Z is an integer constant. Difference bounds constraints can be represented as matrices and graphs. These matrices (graphs) have a canonical form, which is used for efficient inclusion checks, and can be computed by the classical Floyd-Warshall shortest path algorithm [19].
For example, the equality constraint x − y = 5 is equivalent to the difference bounds constraint x − y ≤ 5 ∧ y − x ≤ −5. In practice, difference bounds constraints are represented either as matrices or as graphs: . , x N } be a set of variables ranging over Z and φ(x) be a difference bounds constraint. Then the difference bounds matrix (DBM) representing φ is the matrix M φ ∈ Z N ×N ∞ such that: } the maximal absolute value over all constants that appear in φ(x).
Weighted graphs are central to the upcoming developments. An integer weighted digraph A cycle is a path of length greater than zero, whose source and destination vertices are the same. An elementary cycle is a cycle who is elementary.
. , x N } be a set of variables ranging over Z and φ(x) be a difference bounds constraint. Then φ can be represented as the weighted graph G φ = (x, →), where each vertex corresponds to a variable, and there is an edge is a DBM, the corresponding difference bounds constraint is defined as: The consistency of a DBM can be decided in PTIME by the classical Floyd-Warshall shortest path algorithm (Algorithm 1), which computes also the closure of consistent DBMs: be a DBM representing a difference bounds constraint φ. If M is consistent, the output of Algorithm 1 is its closure M * . Otherwise, if M is inconsistent, Algorithm 1 will report this fact. The running time of the algorithm is of the order O(N 3 · (N + log 2 µ(φ))).
Proof. The correctness proof of the Floyd-Warshall algorithm is standard, e.g. Theorem 3.3.5 in [28] proves that We next analyze how the updated of matrix entries depend on one another during the k-th iteration of the outermost loop and analyze how the changes are propagated. Clearly, each (i, j) ∈ A k depends on itself and on 2 entries (i, k), (k, j) ∈ B k , each (i, j) ∈ B k depends on itself and on (k, k) ∈ C k , and the entry (k, k) ∈ C k depends only on itself. It is easy to see, due to the test on line 8, that before executing the update on line 7, M ℓℓ = 0 for each 1 ≤ ℓ ≤ N . Thus, the following holds for each 1 ≤ k ≤ N : . Thus, the min and sum operations at line 7 can be executed in time at most log 2 µ N which is of the order O(N + log 2 µ(φ)). Since line 7 is iterated N 3 times, the complexity of the nested loops at lines 4-8 is O(N 3 · (N + log 2 µ(φ))). The loop at lines 1-3 does not add to this factor. if M ii < 0 then report "inconsistent" if i = j and M ii < 0 then report "inconsistent" The closure of DBMs is needed to check the equivalence and entailment of two difference bounds constraints. Moreover, it is used for quantifier elimination. Proposition 4.6. Let φ(x), φ 1 (x) and φ 2 (x), where x = {x 1 , . . . , x N }, be consistent difference bounds constraints. Then the following hold: is obtained by eliminating the k-th line and column from M * φ . Proof. The points (1), (2) and (3), are equivalent to the Theorems 3.4.1, 3.4.2 and 3.6.1 (second point) in [28], respectively.
Difference bounds relations are relations defined by difference bounds constraints over primed and unprimed variables (e.g. x−x ′ ≤ 0). Difference bounds relations have been studied by Comon and Jurski who showed, in [15], that their transitive closure is Presburger definable. In the rest of this paper, for each difference bounds relation R ⊆ Z x ×Z x , we denote by R(x, x ′ ) any difference bounds constraint that defines R.
for every consistent constraint R(x, x ′ ), by Proposition 4.6 (third point). In the rest of this section, we will often write M R instead of M R(x,x ′ ) , whenever the defining constraint R(x, x ′ ) is clear from the context. In the following, the projection operators are assumed to have lower priority than closure operators, e.g. M * R stands for (M * R ). Example 4.7. Figure 1(a) shows the constraint graph G R for the difference bounds relation defined as Figure 1(b) shows the closed DBM representation of R.
We show next that the composition of two difference bounds relations encoded as DBMs can be computed in PTIME using Algorithm 1. Let R 1 , R 2 ⊆ Z x × Z x be two difference bounds relations. We write M 1 and M 2 for M R 1 (x,x ′ ) and M R 2 (x,x ′ ) , i.e. the DBMs corresponding to the difference bounds constraints R 1 (x, x ′ ) and R 2 (x, x ′ ), respectively. Let M 12 ∈ Z 3N ×3N be the following matrix: and let M 1 ⊙ M 2 ∈ Z 2N ×2N be the matrix obtained by erasing the lines and columns N + 1, . . . , 2N from the closure M * 12 , if M 12 is consistent, and ⊥ ⊥ 2N , otherwise.
Proof. The composition R 1 •R 2 is defined by the formula ∃y . R 1 (x, y)∧R 2 (y, x ′ ). It is easy to see that M 12 is the DBM corresponding to the conjunction R 1 (x, y) ∧ R 2 (y, x ′ ), after the elimination of the redundant constraints on y, i.e. the replacement of any conjunction of the form The existential quantifiers are eliminated by checking the consistency of M 12 , computing its closure, and erasing the lines and columns N + 1, . . . , 2N (by Proposition 4.6, third point). The time complexity upper bound is a direct consequence of the complexity of Algorithm 1 (Proposition 4.5) used to compute M * 12 . In general, for a DBM M ∈ Z 2N ×2N ∞ , we define M ⊙ 1 = M and M ⊙ n = M ⊙ n−1 ⊙ M , for any n > 1. An inductive argument shows that the difference bounds constraint ∆[M ⊙ n R(x,x ′ ) ] defines R n , for any difference bounds relation R ⊆ Z x × Z x and n > 0. In the following, we 4.2. Zigzag Automata. In this section we introduce an automata-theoretic model for reasoning about the powers of a difference bounds relation. Since a difference bounds relation R ⊆ Z x × Z x is represented by a difference constraint formula R(x, x ′ ), which, in turn, can be seen as a constraint graph G R (Definition 4.3), the m-th power of R can be seen as a constraint graph consisting of m copies of G R : (4) x (5) x (6) x (7) x (8) Definition 4.9. Let R ⊆ Z x × Z x be a difference bounds relation, where x = {x 1 , . . . , x N }, and G R be the constraint graph of a difference bounds constraint R(x, x ′ ) defining R. The n-times unfolding of G R is defined for every n > 0 as: and for all 0 ≤ k < n, there is an edge: Each constraint in R n (x, x ′ ) corresponds to a path between extremal 5 vertices in G n R . Notice that, since difference bounds relations are closed under composition (Proposition 4.8), then R n is a difference bounds relation, for any n > 0. For any given integer n > 0, assuming that R n is consistent, R n is defined by the following difference constraint: j } stands for the minimal weight between all paths among the extremal vertices x The set of paths between any two extremal vertices in the unfolding graph G n R of a difference bounds relation R, for some n > 0, can be seen as words over the finite alphabet of subgraphs of G R that are accepted by a finite weighted automaton called zigzag automaton [12]. Intuitively, a zigzag automaton reads, at step i in the computation, all edges between x (i) and x (i+1) simultaneously. The weight of a transition fired by the zigzag automaton at step i is the sum of the weights of these edges. A run of a zigzag automaton of length n > 0 will thus encode a path between the extremal vertices in G n R . Since we are interested in the minimal weight paths (4.3), we aim at computing the minimal weight among all runs of length n, as a function of n. One of the results of [12] is that the minimal weight functions are definable in Presburger arithmetic, hence the transitive closures of difference bounds relations are Presburger definable as well. Moreover, one of the results of [10] is that these functions generate periodic sequences. In this paper we use zigzag automata to define the closed form of the sequence {pre n R (Z x )} n≥1 of sets (preconditions) from which larger and larger executions, of length n = 1, 2, . . . are possible. This section is concerned with the formal definition of zigzag automata.
, one for each replaced atomic proposition, not occurring initially in R(x, x ′ ). We assume further on that any given difference bounds constraint R(x, x ′ ) does not contain atomic propositions of the form x − y ≤ c or x ′ − y ′ ≤ c, and that its constraint graph G R is bipartite, i.e. it does only contain edges from x to x ′ or vice versa. We define the zigzag automaton that is used to define the closed form of precondition sequences {pre n R (Z x )} n≥0 , where pre n R (Z x ) ⊆ Z x are sets defined only by constraints between unprimed variables. Since pre n R (Z x ) = pre R n (Z x ), and taking into account the definition of the n-th powers of R (4.3), these constraints correspond to minimal weight paths of the form x These paths are represented by words w = w 1 . . . w n , as follows: the symbol w i represents simultaneously all edges of π that involve only nodes from x (i) ∪ x (i+1) , for all 0 ≤ i < n. With these considerations, the alphabet Σ R is the set of graphs G satisfying the following conditions: the in-degree and out-degree of each node are at most one (4) the number of edges from x to x ′ equals the number of edges from x ′ to x We denote by Σ + R the set of all non-empty words using symbols from Σ R . The weight of any symbol G ∈ Σ R , denoted ω(G), is the sum of the weights that occur on its edges. For a word w = w 1 w 2 . . . w n ∈ Σ + R , we define its weight as ω(w) = n i=1 ω(w i ). Example 4.11. Figure 1(e) shows the zigzag alphabet Σ R for the difference bounds relation  j , for some n > 0. These automata share the same alphabet and transition table, and differ only by the choice of the sets of initial and final states. The common transition table is defined as T R = Q, δ , where the set of states Q is the set of N -tuples q = q 1 , . . . , q N of symbols q i ∈ {ℓ, r, ℓr, rℓ, ⊥} capturing the direction of the incoming and outgoing edges of the alphabet symbols: ℓ for a path traversing from right to left, r for a path traversing from left to right, ℓr for a right incoming and right outgoing path, rℓ for a left incoming and left outgoing path, and ⊥ when there are no incoming nor outgoing edges from that node (see Figure 1(g) for an example of the use of states in a zigzag automaton). The set of transitions δ is the set of transitions of the form q G − → q ′ such that for every 1 ≤ i ≤ N : • q i = ℓ iff G has one edge whose destination is x i , and no other edge involving x i , • q ′ i = ℓ iff G has one edge whose source is x ′ i , and no other edge involving x ′ i , • q i = r iff G has one edge whose source is x i , and no other edge involving x i , • q ′ i = r iff G has one edge whose destination is x ′ i , and no other edge involving x ′ i , • q i = ℓr iff G has exactly two edges involving x i , one having x i as source, and another as destination, • q ′ i = rℓ iff G has exactly two edges involving x ′ i , one having x ′ i as source, and another as destination, r, ℓr, rℓ, ⊥} N are the sets of initial and final states, respectively: The zigzag automaton recognizing elementary cycles that traverse x where T R and F are as defined previously and Since the set of states of a zigzag automaton is the set of tuples {ℓ, r, ℓr, rℓ, ⊥} N , then the number of states reachable from an initial state, and co-reachable from a final state is bounded by 5 N . In the following, we denote runs of the form q 1 Given words w 1 , w 2 ∈ Σ * R and runs π 1 = q 1 w 1 − → q 2 and π 2 = q 2 w 2 − → q 3 of some zigzag automaton A ij , we write π = π 1 .π 2 to denote their concatenation q 1 ≤ 0 from Example 4.7 and Example 4.11. Note that useless 6 control states are not shown and hence the alphabet symbols G 6 and G 7 are not used. Figure 1 Figure 1(g) shows a run of A 24 that accepts γ. The weights of the symbols in the word are ω(

4.2.3.
Language and Periodicity of Zigzag Automata. We recall that G n R denotes the constraint graph obtained by concatenating the constraint graph of R to itself n > 0 times. A run of the zigzag automaton A ij = T R , I ij , F , for some 1 ≤ i, j ≤ N is said to be accepting if it starts with a state from I ij and it ends with a state from F . The following lemma relates certain paths in G n R to runs in zigzag automata. Lemma 4.13 ([12]). Let R(x, x ′ ) be a difference bounds constraint defining a relation and let G R be its constraint graph. Then for any n ≥ 1 such that R n (x, x ′ ) is consistent and any 1 ≤ i, j ≤ N , i = j, A ij has an accepting run of length n if and only if there exists a path in G n R , from x | π is an accepting run in A ij of length n} 6 A control state is useless if it is not reachable from an initial state or no final state is reachable from it.

DECIDING CONDITIONAL TERMINATION 17
Furthermore, for any n ≥ 1, R n (x, x ′ ) is inconsistent if and only if A ii has an accepting run π such that |π| = n and ω(π) < 0 for some 1 ≤ i ≤ N .
The formula (4.3) defining the powers of a difference bounds relation R says that, if R n is consistent, for a given n > 0, then R n is definable by a closed DBM 7 M R n ∈ Z 2N ×2N . It follows that the set pre n R (Z x ) is defined by M n , for any n > 0. Moreover, by (4.3), ( M n ) ij is the minimum weight among all accepting runs of length n of A ij . In the following, we show that the sequence of matrices { M R n } n≥1 is periodic in the following sense: is said to be periodic if and only if: for all k ≥ 1 and i = 0, 1, . . . , c − 1. The smallest b, c for which the above holds are called the prefix and period of the periodic sequence, respectively. Λ 0 , Λ 1 , . . . , Λ c−1 are called the rates of the periodic sequence.
Intuitively, the elements situated at equal distances (c ≥ 1) beyond a certain threshold (b ≥ 1) in a periodic sequence, differ by equal quantities. The following proposition establishes the equivalence between periodic sequences of integers and matrices: Moreover, the prefix, period and rates of the {M k } ∞ k=1 sequence are effectively computable given the prefix, period and rates of the {(M k ) ij } ∞ k=1 sequences, respectively. Proof. See Lemma 1 in [10].
Periodicity of integer sequences is preserved by several arithmetic operations, as shown by the following lemma: be two periodic sequences of integers, of given prefix, period and rates. Then the sequences are periodic, and moreover, their prefix, period and rates are effectively computable, respectively.
is a set of edges, and ω : E → Z is a weight function. The following theorem shows that the matrices giving the weights of the minimal weight paths of a given length in a weighted graph form a periodic sequence of matrices. , where for all 1 ≤ i, j ≤ N , (A n ) ij is the minimal weight among all paths of length n from v i to v j in G. Then {A n } n≥1 is a periodic sequence, and its prefix, period and rates are effectively computable.
Proof. See, e.g. Theorem 3.3 in [38]. 7 Since the coefficients of the DBM are minimal weight paths, the triangle inequality holds.
An important consequence of Theorem 4.17 is that, for a * -consistent difference bounds relation R, the sequence of sets {pre n R (Z x )} n≥1 is definable by a periodic sequence of difference bounds matrices.
is periodic, and its prefix, period and rates are all effectively computable.
Proof. Since R is * -consistent, G n R does not have negative cycles, for any n > 0, hence the minimum min Since R n is defined by the difference bounds constraint (4.3), and since the triangle inequality: holds for all pairwise distinct indices 1 ≤ i, j, k ≤ N , then we have: by the uniqueness of the closure for DBMs. Clearly, Let T R = Q, δ, ω , Q = {q 1 , . . . , q 5 N }, be the common transition table of all zigzag automata A ij = T R , I ij , F for R. Then, by Theorem 4.17, the sequence {T m } m≥0 is periodic, where T m ∈ Z 5 N ×5 N is the matrix defined as: (T m ) kℓ is the minimum weight among all paths of length m between q k and q ℓ in T R , 1 ≤ k, ℓ ≤ 5 N . By Lemma 4.13, we have: The effective computability of the prefix, period, and rates of the { M * R n } n≥1 sequence follows from the constructive arguments of Theorem 4.17, Proposition 4.15 and Lemma 4.16, respectively. Fig. 1 for G 8 R ). The first 11 elements of the sequence are depicted in Figure 2. The periodic behavior can be observed for prefix b = 3, period c = 3, and rates Λ 0 , Λ 1 , Λ 2 defined in Figure 2. For example, M * 4.3. Octagonal Constraints. Octagonal constraints are a generalization of difference bounds constraints to conjunctions of atomic propositions of the form ±x ± y ≤ c, c ∈ Z. An octagonal constraint φ(x 1 , . . . , x N ) is usually represented by a difference bounds constraints φ(y 1 , . . . , y 2N ) where y 2i−1 stands for +x i and y 2i stands for −x i , with the implicit requirement that y 2i−1 = −y 2i , for each 1 ≤ i ≤ N . It is important to notice that this implicit condition cannot be directly represented as a difference constraint. The class of integer octagonal constraints is formally defined as follows: We represent octagons as difference bounds constraints over the dual set of variables y = {y 1 , y 2 , . . . , y 2N }, with the convention that y 2i−1 stands for x i and y 2i for −x i , respectively. For example, the octagonal constraint x 1 +x 2 = 3 is represented as In order to handle the y variables in the following, we defineī = i − 1, if i is even, and ı = i + 1 if i is odd. Obviously, we haveī = i, for all i ∈ Z, i ≥ 1. We denote by φ(y) the difference bounds constraint over y that represents φ(x) and which is defined as follows: This property is needed since, for example, an atomic proposition corresponds to the following octagonal constraint: Given an octagonal constraint φ(x), we have the following equivalences: For each octagonal constraint φ(x), we define µ(φ) to be the maximal absolute value over all constants that appear in φ(x), formally: The last condition from Definition 4.22 ensures that the knowledge induced by the implicit conditions y i + yī = 0, which cannot be represented as difference constraints, has been propagated through the DBM. Since M is supposed to be the most precise DBM representation of an octagonal constraint. Moreover, by taking j =ī in the previous, we have M iī ≤ 2⌊ M iī 2 ⌋, implying that M iī is necessarily even, if M is tightly closed.
The following theorem from [2] provides an effective way of testing octagonal-consistency and computing the tight closure of a coherent DBM. Moreover, it shows that the tight closure of a given DBM is unique and can also be computed with the same worst-case time complexity as the DBM closure.
Moreover, the following proposition shows that octagonal constraints are closed under existential quantification.
Proof. For the first point, see Theorem 2 in [7]. For the second point, let us define the . By Theorem 4.23, it is sufficient to prove that for every 1 ≤ i, j ≤ 2N such that P * iī < ∞ and P * j < ∞, the following holds: Clearly, there exists 1 ≤ k, ℓ ≤ N such that either of the following holds: We give the proof for the first case (the other being symmetric). Then, (4.6) is equivalent Figure 3. Graph and matrix representation of the difference bounds repre- Finally, we combine the equivalences: A relation R ⊆ Z x × Z x over a set of variables is an octagonal relation if it can be defined by an octagonal constraint. The problem of computing the closed forms of octagonal relations has been studied first in [7], where it was shown that the transitive closures of octagonal relations are Presburger definable. In [10] we show that the sequence of tightly closed DBM encodings of the powers of an octagonal relations is periodic, in the sense of Definition 4.15. Moreover, the prefix, period and rates of this sequence of matrices are effectively computable. This result is crucial in showing that the weakest non-termination preconditions wrs(R) are Presburger definable and effectively computable, and moreover, that the well-foundedness problem for octagonal relations is decidable. Figure 3(a) shows the graph representation G R . Note that the implicit constraint y ′ 3 − y ′ 4 ≤ 1 (represented by a dashed edge in Figure 3(a) is not tight. The tightening step replaces the bound 1 (crossed in Figure 3(a)) with 0. Figure  3(b) shows the tightly closed DBM representation of R, denoted M t R .
. , x N }, be an octagonal constraint and R(y, y ′ ), where y = {y 1 , . . . , y 2N }, be its difference bounds representation. Then, for each n ≥ 1, consistency of R n (x, x ′ ) implies consistency of R n (y, y ′ ). Consequently, * - Proof. It follows from the definition of consistency of octagonal and difference bounds constraints that: The next proposition shows that the composition of two octagonal relations is octagonal, and moreover, can be computed in PTIME using the tight closure method of Theorem 4.23.
Proof. Among the lines of the proof of Proposition 4.8. An easy check shows that, if M 1 and M 2 are coherent, then M 12 is coherent as well. The consistency of M 12 can be checked in time O(N 3 · (N + log 2 (max(µ(R 1 ), µ(R 2 ))))) by Algorithm 1, and its closure M * 12 can be computed during this check. The octagonal consistency of M 12 is checked applying Theorem 4.23, and the same can be done to compute the tight closure M t 12 . Clearly, these steps do not add to the previous complexity upper bound. Finally, the existential quantifier from ∃x ′′ . R 1 (x, x ′′ ) ∧ R 2 (x ′′ , x ′ ) can be eliminated using Proposition 4.26.
A simple inductive argument based on Proposition 4.29 shows that the n-th power R n of the relation , for all n > 0. In the following, we denote the formula Ω[M ⊙ n t ] by R n (x, x ′ ). As usual, let R(y, y ′ ) be the difference bounds constraint encoding R(x, x ′ ), and R n (y, y ′ ) be the difference bounds constraint defining the n-th power of the relation defined by R(y, y ′ ). The following lemma establishes an essential connection between the DBMs M t R n , M t R n , M * R n ∈ Z 4N ×4N , leading to a method for the computation of the transitive closures for octagonal relations [7]. . , x N } be a set of variables and R ⊆ Z x ×Z x be a * -consistent octagonal relation. Then the following hold, for all integers n > 0: Proof. We prove the first point by induction on n > 0. The base case n = 1 is immediate.
Since R is * -consistent, then M t R n is an octagonal-consistent DBM and we can directly apply Theorem 4.23 to prove the second point.
The following result shows that the sequence {pre n R (Z x )} n≥1 , of a * -consistent octagonal relation R is defined by a periodic sequence of matrices.
is periodic, and its prefix, period and rates are all effectively computable.
Proof. By Lemma 4.30, for all 1 ≤ i, j ≤ 2N we have: Recall that µ(R) The main result of this section is an algorithm (Algorithm 3) that computes the weakest recurrent set of an octagonal relation R in at most O(N 4 · (N + log 2 (µ(R)))) time. The main insight of the algorithm is that the Kleene sequence {pre n R (Z x )} n≥1 either (1) never stabilizes, in which case . . . and wrs(R) = ∅, or (2) stabilizes after at most 5 2N steps, in which case Then, the stability of the sequence can be checked by checking equality between its 5 2N -th element with the (5 2N + 1)-th element. These elements can be computed by fast exponentiation by applying at most O(⌈log 2 5 2N + 1⌉) = O(N ) relational compositions. We then show that the absolute values of the coefficients of the octagonal constraint defining the set pre n R (Z x ) is of the order O(µ(R) · N · n). Consequently, each of the octagonal compositions performed during fast exponentiation takes at most O(N 3 · (log 2 (µ(R) · N · 5 2N ))) = O(N 4 · (N + log 2 (µ(R)))) time, by Proposition 4.29. As a direct consequence of the correctness of this algorithm, one obtains a decision procedure for the termination problem with the same worst-case complexity, simply by testing the computed wrs(R), itself an octagonal constraint, for consistency.
The correctness argument of Algorithm 3 for * -consistent octagonal relations depends on Lemmas 4.33, 4.35, and 4.36. First, Lemma 4.33 proves that the weakest recurrent set of an * -consistent octagonal relation R(x, x ′ ) is the limit of the Kleene sequence {pre n R (Z x )} n≥1 and moreover, that the limit is either empty or stabilizes after a finite number of steps. Next, Lemma 4.35 gives two equivalent conditions for checking well-foundedness of an arbitrary * -consistent difference bounds relation R(x, x ′ ). Its main insight is that the instability of the sequence {pre n R (Z x )} n≥1 (and thus well-foundedness of R) is equivalent to existence of a negative-weight cycle in zigzag automata. Moreover, it proves that the instability manifests already after 5 N steps (5 N is an upper bound on the size of elementary cycles in zigzag automata). Then, Lemma 4.36 proves that an octagonal relation R(x, x ′ ), where x = {x 1 , . . . , x N }, is well founded if and only if its difference bounds representation R(y, y ′ ), where y = {y 1 , . . . , y 2N }, is well founded. Hence the stability stability bound of 5 2N applies for octagonal relations, as a consequence of Lemma 4.35.
The following proposition gives an alternative characterization of periodic sequences of matrices. Proof. By induction on n ≥ 0, we prove that M nc+b+i = n · Λ i + M b+i , for all n ≥ 0 and for all 0 ≤ i < c. The base case trivially holds. For the induction step, observe that The first equality is by Definition 4.14, the second is by the induction hypothesis.
Given a * -consistent octagonal relation R(x, x ′ ) and integers b ≥ 1, c ≥ 1, we denote by ◊ pre R,b,c (k, x) the closed form of the sequence {pre b+nc R (Z x )} n≥0 . Given a * -consistent octagonal relation R and integers b, c such that b is the prefix and c is the period of the sequence { M t R n } n≥1 , the following lemma proves that the closed form ◊ pre R,b,c (k, x) can be computed and moreover, one can perform a simple syntactical check on ◊ pre R,b,c (k, x) to compute the weakest recurrent set, which is either ∅ or pre b R (Z x ). For a set v of variables, let OctT erm(v) = {±v 1 ± v 2 | v 1 , v 2 ∈ v} denote the set of octagonal terms over v. Lemma 4.33. Let R(x, x ′ ) be an octagonal constraint defining a * -consistent relation R ⊆ Z x × Z x , let b be the prefix and c the period of { M t R n } n≥1 . Then, there exists a set of octagonal terms U ⊆ OctT erm(x) such that for some a u ∈ Z, d u ≤ 0. Moreover, the set U and the coefficients a u , d u , u ∈ U , are effectively computable. Furthermore, Proof. The sequence { M t R n } n≥1 is periodic, by Lemma 4.31. Let Λ 0 , . . . , Λ c−1 be its rates. For each u ∈ OctT erm(x), we define indices i u , j u as: Then, the set of octagonal terms which are bounded in Hence, we can define the coefficients a u ∈ Z, d u ≤ 0 for each u ∈ U as By Lemma 4.31, the prefix b, the period c, and the rate Λ 0 are effectively computable. Consequently, the set U and coefficients a u , d u , u ∈ U , defined above are effectively computable too. It follows from (4.8) that the closed form of {pre b+nc R (Z x )} n≥0 can now be defined as . The latter set can now be defined as We have is the empty set, if d u < 0 for some u ∈ U . In this case, condition 3 of Lemma 3.7 holds. Otherwise, we obtain n≥1 pre n R (Z x ) ≡ u∈U u ≤ a u . However, this is exactly the set pre b In this case, condition 2 of Lemma 3.7 holds. Thus, we can apply Lemma 3.7 in both cases and conclude that wrs(R) = n≥1 pre n R (Z x ). To summarize, wrs(R) = ∅ if d u < 0 for some u ∈ U . Otherwise, wrs(R) = pre b R (Z x ). The following proposition proves that the Kleene sequence {pre n R (Z x )} n≥1 is strictly descending for arbitrary relation that is both * -consistent and well founded.
Proposition 4.34. Let R ⊆ Z x × Z x be a * -consistent and well-founded relation. Then, For a proof by contraposition, suppose that pre n 1 R (Z x ) = pre n 2 R (Z x ) some n 2 > n 1 ≥ 1. Then wrs(R) = pre n 1 R (Z x ), by Lemma 3.7. Since R is * -consistent, then clearly wrs(R) = pre n 1 R (Z x ) = ∅ and R is not well founded.
The following two lemmas give several equivalent conditions for checking that a difference bounds (Lemma 4.35) or an octagonal relation (Lemma 4.36) is well founded. These conditions will later be used to design an efficient polynomial time algorithm that computes the weakest recurrent set of an octagonal relation. These conditions also provide the basis for the proof of existence of a linear ranking functions for well-founded octagonal relations, which we give in the next section.
. , x N }, be a difference bounds constraint defining a * -consistent relation R ⊆ Z x × Z x and let T R = Q, δ, ω be the transition table of zigzag automata. Then, the following statements are equivalent: there exists a zigzag automaton A ij = T R , I ij , F for some 1 ≤ i, j ≤ N, i = j with an accepting run µ.λ.µ ′ where λ is a cycle such that |λ| > 0 and ω(λ) < 0.
. , x N }, be an octagonal constraint defining a * -consistent relation R ⊆ Z x × Z x , and let R(y, y ′ ), where y = {y 1 , . . . , y 2N }, be the difference bounds encoding of R(x, x ′ ). Then, the following statements are equivalent.
for some integers n 1 , n 2 such that 5 2N ≤ n 1 < n 2 Proof. Observe that since R is * -consistent, R is * -consistent too, by Proposition 4.28.
(3 ⇒ 2) We first prove that pre n 1 R (Z x ) pre n 2 R (Z x ) implies that pre n 1 R (Z y ) pre n 2 R (Z y ). For a proof by contraposition, suppose that pre n 1 R (Z y ) ⊆ pre n 2 R (Z y ). By Proposition 3.1, pre n 1 R (Z y ) ⊇ pre n 2 R (Z y ) and consequently, pre n 1 R (Z y ) = pre n 2 R (Z y ). Then, M * R n 1 = M * R n 2 , by Proposition 4.6. This implies that M t R n 1 = M t R n 2 , by Lemma 4.30. Consequently, pre n 1 R (Z x ) = pre n 2 R (Z x ), by Proposition 4.25. Since 5 2N ≤ n 1 < n 2 and pre n 1 R (Z y ) pre n 2 R (Z y ), then R is well founded, by Lemma 4.35.
(2 ⇒ 1) The sequence {pre n R (Z y )} n≥1 is strictly descending, by Proposition 4.34. Hence . . . and it follows from Proposition 4.6 that M * Clearly, there exist integers 1 ≤ i, j ≤ 2N such that i = i n and j = j n for infinitely many n ≥ 1. Consequently, for each n ≥ 1 there exists m > n such that By Lemma 4.30, the following holds for each n ≥ 1 By Equation (4.4) and coherency of tight encoding, there exist integers 1 ≤ k, ℓ ≤ N such that for each n ≥ 1, Ω[ M t R n ] implies: Let u ∈ OctT erm(x) be the octagonal term from above (i.e. of the form ±x k ± x ℓ ). By Lemma 4.33, wrs Consequently, wrs(R) = ∅ and R is thus well founded.
The main result of this section is Algorithm 3 which computes the weakest non-termination precondition of an octagonal relation, in time polynomial in the number of variables and logarithmic in the maximal absolute value among all coefficients of the relation. As an auxiliary procedure, it uses Algorithm 2 to compute exponentially large powers in polynomial time.
Proof. Let µ P,i (respectively µ Q,i ) be the maximal absolute value over all integer entries of P (respectively Q) before executing line 9 during the i-th iteration for i = 1, . . . , ⌈log 2 n⌉. Further, let n i ≥ 0 be an integer such that Ω[P ] ⇔ R n i (x, x ′ ) at line 7 during the i-th iteration. Notice that before executing line 7, It is easy to see that Ω[Q] is consistent before executing line 9. Since n i ≤ 2 i−1 , it then follows that Ω[P ] is consistent before executing line 10 too. Thus, compositions on lines 10 and 11 are always applied to two consistent relations. If the test on line 7 passes, then Ω[Q] ⇔ R 2 i−1 ⇔ false and consequently, since 2 i−1 < n, R n ⇔ false too. Thus, the algorithm returns the correct result on line 8. The correctness of the rest of the algorithm is easy to see.
Lines 2-5 take at most O(N 3 · (N + log 2 µ(R))) time, by Corollary 4.24. Since the graph unfolding G 2 i R , corresponding to R 2 i for each i ≥ 1, has 2N · 2 i nodes, each elementary path in this graph is of length at most 2N · 2 i . Thus, (M * Tightening clearly does not change this bound. Since Q ⇔ R 2 i−1 ⇔ false on line 9, then µ Q,i ≤ µ(R) · 2N · 2 i−1 . By Proposition 4.29, composition on line 11 can be computed in time O(N 3 ·(N +log 2 (µ Q,i ))). Since i ≤ ⌈log 2 n⌉, this simplifies to O(N 3 · (N + log 2 µ(R) + ⌈log 2 n⌉)). Since n i ≤ 2 i−1 , then µ P,i ≤ µ Q,i and the same bound applies for the composition on line 10. By the definition of the composition operator ⊙ t and the tight closure operator, the octagonal-consistency check on line 7 can be taken care of during the preceding assignment to Q, i.e. on line 11 (composition) or on line 5 (tight closure). Thus, the overall running time of the algorithm is in the order of O(⌈log 2 n⌉ · N 3 · (N + log 2 µ(R) + ⌈log 2 n⌉)). Finally, µ(R n ) is asymptotically bounded by O(µ(R) · N · n).  return . , x N } for some N ≥ 1, be an octagonal constraint defining a relation R ⊆ Z x × Z x . Then, Algorithm 3 returns an octagonal constraint φ(x) that defines wrs(R) in at most O(N 4 · (N + log 2 µ(R))) time. Also, µ(φ) = O(µ(R) · N · 2 N ).
Proof. By Lemma 4.37, lines 2 and 3 of the algorithm compute V ⇔ R 5 2N and W ⇔ R 5 2N +1 in at most O(N 4 · (N + log 2 µ(R))) time and moreover, µ(V ) and µ(W ) are of the order O(µ(R) · N · 2 N ). By Corollary 4.24, the test W ⇔ false can be performed in at most O(N 3 · (N + log 2 µ(W ))) time. If the test fails, the algorithm returns false. Otherwise, W is consistent and moreover, since 5 2N < 5 2N + 1, V is consistent too.  An immediate consequence of Theorem 4.38 is that the termination problem is decidable.

4.5.
On the Existence of Linear Ranking Functions. We first define the notion of a linear ranking function, using the following notation: if f (x) is a linear term over x of the form f (x) = a 0 + N i=1 a i x i where a 0 , . . . , a N ∈ Z, then f (x ′ ) denotes the corresponding term over 40. Given a relation defined by R(x, x ′ ), a linear ranking function f : x → Z for R(x, x ′ ) is a linear term f (x) such that the following holds: A ranking function for a given relation R constitutes a proof of the fact that R is well founded. In this section, we show that for any well-founded octagonal relation R( x ′ ) has a linear ranking function if and only if R is well founded. Note that if R is well founded, then V is guaranteed to have a linear ranking function even when R alone does not have one. Moreover, we show that such a linear ranking function can be computed in polynomial time. The proof is organized as follows. First, we show in Lemma 4.41 that for each m ≥ 1, strengthening R(x, x ′ ) with ∃x ′ .R m (x, x ′ ) preserves the (conditional) termination problem, formally: wrs(R) = wrs(R m ) where R m is defined by R(x, x ′ ) ∧ ∃x ′ .R m (x, x ′ ). As a consequence, wrs(R) = wrs(V ).
In Section 4.5.1, we study the case when R(x, x ′ ) is a well-founded difference bounds constraint. Here, we first generalize Lemma 4.35 and show that the zigzag automaton of R is guaranteed to have a negative-weight cycle, whenever the 5 N -th power of R is consistent. Lemma 4.43 and Lemma 4.47 use the structure of this cycle, representing several of the constraints in R, to show the existence of the linear ranking function for the witness relation Section 4.5.2 then studies octagonal relations. Given an octagonal constraint R(x, x ′ ), where x = {x 1 , . . . , x N }, with its difference bounds representation R(y, y ′ ), where y = {y 1 , . . . , y 2N }, such that R is well founded and the 5 2N -th power of R is consistent, we first apply the above result and immediately infer that R(y, y ′ ) ∧ ∃y ′ .R For the case when the 5 2N -th power is not consistent, it follows easily that R( is not consistent either and hence, trivially, has a linear ranking function. Then, since the sequence x ′ ) and one can thus show that f is also a ranking function for V . Finally, we summarize this reasoning in Theorem 4.51 and prove that such a linear ranking function can be found in polynomial time. Proof. "⊆" By Proposition 3.1, pre R ′ (S) ⊆ pre R (S) for any set S and relations R, R ′ such that R ′ ⊆ R. Since R m ⊆ R, then pre Rm (Z x ) ⊆ pre R (Z x ). Applying this argument n-times, we infer that pre n Rm (Z x ) ⊆ pre n R (Z x ). Thus, we have: wrs(R m ) = n≥1 pre n Rm (Z x ) by Lemma 4.33 ⊆ n≥1 pre n R (Z x ) = wrs(R) by Lemma 4.33 "⊇" We prove the dual. Assume that wrs(R) = ∅, i.e. there exists an infinite sequence of valuations σ = {ν i ∈ Z x } i≥0 such that (ν i , ν i+1 ) ∈ R, for all i ≥ 0. Then each ν i belong to the set defined by ∃x ′ . R m (x, x ′ ), hence σ is an infinite sequence for the relation defined by R(x, x ′ ) ∧ ∃x ′ .R m (x, x ′ ) as well.

Linear Ranking Function for Difference Bounds Relation.
In the rest of this section, let us fix the set of variables x = {x 1 , . . . , x N } for some constant N ≥ 1. We first prove the existence of a negative-weight cycle in a zigzag automaton whenever the 5 N -th power of a well-founded difference bounds relation R(x, x ′ ) is consistent.
Lemma 4.42. Let R(x, x ′ ) be a well-founded difference bounds relation such that R 5 N (x, x ′ ) is consistent. Then, there exists a zigzag automaton A ij = T R , I ij , F for some 1 ≤ i, j ≤ N with an accepting run µ.λ.µ ′ where λ is a cycle such that |λ| > 0 and ω(λ) < 0.
Proof. If R(x, x ′ ) is * -consistent, then the result follows immediately from Lemma 4.35.
Then ω(µ.µ ′ ) = ω(π) − ω(λ) < 0 and hence, by Lemma 4.13, R m (x, x ′ ) is not consistent. Since m < n, this contradicts the definition of n as the minimal inconsistent power. Thus, ω(λ) < 0 and the run µ.λ.µ ′ of A ii has the property required by the lemma.
We next prove the existence of a linear decreasing function, based on the existence of a negative-weight cycle in the zigzag automaton.
Proof. By Lemma 4.42, there exist integers 1 ≤ i, j ≤ N such that the zigzag automaton A ij has an accepting run µ.λ.µ ′ where λ is a cycle such that |λ| > 0 and ω(λ) < 0. Let us Recall that G j is a bipartite graph for each 0 ≤ j < p and therefore contains edges of the form Consider the following sum of all constraints represented by edges appearing in λ (note that the sum of weights of these edges equals ω(λ)): Notice that for each 0 ≤ j < p, there exists an accepting run of the form for some q, q ′ ∈ Q and w, w ′ ∈ Σ * R . It follows from the definition of zigzag automata that for each edge e 1 : x ′ k − → x i ∈ E j , there exists a unique "successor" e 2 which is of either of the following forms: (4.10) Dually, e 1 is said to be the unique "predecessor" of e 2 . Similarly, for each edge e 1 : x k − → x ′ i ∈ E j , there exists a unique successor e 2 which is of either of the following forms: Consider the following sum: (4.12) and note that every edge e = (x k − → x ′ i ) ∈ E j , where 1 ≤ i, j ≤ N, 0 ≤ j < p, is considered exactly twice in (4.12), since • e has a unique successor and therefore contributes with the −x ′ i term in (4.12) • e has a unique predecessor and therefore contributes with the +x k term in (4.12) Similarly, every edge (x ′ k − → x i ) ∈ E j is considered twice and contributes with terms −x i and +x ′ k . Hence, the sum (4.12) is equivalent to the left-hand side of (4.9). Clearly, the second and the fourth sum in (4.12) evaluate to zero. It follows from Equations (4.11) and (4.10) that the remaining two sums can be written equivalently as Thus, (4.9) can be written equivalently as Let f (x) denote the negated sum of all unprimed terms in (4.13) and g(x ′ ) denote the sum of all primed terms in (4.13). Clearly, f (x) = g(x ′ )[x/x ′ ] (i.e. g(x ′ ) is the primed counterpart of f (x)) and (4.14) can be written as g( We thus obtain: Hence, f (x) is strictly decreasing, formally:  Figure 1). By Lemma 4.35, there exists an accepting run µ.λ.µ ′ in a zigzag automaton where λ is a cycle such that ω(λ) < 0. Figure 4 depicts such a run in A 2,4 where µ, λ, and µ ′ are labeled with words G 3 , G 1 .G 2 .G 3 , and G 4 , respectively. We have ω(λ) = −1. We follow the construction from Lemma 4.43 and sum the edges that are present in λ (see the solid edges in G 1 , G 2 , and G 3 in Figure 4). We obtain  Figure (a) shows a run π that accepts word γ = G 3 .G 1 .G 2 .G 3 .G 4 . Figure (b) shows G π , obtained by concatenating the symbols (graphs) of γ. G π contains a single path ρ from x Next, we prove that all functions of Lemma 4.43 are bounded, concluding that they are indeed ranking functions. Each run π of length n ≥ 1 in the zigzag automaton A ij , Assuming that E ℓ is the set of edges in G ℓ for each 0 ≤ ℓ < n, we define the concatenation of graphs G 0 , . . . , G n−1 as H π = (V, E) where V = n ℓ=0 x (ℓ) and x for all 0 ≤ ℓ < n and 1 ≤ i, j ≤ N . See Figure 4 for an illustration. Supposing that π traverses a cycle λ in A ij (see the cycle λ in Figure 4), π can be decomposed into a prefix, the cycle itself and a suffix. By the definition of zigzag automata, H π contains exactly one path 8 ρ from x  Figure 4(a) mark such a matching). These paths from the exit to the corresponding entries give the lower bound on f (x), formally: R n (x, x ′ ) ⇒ f (x) ≥ h for some h ∈ Z and sufficiently large n ≥ 1 (Proposition 4.45). In fact, these paths appear already on graphs G i R for every i ≥ N 2 (Lemma 4.46) and the "sufficiently large n" can be thus bounded by N 2 . Hence the need for a strengthened witness R(x, x ′ )∧∃x ′ .R N 2 (x, x ′ ), as R alone is not enough for proving boundedness of f (x). Lemma 4.47 combines all these results to prove the existence of a ranking function.  such that for every i ∈ {j | (q k ) j = r}, the following formula is valid: Proof. We define a shift operator that for every path ρ in G m R , m ≥ 1, of the form ρ = x ip , p > 1, and every k ∈ Z, returns the path ρ →k defined as: Let us assume that G k = (x ∪ x ′ , E k ) for each 0 ≤ k < n and let us denote by w the word G 0 .G 1 . . . G n−1 accepted by π. Given a path ρ in G n R , let V ρ denote the set of all vertices traversed by ρ. It follows from the definition of zigzag automata that H π contains one path ν 0 that starts in x i , but it must eventually turn left and reach x (k) j such that (q k ) j = ℓ for some 1 ≤ j ≤ N , either in order to reach x x (m) , the path would have to cross some component (q k ) t , 1 ≤ t ≤ N , such that (q k ) t = ℓ). Hence, ρ can be shifted by −k and we obtain a path ρ ′ = ρ →(−k) that starts in x (0) i and ends in x As an immediate consequence, the following formulas are valid too: The next lemma proves, for any two unprimed variables Lemma 4.46. Let R(x, x ′ ) be a difference bounds constraint. Then, for each 1 ≤ i, j ≤ N, i = j and for each n ≥ 1, the following is a valid formula: Proof. Let us first define, for each n ≥ 1: j in G n R } Clearly, for each n ≥ 1, G n R is a subgraph of G n+1 R and hence B n ⊆ B n+1 . Next observe that for every n ≥ 1, every path ρ from x can be written as ρ = τ 0 .ν 1 .τ 1 . . . ν p .τ p for some p ≥ 0 such that τ 0 , . . . , τ p traverse only nodes from x (0) ∪x (1) and ν 1 , . . . , ν p traverse only nodes from j in G n R and consequently, (i, j) ∈ B n . Hence, we have for all n ≥ 1: k 4 ), . . . ∈ B n and G R has paths x (0) Hence, B n+1 is a function of B n and G R . Consequently, if B n = B n+1 for some n ≥ 1, then B m = B n for all m ≥ n. Clearly, |B n | ≤ N 2 for any n ≥ 1. Hence, the sequence {B n } n≥1 stabilizes after at most N 2 steps, formally: B n = B N 2 for all n ≥ N 2 . Consequently, the implication (i, j) ∈ B n ⇒ (i, j) ∈ B N 2 (4.16) holds for all n ≥ N 2 . In fact, it is also valid for all 1 ≤ n < N 2 , since we have B n ⊆ B N 2 in this case. Hence, (4.16) holds for all n ≥ 1. Next, observe that: Finally, we combine the above with (4.16) and conclude that for all n ≥ 1 and for all 1 ≤ i, j ≤ N , we have: Hence, the lemma holds.
Finally, we show that each decreasing function of Lemma 4.43 is also bounded, concluding that it is a linear ranking function.
Lemma 4.47. Let R(x, x ′ ) be a difference bounds constraint defining a well-founded relation R ⊆ Z x × Z x such that R 5 N (x, x ′ ) is consistent. Then, there exists a linear ranking function Proof. Let µ.λ.µ ′ be an accepting run from Lemma 4.43 where λ is a negative-weight cycle of the form λ = q 0 Hence, for each 0 ≤ j < p and 1 ≤ i ≤ N , (q j ) i contributes to f (x) with terms: Let n def = |µ.λ.µ ′ |. By Proposition 4.45, for each 0 ≤ j < p, there exists a bijection By Lemma 4.46, we then have: Thus, since each term x β j (i) − x i in the above sum is bounded in ∃x ′ . R N 2 (x, x ′ ), it follows that the sum of these terms is bounded too: By Lemma 4.43, we have: Since strengthening the hypothesis of any implication preserves its validity, we can infer from (4.17) and (4.18) that:  Figure 4(a) mark these bijections). Next, we define the paths ρ 0 , ρ 1 , ρ 2 as subpaths of ρ from Figure 4 Note that The bijection β 0 therefore satisfies the required properties. Next, we apply Proposition 4.46 and infer that (∃x ′ . R N 2 (x, x ′ )) ⇒ (x β 0 (1) − x 1 ) ≥ c 0 for some c 0 ∈ Z. By analogical reasoning, we infer that Then, we infer: We conclude that f (x) is a ranking function.
As an experiment, we have tried the iRankFinder [4] tool (complete for integer linear ranking functions), which failed to discover a ranking function on this example. This comes with no surprise, since no linear decreasing function that is bounded after the first iteration exists. However, iRankFinder finds a linear ranking function for the witness relation R(x, x ′ ) ∧ ∃x ′ .R N 2 (x, x ′ ) instead. Interestingly, the linear ranking function found by iRankFinder differs from the one computed in this example only by a constant.

Linear Ranking Functions for Octagonal Relations.
In the rest of this section, let us fix the sets of variables x = {x 1 , . . . , x N } and y = {y 1 , . . . , y 2N } for some constant N ≥ 1. The following proposition gives a way to construct a linear ranking function for an octagonal relation R(x, x ′ ) from any linear ranking function for its difference bounds representation R(y, y ′ ).
Proposition 4.49. Let R(x, x ′ ) be an octagonal constraint, R(y, y ′ ) be its difference bounds encoding and let f (y) be a linear ranking function for R(y, y ′ ). Then, the function f (x) , is a linear ranking function for R(x, x ′ ). Proof. Clearly, f (x) is linear by definition. We have the following equivalences: (by definition of f (x)) Since f (y) is a linear ranking function for R(y, y ′ ), the following formula is valid: The next proposition generalizes Proposition 4.50 and shows how to construct a linear ranking function for an octagonal relation R(x, x ′ ) ∧ ∃x ′ .R n (x, x ′ ) from any linear ranking function for the difference bounds relation R(y, y ′ ) ∧ ∃y ′ . R n (y, y ′ ).
Proposition 4.50. Let R(x, x ′ ) be an octagonal constraint, R(y, y ′ ) be its difference bounds encoding and let f (y) be a linear ranking function for R(y, y ′ ) ∧ ∃y ′ . R n (y, y ′ ), for a fixed Proof. Let us first define the following substitution Next, observe that (the second equivalence is by Proposition 4.26) Consequently, we have: (4.19)) (4.20) Consequently, we have: Thus, since f (y) is a linear ranking function for R(y, y ′ ) ∧ ∃y ′ . R n (y, y ′ ), then f (x) is a linear ranking function for R(x, x ′ ) ∧ ∃x ′ . R n (x, x ′ ), by Proposition 4.49.
Finally, we can combine the above results into the main theorem.
Theorem 4.51. Let R ⊆ Z x × Z x be a relation defined by an octagonal constraint R(x, x ′ ) and let V ⊆ Z x × Z x be a relation defined by Then, R is well founded if and only if V is well founded if and only if V (x, x ′ ) has a linear ranking function. Moreover, both V (x, x ′ ) and the linear ranking function are computable in polynomial time.
Proof. The fact that R(x, x ′ ) is well founded if and only if V (x, x ′ ) is well founded follows from Lemma 4.41. Thus, if R(x, x ′ ) is not well founded, neither is V (x, x ′ ) and hence, V (x, x ′ ) has no (linear) ranking function. In the rest of the proof, we show that if R(x, x ′ ) is well founded, then there exists a linear ranking function for V (x, x ′ ). As a first subcase, suppose that R 5 2N (x, x ′ ) is inconsistent. Then clearly, V (x, x ′ ) is inconsistent too and, trivially, V (x, x ′ ) has a linear ranking function. As a second subcase, suppose that (y, y ′ ) is consistent too. Since R is well founded, R is well founded too, by Lemma 4.36. Then, by Lemma 4.47, there exists a linear ranking function f for R(y, y ′ ) ∧ ∃y ′ .R Combining (4.21) with (4.22), we infer that f (x) is a linear ranking function for R(x, By Lemma 4.37, V can be computed in at most O(N 4 · (N + log 2 µ(R))) time and moreover, µ(V ) is of the order O(µ(R)·N ·2 N ). Consistency of V (x, x ′ ) can then be checked in at most O(N 3 · (N + log 2 µ(V ))) = O(N 3 · (N + log 2 µ(R))) time, by Corollary 4.24. If V ⇔ false, one can return an arbitrary linear function f (x). Otherwise, if V ⇔ false, one (y, y ′ ), again in at most O(N 3 · (N + log 2 µ(R))) time, as a consequence of Proposition 4.26, Proposition 4.25, and Corollary 4.24. Then, a linear ranking function for R can be computed in time that is polynomial in the bit-size of V (x, x ′ ), as proved in [4] (see Corollary 4.8 in Section 4.1). It follows easily from Definition 4.20 that V (x, x ′ ) can be represented using O(log 2 (µ(V )) · 3 · (2N ) 2 ) = O(N 2 · (log 2 N + log 2 µ(R))) bits. Thus, the time needed to compute f is polynomial in µ R and N . Finally, one computes f , again in polynomial time.

Linear Affine Relations
The previous section was concerned with computing weakest non-termination preconditions for non-deterministic integer relations (octagonal relations). Here, we present linear affine relations which are a general model of deterministic transition relations. Linear affine relations are conjunctions of equalities of the form x ′ = a 1 x 1 + . . . + a n x n + b, where a 1 , . . . , a n ∈ Z are integer coefficients, and Presburger definable conditions on the unprimed variables x 1 , . . . , x n . First, we show that the weakest recurrent set of a linear affine relation R can be computed as the limit of a descending Kleene sequence pre R (Z x ) ⊇ pre 2 R (Z x ) ⊇ . . .. Second, this set can be defined in Presburger arithmetic for a subclass of affine relations with the finite monoid property (Section 5.3). Finally, we relax the finite monoid condition and describe a method for generating sufficient termination conditions, i.e. sets S ∈ Z x such that S ∩ wrs(R) = ∅, for the class of polynomially bounded affine relations (Section 5.4).
Definition 5.1. Let x = x 1 , . . . , x N be a vector of variables ranging over Z. A relation R ⊆ Z x × Z x is said to be an affine relation if it can be defined by a formula R(x, x ′ ) of the form: and φ is a quantifier-free Presburger formula over unprimed variables only, called the guard of R. The formula x ′ = A × x + b, defining a linear transformation, is called the update of R.

5.1.
Background on Linear Algebra. We first recall several notions of linear algebra, needed in the following. For a comprehensive textbook on linear algebra, we refer to [37]. A complex number r is said to be a root of the unity if r d = 1 for some integer d > 0. If A ∈ Z n×n is a square matrix, and v ∈ Z n is a column vector of integer constants, then any complex number λ ∈ C such that Av = λv, for some complex vector v ∈ C n , is called an eigenvalue of A. The vector v in this case is called an eigenvector of A. It is known that the eigenvalues of A are the roots of the characteristic polynomial P A (x) = det(A − xI n ) = 0, which is an effectively computable univariate polynomial. The minimal polynomial of A is the polynomial µ A of lowest degree such that µ A (A) = 0. By the Cayley-Hamilton Theorem, the minimal polynomial always divides the characteristic polynomial, i.e. the roots of the former are root of the latter.
If λ 1 , . . . , λ m are the eigenvalues of A, then λ p 1 , . . . , λ p m are the eigenvalues of A p , for all integers p > 0. A matrix is said to be diagonalizable if and only if there exists a non-singular matrix U ∈ C N ×N and a diagonal matrix with the eigenvalues λ 1 , . . . , λ m occurring on the main diagonal, such that A = U × D × U −1 . This is the case if and only if µ A has only roots of multiplicity one. 9

Termination Preconditions for Deterministic
Relations. First, we show that the pre-image function of a deterministic relation is ∩-continuous. Since affine transformations are deterministic, this means that their weakest non-termination preconditions can be computed as limits of descending Kleene sequences. Let x be a set of variables in the following.
Lemma 5.2. Let R ⊆ Z x × Z x be a deterministic relation. Then, pre R is ∩-continuous.
Proof. Let I = {0, . . . , d}, d ∈ N ∞ , and {S i ⊆ Z x } i∈I be a potentially infinite collection of sets. We prove that: pre R ( i∈I S i ) = i∈I pre R (S i ). "⊆" By the monotonicity of pre R (Proposition 3.1), we have pre R ( i∈I S i ) ⊆ pre R (S i ) for all i ∈ I and hence, pre R ( i∈I S i ) ⊆ i∈I pre R (S i ). "⊇" Let v ∈ i∈I pre R (S i ). Then, there exists v i ∈ S i such that (v, v i ) ∈ R for all i ∈ I. Since R is deterministic, then v 0 = v i for all i ∈ I and hence v 0 ∈ i∈I S i . Consequently, v ∈ pre R ( i∈I S i ).
For the rest of this section, we extend the notion of closed form (Definition 3.8) from sequences of sets S ⊆ Z x to sequences of powers of relations R ⊆ Z x × Z x .
x, x ′ ) such that, for all n ≥ 1 and all ν, ν ′ ∈ Z x : Next, we prove that the closed form of a deterministic relation can be defined in Presburger arithmetic whenever the closed form of its update can be defined in Presburger arithmetic. Concretely, whenever the logical definition of a relation R can be split into a guard and a deterministic update, and the closed form of R can be computed based on the closed form of the update.
. , x N }, be a deterministic relation and ϕ(x) be a guard. Then the closed form of the relation defined by the formula R(x, x ′ ) ∧ ϕ(x) is: where " R is the closed form of R and y = {y 1 , . . . , y N }.
By the fact that R was assumed to be deterministic, we have Since linear affine relations are deterministic (Definition 5.1), by Lemma 5.2 they are also ∩-continuous, and the weakest recurrent set of an arbitrary linear affine relation R can be computed as wrs(R) = m≥0 pre m R (Z x ), by Lemma 3.7. Hence, the weakest recurrent set can be defined using the closed form of R: Considering that the formula defining R is of the form R u (x, x ′ ) ∧ ϕ(x) where R u (x, x ′ ) is a deterministic update and ϕ(x) is a Presburger guard, we can write the closed form of R as: x, y) ∧ ϕ(y) by Lemma 5.4. Then, the definition of the weakest recurrent set of a linear affine relation is (after the elimination of the trailing existential quantifier and renaming ℓ with k and y with x ′ ):

Finite Monoid Affine
Relations. The class of finite monoid affine relations was the first class of integer relations for which the transitive closure has been shown to be Presburger definable, by Boigelot [5]. Informally, an affine relation is a finite monoid relation if the set of powers of its transformation matrix is finite. Originally, Boigelot characterized this class by two decidable conditions in [5] (we report on these conditions in Theorem 5.5). Later, Finkel and Leroux noticed in [21] that Boigelot's conditions correspond to the finite monoid property, which is also known to be decidable [27]. Given a vector x = x 1 , . . . , x N of variables, an affine transformation where A ∈ Z N ×N , b ∈ Z N , is said to have the finite monoid property [5,21] if the monoid of powers of A, denoted as It has been shown in [21] that the finite monoid property can be equivalently characterized by the following two conditions.
Theorem 5.5 ( [5,21]). An affine transformation R(x, has the finite monoid property if and only if there exists p > 0 such that the following hold: (1) every eigenvalue of A p belongs to the set {0, 1}, and Both conditions in the above theorem are decidable [5,27]. It was shown in [5,21,10] that the closed form of (the update part of) a linear affine transformation with the finite monoid property is Presburger definable. This entails the decidability of the universal termination problem for finite monoid affine relations.
Theorem 5.6. The weakest non-termination precondition of a finite monoid affine relation is Presburger definable and effectively computable. Consequently, the termination problem is decidable for finite monoid affine relations.
Proof. Let R ⊆ Z x × Z x be a finite monoid affine relation defined by a formula R u (x, x ′ ) ∧ ϕ(x). By Equation (5.2) we have: Since both " R u (k, x, x ′ ) and ϕ(x ′ ) are Presburger formulas, wrs(R)(x) is a Presburger formula as well. Since Presburger arithmetic is decidable [35], the termination problem can be decided by checking whether wrs(R) = ∅.

Polynomially Bounded Affine Relations.
In the following, we study another subclass of affine relations with linear guards and transformation matrices whose eigenvalues are either zero or roots of the unity.
Definition 5.7. If x = x 1 , . . . , x N is a vector of variables ranging over Z, a polynomially bounded affine relation is a relation defined by a formula of the form: where A ∈ Z N ×N , C ∈ Z P ×N are matrices, and b ∈ Z N , d ∈ Z P are column vectors of integer constants, for some P > 0, and moreover, all eigenvalues of A are either zero or roots of the unity.
Note that, if A is a finite monoid matrix, then all eigenvalues of A are either zero or roots of the unity. Thus, the condition on A is weaker for polynomially bounded affine relations. However, since the guard of finite monoid relations is more general (Presburger), the two classes are incomparable. The closed form of polynomially bounded affine relations cannot be defined in Presburger arithmetic 10 , thus we renounce defining wrs(R) precisely, and content ourselves with the discovery of sufficient conditions for termination. Basically, given a linear affine relation R, we aim at finding a disjunction φ(x) of linear constraints on x, such that φ ∧ wrs(R) is inconsistent without explicitly computing wrs(R). For this, we use several existing results from linear algebra (see, e.g., [20]). In the following, it is convenient to work with the equivalent homogeneous form: The weakest recurrent set of R can be then defined as: Definition 5.8. A function f : N → C is said to be a C-finite recurrence if and only if: A C-finite recurrence always admits a closed form. 20]). The closed form of a C-finite recurrence is: where λ 1 , . . . , λ s ∈ C are non-zero distinct roots of the characteristic polynomial of f , and p 1 , . . . , p s ∈ C[n] are polynomials of degree less than the multiplicities of λ 1 , . . . , λ s , respectively.
Next, we define the closed form for the sequence of powers of A.
A − a 0 = 0 by the Cayley-Hamilton Theorem. If we define f i,j (n) = (A n ) i,j , for all n > 0, by multiplying the above equality with A n , we obtain: By Theorem 5.9, we have that (A n ) i,j = p 1,i,j (n)λ n 1 + . . . + p s,i,j (n)λ n s for some polynomials p 1,i,j , . . . , p s,i,j ∈ C[n] of degrees less than the multiplicities of λ 1 , . . . , λ s , respectively.
Lemma 5.11. Given a square matrix A ∈ Z N ×N , whose non-zero eigenvalues are all roots of the unity. Then (A n ) i,j ∈ Q[n], for all 1 ≤ i, j ≤ N , are effectively computable polynomials with rational coefficients.
Proof. Assume from now on that all non-zero eigenvalues λ 1 , . . . , λ s of A are such that λ d 1 1 = . . . = λ ds s = 1, for some integers d 1 , . . . , d s > 0. The method given in [5] for testing the finite monoid condition for A gives also bounds for d 1 , . . . , d s . Then we have λ L 1 = . . . λ L s = 1, where L = lcm(d 1 , . . . , d s ). As d 1 , . . . , d s are effectively bounded, so is L. By Corollary 5.10, we have that, if n is a multiple of L, then (A n ) i,j = p i,j (n) for some effectively computable polynomial p i,j ∈ C[n], of degree d ij > 0, i.e. for n multiple of L, A n is polynomially definable. But since p i,j (n) assumes real values in an infinity of points n = kL, k > 0, it must be that its coefficients are all real numbers, i.e. p i,j ∈ R[n]. Moreover, these coefficients are the solutions of the integer system: We turn now back to the problem of defining wrs(R) for linear affine relations R of the form (5.5). First notice that, if all non-zero eigenvalues of A are roots of the unity, then the same holds for A h (5.4). By Lemma 5.11, one can find rational polynomials p i,j (k) defining (A k h ) i,j , for all 1 ≤ i, j ≤ N . The condition (5.5) becomes a conjunction of the form: where each P i = a i,d (x)·k d +. . .+a i,1 (x)·k+a i,0 (x) is a polynomial in k whose coefficients are the linear combinations a i,d ∈ Q[x]. We are looking for a sufficient condition for termination, which is, in this case, any set of valuations of x that would invalidate (5.6). The following proposition gives sufficient invalidating clauses for each conjunct above. By taking the disjunction of all these clauses we obtain a sufficient termination condition for R.
Proof. Assuming that: ) is negative, the polynomial will assume only negative values, from some point on.
Example 5.13. Consider the following program [16], and its linear transformation matrix A.
We can generalize this method further to the case where all eigenvalues of A are of the form q · r, with q ∈ R and r ∈ C being a root of the unity 11 . The main reason for not using this condition from the beginning is that we are, to this point, unaware of its decidability status. With this condition instead, it is sufficient to consider only the eigenvalues with the maximal absolute value, and the polynomials obtained as sums of the polynomial coefficients of these eigenvalues. The result of Lemma 5.11 and the sufficient condition of Lemma 5.12 carry over when using these polynomials instead.

Termination Analysis of Integer Programs
In this section, we extend the computation of weakest non-termination preconditions from simple conjunctive loops to programs with possibly nested loops. The method described here applies the transition invariants technique, initially developed for proving program termination [34], to the computation of termination preconditions.
The method can be summarized as follows. Suppose that R is the (possibly disjunctive) transition relation of a program. Our method first computes (1) a reachability relation, defined as an over-approximation of a restriction of the transitive closure of the transition relation R + to a set Init of initial program configurations, formally Reach ⊇ {(ν, ν ′ ) | (ν, ν ′ ) ∈ R + , ν ∈ Init}, and (2) a transition invariant, defined as an over-approximation of the transitive closure of R restricted to states reachable from the set of initial configurations, formally T Inv ⊇ {(ν, ν ′ ) | (ν, ν ′ ) ∈ R + , ν ∈ R * (Init)}. Then, T Inv is over-approximated with a union R 1 ∪ · · · ∪ R m , m ≥ 1, of octagonal relations. Next, the weakest non-termination precondition wnt(R i ), 1 ≤ i ≤ m, can be computed using techniques from Sections 4 and 5. The weakest non-termination precondition of the program is then over-approximated by the pre-image of wnt(R 1 ) ∪ . . . ∪ wnt(R m ) via the reachability relation, formally Reach −1 (wnt(R 1 )∪. . .∪wnt(R m )), or equivalently, m i=1 Reach −1 (wnt(R i )). The complement of this set is then a valid termination precondition.
The technique presented in this section can be further applied to programs with (recursive) procedure calls, by using the program transformation described in [18], which turns a program P with recursive procedure calls into a program P ′ without procedures such that wrs(P ) ⊆ wrs(P ′ ). The main ingredient of this technique is the summarization of procedures, i.e. computing (an over-approximation of) the relation between the values of the input parameters and the values returned by the procedure. program can iterate the second branch y times and then iterate the third branch infinitely many times. int x,y; We view programs as control flow graphs labeled with arithmetic formulas. Figure  5(b) depicts the control flow graph of the program in Figure 5(a). We write I x 1 ,...,xm as a shorthand for m i=1 x ′ i = x i . The mechanics of our algorithm computing the weakest non-termination precondition applied on the above example are described in the following. First, we reduce the three loops Figure 5(b) into self-loops, obtaining a reduced control flow graph in Figure 5(c). Then, we compute the transitive summary relation induced by all non-trivial runs of the program starting and ending at ℓ 1 (this notion is formally defined in the next section). This relation is given in disjunctive normal form: Notice that, since ℓ 1 is the initial control state of the program, the set of valuations reached at ℓ 1 is the universal set Z x . A transition invariant of the program is the restriction of the summary relation to the reachable states, which, in this case, is [[P ]] T Inv (ℓ 1 , ℓ 1 ) = [[P ]] + (ℓ 1 , ℓ 1 ). Next, we compute the weakest non-termination precondition of each disjunct of the transition invariant, obtaining the formulas wnt(R 1 ), . . . , wnt(R 7 ) below: The disjunction of these non-termination precondition defines a set of configurations of the program, from which infinite runs, starting at ℓ 1 , are guaranteed to exist: Finally, we compute the pre-image of this set via the (reflexive and transitive) reachability relation defined as [[P ]] * (ℓ 1 , ℓ 1 ) = [[P ]] + (ℓ 1 , ℓ 1 )∨I x , obtaining thus the weakest non-termination precondition of the program: This result matches the intuition. Indeed, the program will terminate if and only if x = 0, in which case the while loop is never entered. For x = 0, the program enters the while loop and may get stuck into an infinite loop, for every initial value of y.
6.2. Syntax and Semantics. In the following, we abstract from specific programming language constructs and assume that programs are represented by control flow graphs whose edges are labeled by quantifier-free Presburger arithmetic formulas defining relations. Formally, an integer program is a tuple P = x, Q, q init , ∆ , where: • x is the set of variables of P • Q are the control states of P • ∆ is a set of transition rules q where q, q ′ ∈ Q are the source and destination states, and R(x, x ′ ) is a quantifier-free Presburger formula • q init is the initial control state of P Example 6.1. The program whose control flow graph is shown in Figure 5 A configuration of a program P = x, Q, q init , ∆ is a pair q, ν , where q ∈ Q is a control state and ν ∈ Z x is a valuation of the variables. Given two configurations q, ν and q ′ , ν ′ of a program P , the configuration q ′ , ν ′ is said to be an immediate successor of q, ν if and only if q For any k ≥ 0, a run of length k of the program P from q to q ′ is a finite sequence q 0 , ν 0 − → q 1 , ν 1 − → . . . − → q k , ν k , such that q = q 0 , q ′ = q k , and q i+1 , ν i+1 is an immediate successor of q i , ν i , for all 0 ≤ i < k. Given two configurations q, ν and q ′ , ν ′ of a program P , the configuration q ′ , ν ′ is said to be a successor of q, ν if there exists a run of length k ≥ 0 from q, ν to q ′ , ν ′ . An infinite run of a program P from a control state q is an infinite sequence q 0 , ν 0 − → q 1 , ν 1 − → . . . such that q = q 0 and q i+1 , ν i+1 is an immediate successor of q i , ν i for all i ≥ 0. The transitive closure of the transition relation [[P ]] + : (Q × Q) → 2 Z x ×Z x , the reflexive and transitive closures of the transition relation [[P ]] * : (Q × Q) → 2 Z x ×Z x , and the weakest nontermination precondition [[P ]] wnt : Q → 2 Z x of the program P are defined for each q, q ′ ∈ Q as follows: Note that the set of configurations with control state q that are reachable from q init , can be defined as the post-image of Z x via [[P ]] * (q init , q), i.e. [[P ]] * (q init , q)(Z x ). With this notation, the strongest transition invariant [[P ]] T Inv : (Q × Q) → 2 Z x ×Z x of a program P is defined for each q, q ′ ∈ Q as the restriction of the transitive closure of the transition relation to the set of reachable configurations: These are arbitrary mappings such that: for all q, q ′ ∈ Q. Any set [[P ]] T Inv ♯ that satisfies the above inclusion is called a transition invariant.
Algorithm 4 computes a sound over-approximation of the weakest non-termination precondition of an integer program. It uses a function WNT(R) to compute the weakest non-termination precondition of an octagonal, finite monoid or polynomially bounded affine relation. Based on our previous results, WNT(R) is precisely the weakest non-termination precondition, if R is octagonal (Algorithm 3) or finite monoid affine (Theorems 4.38 and 5.6, respectively), and WNT(R) is an over-approximation of the above, if R is a polynomially bounded affine relation (Equation (5.6) and Lemma 5.12). Let P = x, Q, q init , ∆ be an integer program, for which we would like to compute a non-termination precondition [[P ]] wnt ♯ (q init ). Since the set of control states of P is finite, any infinite computation of P will eventually iterate through the same state q ∈ Q infinitely often. Hence we must compute non-termination preconditions for all states q ∈ Q, i.e. sets of configurations from which a computation iterating q infinitely often is possible. For reasons of precision, here we distinguish two cases: • If q occurs within only one elementary cycle, then every infinite run involving q infinitely often must iterate this cycle. If, moreover, the composition of the relations on the cycle defines an: -octagonal relation or a finite monoid affine relation R, then we can compute wnt(R) precisely (see Theorems 4.38 and 5.6, respectively). -polynomially bounded affine relation R, then we can compute an over-approximation of wnt(R) (see Equation (5.6) and Lemma 5.12). Notice that equivalence of a formula with an octagonal constraint can be decided using integer linear programming [37], whereas the finite monoid and polynomial boundedness of an affine relation can be decided using Theorem 5.5 and the decidability of its preconditions [5,27]. (q), for every q ∈ Q. A version of this algorithm was implemented in the Flata tool [22], and is guaranteed to return the exact reflexive and transitive closures of the transition relations [[P ]] * (q init , q), and the strongest transition invariants of the program [[P ]] T Inv (q), for a specific class of programs, called flat (see Section 6.5). A formal proof of correctness of Algorithm 4 is given in Section 6.5.

Rn
− − → q is the only elementary cycle involving q in P then 5: if R defines an octagonal, fin. monoid or poly. bounded affine relation then 7: Algorithm 5 Procedure Summary Algorithm input A program P = x, Q, q init , ∆ , and distinct control states q in , q out ∈ Q output An over-approximated transitive closure [[P ]] + ♯ (q in , q out ) 1: function TransitiveRelation(P, q in , q out ) 2: if k = 0 then if k = 1 and R 1 is a finite monoid affine relation then T ← ReflexiveTransitiveClosure(H) 12: for each q 1 P − → q and q Q − → q 2 such that q ∈ {q 1 , q 2 } do 13: 6.4. Computing Transition Invariants. The core of the method for computing transition invariants, needed by the non-termination precondition Algorithm 3, is a procedure that computes, for any two control states q, q ′ ∈ Q of an integer program P = x, Q, q init , ∆ , an over-approximation [

Algorithm 5 computes the over-approximated transitive closures [[P ]] +
♯ (q, q ′ ), that are the key of our method for computing non-termination preconditions. The idea of this algorithm is to eliminate control states which are neither initial or final, while introducing new transitions labeled with compositions of relations between the remaining states. 12 In the beginning (line 2) we create a working copy P of the program by adding two fresh control statesq in ,q out ∈ Q and two copy transitionsq in Ix − → q in and q out Ix − →q out . This ensures that q in andq out do not occur within loops in P . Then we iterate the following steps, until no more states can be eliminated. For each control state with (possibly zero) self-loops labeled with relations R 1 , . . . , R k , we compute an over-approximation of the reflexive and transitive closure T = (R 1 ∨ . . . ∨ R k ) * . Three situations may arise: • if there is no such loop, i.e. k = 0, T is the identity relation.
• if there is only one such loop labeled with a finite monoid affine relation R 1 , T = R * 1 can be computed using one of the techniques from [21,5,10].
• otherwise, we compute first the octagonal hull H = (R 1 ∨. . .∨R k ) oct , and then the reflexive and transitive closure of the octagonal hull T = H * , using the algorithm described in [10]. The octagonal hull of a set is the strongest octagonal constraint that defines an overapproximation of that set. In general, the octagonal hull of a Presburger-definable set can be computed using integer linear programming [37].
Next, we compose the relation of each incoming transition q 1 R − → q with T , and with the relation of each outgoing transition q Q − → q 2 . We replace the pair of incoming and outgoing transitions with the transition q 1 P •T •Q − −−− → q 2 , which does not involve q (line 13), and, finally, we eliminate q and all transitions involving it from the program (lines [14][15]. The result is the disjunction of all relations occurring on the remaining transitions between the q in and q out states (line 16), which defines [[P ]] + ♯ (q in , q out ). The argument for proving the soundness of Algorithm 5 is that the following invariant holds, at each iteration of the main loop of the algorithm: after each elimination of a control state q from a program P (line 14), the transitive closure of the remaining program P ′ is an over-approximation of the previous one, i.e. for all q 1 , . This is the case because the summary relation: . . q 2 , ν 2 in P } induced by the set of runs between two configurations q 1 , ν 1 and q 2 , ν 2 , which visits q, is over-approximated by the composition of P , T and Q (line 13): x ′ ) It is to be noticed that each transition q 1 − → q 2 introduced at line 13 in the algorithm corresponds to a path between q 1 and q 2 in the original control flow graph of the program, which visits at least once the state q removed at line 14. A formal proof of soundness is given in Lemma 6.4. 6.5. Flat Integer Programs. In this section, we define a class of integer programs for which our method computes precisely the weakest non-termination preconditions, as formulas in Presburger arithmetic. As a consequence of the decidability of the satisfiability problem for Presburger arithmetic [35], the universal termination problem is decidable for this class. A recent result [9,8] shows that the reachability problem, i.e. the existence of a finite run between two control states, in a flat program whose transitions occurring within loops are labeled by octagonal constraints, is NP-complete. As a byproduct, we show that the non-termination problem, i.e. the existence of an infinite computation, for these programs is NP-complete as well. Definition 6.3. Let P = x, Q, q init , ∆ be an integer program. For any elementary cycle π : Then P is said to be flat if and only if: (1) each control state q ∈ Q belongs to at most one elementary cycle, (2) for each elementary cycle π in P , λ(π) defines an octagonal, or a finite monoid affine relation.
Example 1. Figure 6 depicts a flat integer programs P and its control flow graph. For simplicity, the elementary cycles have been already reduced to one transition, by composition of all the relations labeling the transitions within them. Since the labels of the self-loops are octagonal constraints, we can compute their reflexive and transitive closures precisely: 8 ) ⇔ y = y 0 Following the computation of Algorithm 4, the weakest non-termination precondition of the integer program is: )(x ′ ) Since wnt(R 2,2 ) ⇔ wnt(R 5,5 ) ⇔ false, the first two disjuncts are equivalent to false. The third disjunct, and hence wnt(P ), is equivalent to R 1,2 ⇔ y ′ 0 = y ∧ Ix,y,m,n R 2,5 ⇔ x ≥ m ∧ Ix,y,m,n,y 0 R 2,2 ⇔ x < m ∧ x ′ = x + 1 ∧ y ′ = y + 1 ∧ Im,n,y 0 R 5,8 ⇔ R 12 ⇔ x ≥ n ∧ Ix,y,m,n,y 0 R 5,5 ⇔ x < n ∧ x ′ = x + 1 ∧ y ′ = y − 1 ∧ Im,n,y 0 R 8,8 ⇔ y = y 0 ∧ Ix,y,m,n,y 0 R 8,10 ⇔ y = y 0 ∧ Ix,y,m,n,y 0 (a) (b) Figure 6. A flat integer program and its simplified control flow graph If P = x, Q, q init , ∆ is a flat program, then Algorithm 5 can be shown to return the precise transitive closures [[P ]] + (q, q ′ ), for any q, q ′ ∈ Q. Intuitively, this is the case because during the state elimination process, at any step, a state q ∈ Q that is chosen to be removed can have at most one self-loop (line 7 in Algorithm 5), which corresponds to the (at most one) elementary cycle involving q in ∆. Since, moreover the label of this cycle denotes an octagonal or finite monoid affine relation, the transitive closure of this relation can be computed as a Presburger formula, without loss of information, using the algorithm from e.g. [10]. As a direct consequence, [[P ]] * (q, q ′ ) can also be computed without loss of precision, if the program is flat. Lemma 6.4. Let P = x, Q, q init , ∆ be an integer program. Then, the result of Algorithm 5 is a Presburger formula φ(x, x ′ ) that defines an over-approximation of [[P ]] + (q in , q out ). If, moreover, P is flat, φ(x, x ′ ) defines precisely [[P ]] + .
Proof. Let P i = x, Q i , q in , ∆ i be the program P at the i-th iteration of the main loop of the algorithm, i ≥ 0, and P 0 = P . Since for all i ≥ 0, Q i+1 ⊂ Q i (line 14) it is sufficient to prove that, for all i ≥ 0 we have [[P i ]] + (q in ,q out ) ⊆ [[P i+1 ]] + (q in ,q out ). Moreover, P 0 = P (line 2) and [[P ]] + = [[P ]] + is an easy exercise. Then we obtain that, for all i ≥ 0, [[P ]] + (q in , q out ) ⊆ [[P i ]] + (q in ,q out ). The algorithm is bound to terminate, by the fact that the set of control states Q is finite and the for loop at line 3 is executed once for each control state q ∈ Q \ {q in ,q out }. Hence the result is an over-approximation of [[P ]] + .
Since the transitive closure of octagonal and finite monoid affine relations is Presburger definable (see e.g. [10]), Presburger arithmetic is closed under existential quantification, and since the octagonal hull of a Presburger formula can be computed using integer linear programming [37], it follows that the algorithm manipulates and returns only Presburger formulas.
Moreover, Algorithm 4 will also compute the weakest non-termination precondition for flat programs. Since every state occurs within at most one elementary cycle, the test on line 4 of the algorithm will succeed for every state on a loop, and since the formula defining the composition R of all relations along the cycle is equivalent to an octagonal or a finite monoid affine relation, the test on line 6 will also succeed. In this case, WNT(R) is bound to return the weakest non-termination precondition of R, thus the result of Algorithm 4 is the weakest non-termination precondition of the entire program. Lemma 6.5. Let P = x, Q, q init , ∆ be an integer program. Then, the result of Algorithm 4 is a Presburger formula φ(x, x ′ ) that defines an over-approximation of [[P ]] wnt (q init ). If, moreover, P is flat, φ(x, x ′ ) defines precisely [[P ]] wnt (q init ).
Next, suppose that P is flat. Moreover Since P is flat, [[P ]] * (q init , q) can be computed precisely as a Presburger formula, by Lemma 6.4. Moreover, R is an octagonal or a finite monoid affine relations and hence, wnt(R) can be computed precisely as a Presburger formula too, by Theorem 4.38 and 5.6. Hence, the algorithm returns a Presburger formula that precisely defines [[P ]] wnt (q init ).
If we restrict the class of flat integer programs further, by considering that only octagonal constraints appear as labels within the loops of the program, we can characterize the complexity class for the problem asking for the existence of an infinite run, within this class of programs. The result is based on a characterization of the reachability problem in this class of programs. Given a program P = x, Q, q init , ∆ and a control state q ∈ Q, the reachability problem asks for the existence of a run of P from q init to q. Theorem 6.6 ([9]). The reachability problem for the class of programs: − → q ′ is in a cycle, R is an octagonal constraint otherwise, R is a quantifier-free Presburger formulaí s NP-complete.
This result can be used in conjunction with Theorem 4.38 to obtain the following: Theorem 6.7. The problem asking for the existence of an infinite run is NP-complete for the class of programs P OCT .
Proof. Let P = x, Q, q init , ∆ be an instance of the P OCT class. Since P is a flat program, each strongly connected component consists of at most one cycle, which is elementary. Let C 1 , . . . , C k be the non-trivial elementary cycles of P , and let q 1 , . . . , q k be arbitrary control states belonging to each of these cycles, respectively. Let R i be the composition of all octagonal relations on C i starting from q i , for all i = 1, . . . , k, respectively. Since all of these relations are defined by octagonal constraints, their composition can be computed in PTIME, according to Corollary 4.24. Since PTIME ⊆ PSPACE, the sizes of R 1 , . . . , R k are at most polynomial in the size of P . Then one uses Algorithm 3 to compute wnt(R 1 ), . . . , wnt(R k ) in PTIME, respectively (Theorem 4.38). Clearly, the sizes of wnt(R 1 ), . . . , wnt(R k ) are also polynomial in the size of P . Finally, we construct P ′ = x, Q ∪ {q nt }, q init , ∆ ′ , where q nt ∈ Q is a fresh control state, and: The size of P ′ is bounded by a polynomial in the size of P , and, moreover, P has an infinite run if and only if the control state q nt is reachable by a finite run of P ′ . Hence the existence of an infinite run is in NP.
To show NP-hardness, let ϕ(x) be an arbitrary quantifier-free Presburger formula, and consider the following integer program: Clearly, the program (6.1) has an infinite run if and only if ϕ(x) is satisfiable. However, this is an NP-complete problem, since ϕ is an arbitrary quantifier-free Presburger formula.

Experiments
We have validated the methods described in this paper by automatically finding preconditions for termination of all the octagonal running examples, and of several integer programs synthesized from (i) programs with lists obtained using the translation scheme from [6] which generates an integer program from a program manipulating dynamically allocated single-selector linked lists, (ii) VHDL designs such as hardware counter and synchronous  LIFO [39], (iii) small C programs with challenging loops and (iv) small recursive Java programs from [41] translated to non-recursive programs using the procedure summarization method described in [18]. We have computed the weakest non-termination preconditions reported in Table 1 using the methods from Section 4 and 6 which we implemented in the Flata tool [22]. By computing octagonal abstractions of disjuncts of a transition invariant, we have verified universal termination of the ListCounter and ListReversal programs. Next, we have verified the Counter and SynLifo programs by computing the precise transition invariant and then the weakest non-termination precondition, which was empty in both cases. Thus, these models have infinite runs for any input values, which is to be expected as they encode the behavior of synchronous reactive circuits. Similarly, we have computed the weakest non-termination preconditions for numerical programs anubhav, cousot, leq, and plus.
Second, we have compared ( Table 2) our method for termination of polynomially bounded linear affine loops from Section 5 with the examples given in [16], and found the same termination preconditions as they do, with one exception, in which we can prove universal termination in integer input values (row 3 of Table 2).

Conclusion
We have presented several methods for deciding conditional termination of several classes of program loops manipulating integer variables. The universal termination problem has been found to be decidable for octagonal relations and linear affine loops with the finite monoid property. For the class of polynomially bounded linear affine loops, we give sufficient termination conditions. Further, we extend the computation of weakest non-termination preconditions from simple loops to general programs, and define a class of programs, called flat, for which this computation yields precise results. Finally, we have implemented our method in the Flata tool [22] and performed a number of preliminary experiments.