Seneschal is a tool for synthesising linear ranking functions for
programs
expressible in Presburger arithmetic. The underlying method is an
extension of Podelski's
and
Rybalchenko's approach for programs encoded as systems of
linear rational inequalities. Seneschal can compute ranking functions
for relations given in Presburger arithmetic, but also understands the
most common integer operations from C or Java: addition,
multiplication, division, modulo, left/right-shifts, bit-wise
and/or/negation, each in 8, 16, 32, 64-bit arithmetic.
Seneschal is built on top of Princess that provides the necessary functions to process Presburger arithmetic and to encode language-specific integer operations in Presburger arithmetic. Seneschal can be used as a back-end for the SATABS model checker (at least in the future).
Seneschal is described in a paper published at TACAS 2010. Some benchmarks are presented here.
Seneschal is free software and distributed under GPL v3.
Suppose we want to prove termination of the following program:
int i = 0;
int j = [...];
while (i < 100 && j > 0 && j < 1000) {
i = i + j;
}
We will do this by generating a ranking
function, which is a function of the program variables that is
bounded from below, and that monotonically decreases in each loop
iteration. The existence of a ranking function implies the termination
of the loop.
\from { i; j; }
\to { i'; j'; }
\transition {
in32(i) & in32(j) & // (1)
i < 100 & j > 0 & j < 1000 & // (2)
i' = add32(i, j) & j' = j // (3)
}
The first two lines declare the variables that the program operates
on, which are i and j. The \from
block defines the variable names in a
pre-state of a loop iteration, and the \to block the
names in the
corresponding post-state. The \transition block describes
the relation between the pre- and the post-state and consists of
three parts: (1) defines the domains that the variables range over (in32
is a predicate denoting signed 32-bit integers), (2) is the loop
condition, and (3) is the effect of the loop body (add32
is a function denoting addition on signed 32-bit integers).
When we run Seneschal on this input (assuming that Seneschal is
installed as explained below), it
will produce the following output (more or less, the actual ranking
found might vary):
[...]
Loading file /tmp/test.trans
Parsing transition relation ... done
Expanding to Presburger formula ... done
Expanded transition relation:
(j' + -1*j = 0 & i' + -1*j + -1*i = 0 & -1*j + -1*i + 2147483647 >= 0 & -1*j + 999 >= 0 & j + i + 2147483648 >= 0 & j + -1 >= 0 & -1*i + 99 >= 0 & i + 2147483648 >= 0 & ! ALL (4294967296*_0 + -1*i' + j + i != 0))
Flattening ... 1 disjuncts
Generating constraints ... done
Solving ... found a solution
Minimising the solution ... done
Ranking function: -1*i
Lower bound (pre-state): -99
Lower bound (post-state): -1098
The most interesting part are the last three lines, which give the
computed ranking function. This function is simply -i,
which
decreases in each loop iteration because some positive value is added
to i in the loop body. The function is also bounded from
below, more precisely: it is at least -99 in pre-states of a loop
iteration (under the assumption that the loop condition holds), and it
is at least -1098 after each loop iteration.
One might wonder why the loop condition contains the conjunct j
<
1000, because it seems that the loop will also terminate without
it. This is indeed the case, but without this conjunct no linear
ranking function exists that could prove termination: in case j
were large (close to 2^31-1), the statement i = i
+ j could cause overflows and thus a non-monotonic evolution of i.
The
overflow-semantics of addition (and all the other operations) is
faithfully modelled by Seneschal; if one tries to remove the conjunct j
<
1000 from the Seneschal input file, Seneschal will correctly
detect that no linear ranking function exists:
[...]
Flattening ... 2 disjuncts
Generating constraints ... done
Solving ... no solution
Apart from the connectives shown in the example and the operations
given in the next section, Seneschal supports all connectives present
in Princess, e.g.: and &, or |,
negation !, implication ->,
equivalence <->, quantifiers \exists int x;
..., \forall int x;
...
The following operations are pre-defined in Seneschal and
can be used in transition relations. All of them are simply predicates
or functions
defined by axioms in Princess (in the file resources/prelude.pri),
so
that
it is easy to add further operations if necessary.
| Unbounded |
1bit (unsigned) |
8bit (signed) |
8 (unsigned) |
Other bit-widths |
|
|---|---|---|---|---|---|
| Domain predicate |
inU1 |
in8 |
inU8 |
in16,
inU16, in32, inU32, in64, inU64 |
|
| Addition |
+ |
addU1
|
add8
|
addU8
|
add16,
addU16, ... |
| Subtraction |
- |
|
sub8
|
subU8
|
sub16,
subU16, ... |
| Minus (sign-change) |
- |
|
minus8
|
minusU8
|
minus16,
minusU16,
... |
| Multiplication |
mul |
mul8
|
mulU8 |
mul16,
mulU16, ... |
|
| Division |
div |
div8 |
divU8 |
div16,
divU16, ... |
|
| Modulo |
mod |
mod |
mod |
mod |
mod |
| Bit-shift |
shiftLeft,
shiftRight |
shift8 |
shiftU8 |
shift16,
shiftU16, ... |
|
| Bit-wise and |
and |
and |
and |
and |
and |
| Bit-wise or |
or |
or |
or |
or |
or |
| Bit-wise negation |
-x-1 |
bitnegU1 |
bitneg8 |
bitnegU8 |
bitneg16,
bitnegU16, ... |
| Casts |
cast8 |
castU8 |
cast16,
castU16, ... |
Some of the operations are non-linear, e.g., mul. Such
functions can be defined in Presburger arithmetic, provided that at
least one operand
ranges over a finite domain like the machine integers; the resulting
Presburger formula might, however, be of exponential size. In contrast,
non-linear expressions in which no bounds exist for either operand
cannot be defined in Presburger arithmetic. An expression mul(x,
y) will in general cause
Seneschal to run forever, but will work just fine if assumptions are
given that restrict the value of y to some finite domain
(the smaller the domain is, the more efficient will the expression be
handled).
Division and modulo are defined such that the following formulae
hold (unless y = 0):
0 <= mod(x, y) < |y|mul(div(x, y), y) + mod(x, y) = x
-assert
for turning
off assertions (which can make a huge performance difference):Usage: seneschal <option>* <inputfile>*
Options:
[+-]assert Enable runtime assertions (default: +)
Just download one of the binaries from the list of snapshots below
and
unpack it in your favourite location on the harddisk. Seneschal is
invoked by calling the script
seneschal-*/seneschal.
This is only tested under Linux, but should work also under Windows
if Cygwin is used. Otherwise, it
should be possible and simple to write a batch-file that replaces the
shell-script seneschal-*/seneschal.
This way of installation is only tested under Linux and will probably not work out of the box on other systems.
seneschal-* directoryMakefile: the first two lines in the file
specify the location of the Princess
and Scala installations. You need to change these lines to the correct
paths on your systemmake to compile Seneschal.If everything went ok, you can call Seneschal with the command
./seneschal <inputfile>