Difference Constraints: An adequate Abstraction for Complexity Analysis of Imperative Programs

Moritz Sinn, Florian Zuleger, Helmut Veith
TU Wien, Austria Supported by the Austrian National Research Network S11403-N23 (RiSE) of the Austrian Science Fund (FWF) and by the Vienna Science and Technology Fund (WWTF) through grants PROSEED and ICT12-059.

Abstract

Difference constraints have been used for termination analysis in the literature, where they denote relational inequalities of the form $x^{\prime}\leq y+c$ , and describe that the value of $x$ in the current state is at most the value of $y$ in the previous state plus some constant $c\in\mathbb{Z}$ . In this paper, we argue that the complexity of imperative programs typically arises from counter increments and resets, which can be modeled naturally by difference constraints. We present the first practical algorithm for the analysis of difference constraint programs and describe how C programs can be abstracted to difference constraint programs. Our approach contributes to the field of automated complexity and (resource) bound analysis by enabling automated amortized complexity analysis for a new class of programs and providing a conceptually simple program model that relates invariant- and bound analysis. We demonstrate the effectiveness of our approach through a thorough experimental comparison on real world C code: our tool Loopus computes the complexity for considerably more functions in less time than related tools from the literature.

I Introduction

Automated program analysis for inferring program complexity and (resource) bounds is a very active area of research. Amongst others, approaches have been developed for analyzing functional programs [14], C# [13], C [5, 20, 16], Java [4] and Integer Transition Systems [4, 7, 10].

Difference constraints ( $\mathit{DCs}$ ) have been introduced by Ben-Amram for termination analysis in [6], where they denote relational inequalities of the form $x^{\prime}\leq y+c$ , and describe that the value of $x$ in the current state is at most the value of $y$ in the previous state plus some constant $c\in\mathbb{Z}$ . We call a program whose transitions are given by a set of difference constraints a difference constraint program ( $\mathit{DCP}$ ).

In this paper, we advocate the use of $\mathit{DCs}$ for program complexity and (resource) bounds analysis. Our key insight is that $\mathit{DCs}$ provide a natural abstraction of the standard manipulations of counters in imperative programs: counter increments/decrements $x:=x+c$ resp. resets $x:=y$ , can be modeled by the $\mathit{DCs}$ $x^{\prime}\leq x+c$ resp. $x^{\prime}\leq y$ (see Section IV on program abstraction). In contrast, previous approaches to bound analysis can model either only resets [13, 5, 20, 4, 7, 10] or increments [16]. For this reason, we are able to design a more powerful analysis: In Section II-A we discuss that our approach achieves amortized analysis for a new class of programs. In Section II-B we describe how our approach performs invariant analysis by means of bound analysis.

In this paper, we establish the practical usefulness of $\mathit{DCs}$ for bound (and complexity) analysis of imperative programs: 1) We propose the first algorithm for bound analysis of $\mathit{DCPs}$ . Our algorithm is based on the dichotomy between increments and resets. 2) We develop appropriate techniques for abstracting C programs to $\mathit{DCPs}$ : we describe how to extract norms (integer-valued expressions on the program state) from C programs and how to use them as variables in $\mathit{DCPs}$ . We are not aware of any previous implementation of $\mathit{DCPs}$ for termination or bound analysis. 3) We demonstrate the effectiveness of our approach through a thorough experimental evaluation. We present the first comparison of bound analysis tools on source code from real software projects (see Section V). Our implementation performs significantly better in time and success rate.

II Motivation and Related Work

void foo(uint n) {
   int x = n;
   int r = 0;
 $l_{1}$   while(x > 0) {
     x = x - 1;
     r = r + 1;
 $l_{2}$     if(*) {
       int p = r;
 $l_{3}$       while(p > 0)
         p--;
       r = 0;
     }
 $l_{4}$   } }

foo(uint n, uint m1,
    uint m2) {
  int y = n;
  int x;
 $l_{1}$  if(*)
     x = m1;
   else
     x = m2;
 $l_{2}$   while(y > 0) {
     y--;
     x = x + 2; }
   int z = x;
 $l_{3}$   while(z > 0)
     z--; }

Complexity:

\mathit{T\mathcal{B}}(\tau_{5})+\mathit{T\mathcal{B}}(\tau_{3})=n+n=2n

Complexity:

\mathit{T\mathcal{B}}(\tau_{1})+\mathit{T\mathcal{B}}(\tau_{3})=\max(m_{1},m_{2})+3n

Example 1

abstracted

\mathit{DCP}

of Example 1

Example 2

abstracted

\mathit{DCP}

of Example 2

Figure 1: Running Examples, * denotes non-determinism (arising from conditions not modeled in the analysis)

II-A Amortized Complexity Analysis

Example 1 stated in Figure 1 is representative for a class of loops that we found in parsing and string matching routines during our experiments. In these loops the inner loop iterates over disjoint partitions of an array or string, where the partition sizes are determined by the program logic of the outer loop. For an illustration of this iteration scheme, we refer the reader to Example 3 stated in Appendix -A,which contains a snippet of the source code after which we have modeled Example 1. Example 1 has the linear complexity $2n$ , because the inner loop as well as the outer loop can be iterated at most $n$ times (as argued in the next paragraph). However, previous approaches to bound analysis [13, 5, 20, 16, 4, 7, 10] are only able to deduce that the inner loop can be iterated at most a quadratic number of times (with loop bound $n^{2}$ ) by the following reasoning: (1) the outer loop can be iterated at most $n$ times, (2) the inner loop can be iterated at most $n$ times within one iteration of the outer loop (because the inner loop has a local loop bound $p$ and $p\leq n$ is an invariant), (3) the loop bound $n^{2}$ is obtained from (1) and (2) by multiplication. We note that inferring the linear complexity $2n$ for Example 1, even though the inner loop can already be iterated $n$ times within one iteration of the outer loop, is an instance of amortized complexity analysis [18].

In the following, we give an overview how our approach infers the linear complexity for Example 1:
1. Program Abstraction. We abstract the program to a $\mathit{DCP}$ over $\mathbb{Z}$ as shown in Figure 1. We discuss our algorithm for abstracting imperative programs to $\mathit{DCP}$ s based on symbolic execution in Section IV.
2. Finding Local Bounds. We identify $p$ as a variable that limits the number of executions of transition $\tau_{3}$ : We have the guard $p>0$ on $\tau_{3}$ and $p$ decreases on each execution of $\tau_{3}$ . We call $p$ a local bound for $\tau_{3}$ . Accordingly we identify $x$ as a local bound for transitions $\tau_{1},\tau_{2a},\tau_{2b},\tau_{4},\tau_{5}$ .
3. Bound Analysis. Our algorithm (stated in Section III) computes transition bounds, i.e., (symbolic) upper bounds on the number of times program transitions can be executed, and variable bounds, i.e., (symbolic) upper bounds on variable values. For both types of bounds, the main idea of our algorithm is to reason how much and how often the value of the local bound resp. the variable value may increase during program run. Our algorithm is based on a mutual recursion between variable bound analysis (“how much”, function $\mathit{V\mathcal{B}}(\mathtt{v})$ ) and transition bound analysis (“how often”, function $\mathit{T\mathcal{B}}(\tau)$ ). Next, we give an intuition how our algorithm computes transition bounds: Our algorithm computes $\mathit{T\mathcal{B}}(\tau)=n$ for $\tau\in\{\tau_{1},\tau_{2a},\tau_{2b},\tau_{4},\tau_{5}\}$ because the local bound $x$ is initially set to $n$ and never increased or reset. Our algorithm computes $\mathit{T\mathcal{B}}(\tau_{3})$ ( $\tau_{3}$ corresponds to the loop at $l_{3}$ ) as follows: $\tau_{3}$ has local bound $p$ ; $p$ is reset to $r$ on $\tau_{2a}$ ; our algorithm detects that before each execution of $\tau_{2a}$ , $r$ is reset to $0$ on either $\tau_{0}$ or $\tau_{4}$ , which we call the context under which $\tau_{2a}$ is executed; our algorithm establishes that between being reset and flowing into $p$ the value of $r$ can be incremented up to $\mathit{T\mathcal{B}}(\tau_{1})$ times by $1$ ; our algorithm obtains $\mathit{T\mathcal{B}}(\tau_{1})=n$ by a recursive call; finally, our algorithm calculates $\mathit{T\mathcal{B}}(\tau_{3})=0+\mathit{T\mathcal{B}}(\tau_{1})\times 1=n$ . We give an example for the mutual recursion between $\mathit{T\mathcal{B}}$ and $\mathit{V\mathcal{B}}$ in Section II-B.

We contrast our approach for computing the loop bound of $l_{3}$ of Example 1 with classical invariant analysis: Assume ’ $c$ ’ counting the number of inner loop iterations (i.e., $c$ is initialized to 0 and incremented in the inner loop). For inferring $c<=n$ through invariant analysis the invariant $c+x+r<=n$ is needed for the outer loop, and the invariant $c+x+p<=n$ for the inner loop. Both relate 3 variables and cannot be expressed as (parametrized) octagons (e.g., [11]). Further, the expressions $c+x+r$ and $c+x+p$ do not appear in the program, which is challenging for template based approaches to invariant analysis.

II-B Invariants and Bound Analysis

We explain on Example 2 in Figure 1 how our approach performs invariant analysis by means of bound analysis. We first motivate the importance of invariant analysis for bound analysis. It is easy to infer $x$ as a bound for the possible number of iterations of the loop at $l_{3}$ . However, in order to obtain a bound in the function parameters the difficulty lies in finding an invariant $x\leq\mathtt{expr}(n,{m_{1}},{m_{2}})$ . Here, the most precise invariant $x\leq\max(m_{1},m_{2})+2n$ cannot be computed by standard abstract domains such as octagon or polyhedra: these domains are convex and cannot express non-convex relations such as maximum. The most precise approximation of $x$ in the polyhedra domain is $x\leq m_{1}+m_{2}+2n$ . Unfortunately, it is well-known that the polyhedra abstract domain does not scale to larger programs and needs to rely on heuristics for termination. Next, we explain how our approach computes invariants using bound analysis and discuss how our reasoning is substantially different from invariant analysis by abstract interpretation.

Our algorithm computes a transition bound for the loop at $l_{3}$ by $\mathit{T\mathcal{B}}(\tau_{3})=\mathit{T\mathcal{B}}(\tau_{2})\times\mathit{V\mathcal{B}}(x)=1\times\mathit{V\mathcal{B}}(x)=\mathit{V\mathcal{B}}(x)=\mathit{T\mathcal{B}}(\tau_{1})\times 2+\max(m_{1},m_{2})=(n\times\mathit{T\mathcal{B}}(\tau_{0}))\times 2+\max(m_{1},m_{2})=(n\times 1)\times 2+\max(m_{1},m_{2})=2n+\max(m_{1},m_{2})$ . We point out the mutual recursion between $\mathit{T\mathcal{B}}$ and $\mathit{V\mathcal{B}}$ : $\mathit{T\mathcal{B}}(\tau_{3})$ has called $\mathit{V\mathcal{B}}(x)$ , which in turn called $\mathit{T\mathcal{B}}(\tau_{1})$ . We highlight that the variable bound $\mathit{V\mathcal{B}}(x)$ (corresponding to the invariant $x\leq\max(m_{1},m_{2})+2n$ ) has been established during the computation of $\mathit{T\mathcal{B}}(\tau_{3})$ .

Standard abstract domains such as octagon or polyhedra propagate information forward until a fixed point is reached, greedily computing all possible invariants expressible in the abstract domain at every location of the program. In contrast, $\mathit{V\mathcal{B}}(x)$ infers the invariant $x\leq\max(m1,m2)+2n$ by modular reasoning: local information about the program (i.e., increments/resets of variables, local bounds of transitions) is combined to a global program property. Moreover, our variable and transition bound analysis is demand-driven: our algorithm performs only those recursive calls that are indeed needed to derive the desired bound. We believe that our analysis complements existing techniques for invariant analysis and will find applications outside of bound analysis.

II-C Related Work

In [6] it is shown that termination of $\mathit{DCPs}$ is undecidable in general but decidable for the natural syntactic subclass of deterministic $\mathit{DCPs}$ (see Definition 3), which is the class of $\mathit{DCPs}$ we use in this paper. It is an open question for future work whether there is a complete algorithm for bound analysis of deterministic $\mathit{DCPs}$ .

In [16] a bound analysis based on constraints of the form $x^{\prime}\leq x+c$ is proposed, where $c$ is either an integer or a symbolic constant. The resulting abstract program model is strictly less powerful than $\mathit{DCPs}$ . In [20] a bound analysis based on so-called size-change constraints $x^{\prime}\lhd y$ is proposed, where $\lhd\in\{<,\leq\}$ . Size-change constraints form a strict syntactic subclass of $\mathit{DCs}$ . However, termination is decidable even for non-deterministic size-change programs and a complete algorithm for deciding the complexity of size-change programs has been developed [9]. Because the constraints in [20, 16] are less expressive than $\mathit{DCs}$ , the resulting bound analyses cannot infer the linear complexity of Example 1 and need to rely on external techniques for invariant analysis.

In Section V we compare our implementation against the most recent approaches to automated complexity analysis [10, 7, 16]. [10] extends the COSTA approach by control flow refinement for cost equations and a better support for multi-dimensional ranking functions. The COSTA project (e.g. [4]) computes resource bounds by inferring an upper bound on the solutions of certain recurrence equations (so-called cost equations) relying on external techniques for invariant analysis (which are not explicitly discussed). The bound analysis in [7] uses approaches for computing polynomial ranking functions from the literature to derive bounds for SCCs in isolation and then expresses these bounds in terms of the function parameters using invariant analysis (see next paragraph).

The powerful idea of expressing locally computed loop bounds in terms of the function parameters by alternating between loop bound analysis and variable upper bound analysis has been explored in [7], [16] (as discussed in the extended version [17]) and [12]. We highlight some important differences to these earlier works. [7] computes upper bound invariants only for the absolute values of variables; this does, for example, not allow to distinguish between variable increments and decrements during the analysis. [17] and [12] do not give a general algorithm but deal with specific cases.

[19] discusses automatic parallelization of loop iterations; the approach builds on summarizing inner loops by multiplying the increment of a variable on a single iteration of a loop with the loop bound. The loop bounds in [19] are restricted to simple syntactic patterns.

The recent paper [8] discusses an interesting alternative for amortized complexity analysis of imperative programs: A system of linear inequalities is derived using Hoare-style proof-rules. Solutions to the system represent valid linear resource bounds. Interestingly, [8] is able to compute the linear bound for $l_{3}$ of Example 1 but fails to deduce the bound for the original source code (provided in Appendix -A).Moreover, [8] is restricted to linear bounds, while our approach derives polynomial bounds (e.g., Example B in Figure 2) which may also involve the maximum operator. An experimental comparison was not possible as [8] was developed in parallel.

III Program Model and Algorithm

In this section we present our algorithm for computing worst-case upper bounds on the number of executions of a given transition (transition bound) and on the value of a given variable (variable bound). We base our algorithm on the abstract program model of $\mathit{DCP}$ s stated in Definition 3. In Section III-B we generalize $\mathit{DCP}$ s and our algorithm to the non-well-founded domain $\mathbb{Z}$ .

Definition 1 (Variables, Symbolic Constants, Atoms).

By $\mathcal{V}$ we denote a finite set of Variables. By $\mathcal{C}$ we denote a finite set of symbolic constants. $\mathcal{A}=\mathcal{V}\cup\mathcal{C}\cup\mathbb{N}$ is the set of atoms.

Definition 2 (Difference Constraints).

A difference constraint over $\mathcal{A}$ is an inequality of form $x^{\prime}\leq y+c$ with $x\in\mathcal{V}$ , $y\in\mathcal{A}$ and $c\in\mathbb{Z}$ . We denote by $\mathcal{DC}(\mathcal{A})$ the set of all difference constraints over $\mathcal{A}$ .

Definition 3 (Difference Constraint Program).

A difference constraint program ( $\mathit{DCP}$ ) over $\mathcal{A}$ is a directed labeled graph $\Delta\mathcal{P}=(L,T,l_{b},l_{e})$ , where $L$ is a finite set of locations, $l_{b}\in L$ is the entry location, $l_{e}\in L$ is the exit location and $T\subseteq L\times 2^{\mathcal{DC}(\mathcal{A})}\times L$ is a finite set of transitions. We write $l_{1}\xrightarrow{u}l_{2}$ to denote a transition $(l_{1},u,l_{2})\in T$ labeled by a set of difference constraints $u\in 2^{\mathcal{DC}(\mathcal{A})}$ . Given a transition $\tau=l_{1}\xrightarrow{u}l_{2}\in T$ of $\Delta\mathcal{P}$ we call $l_{1}$ the source location of $\tau$ and $l_{2}$ the target location of $\tau$ . A path of $\Delta\mathcal{P}$ is a sequence $l_{0}\xrightarrow{u_{0}}l_{1}\xrightarrow{u_{1}}\cdots$ with $l_{i}\xrightarrow{u_{i}}l_{i+1}\in T$ for all $i$ . The set of valuations of $\mathcal{A}$ is the set $\mathit{Val}_{\mathcal{A}}=\mathcal{A}\rightarrow\mathbb{N}$ of mappings from $\mathcal{A}$ to the natural numbers with $\sigma(\mathtt{a})=\mathtt{a}$ if $\mathtt{a}\in\mathbb{N}$ . A run of $\Delta\mathcal{P}$ is a sequence $(l_{b},\sigma_{0})\xrightarrow{u_{0}}(l_{1},\sigma_{1})\xrightarrow{u_{1}}\cdots$ such that $l_{b}\xrightarrow{u_{0}}l_{1}\xrightarrow{u_{1}}\cdots$ is a path of $\Delta\mathcal{P}$ and for all $i$ it holds that (1) $\sigma_{i}\in\mathit{Val}_{\mathcal{A}}$ , (2) $\sigma_{i+1}(x)\leq\sigma_{i}(y)+c$ for all ${x^{\prime}\leq y+c}\in u_{i}$ , (3) $\sigma_{i}(s)=\sigma_{0}(s)$ for all $s\in\mathcal{C}$ . Given $\mathtt{v}\in\mathcal{V}$ and $l\in L$ we say that $\mathtt{v}$ is defined at $l$ and write $\mathtt{v}\in\mathcal{D}(l)$ if $l\neq l_{b}$ and for all incoming transitions ${l_{1}\xrightarrow{u}l}\in T$ of $l$ it holds that there are $\mathtt{a}\in\mathcal{A}$ and $\mathtt{c}\in\mathbb{Z}$ s.t. $\mathtt{v}^{\prime}\leq{\mathtt{a}+\mathtt{c}}\in u$ .

$\Delta\mathcal{P}$ is deterministic (fan-in-free in the terminology of [6]), if for every transition $l_{1}\xrightarrow{u}l_{2}\in T$ and every $\mathtt{v}\in\mathcal{V}$ there is at most one $\mathtt{a}\in\mathcal{A}$ and $\mathtt{c}\in\mathbb{Z}$ s.t. $\mathtt{v}^{\prime}\leq\mathtt{a}+\mathtt{c}\in u$ .

Our approach assumes the given $\mathit{DCP}$ to be deterministic. We further assume that $\mathit{DCP}$ s are well-defined: Let $\mathtt{v}\in\mathcal{V}$ and $l\in L$ , if $\mathtt{v}$ is live at $l$ then $\mathtt{v}\in\mathcal{D}(l)$ . Our abstraction algorithm from Section IV generates only deterministic and well-defined $\mathit{DCP}$ s.

Complexity:

\mathit{T\mathcal{B}}(\tau_{1})+\mathit{T\mathcal{B}}(\tau_{2})=2n

Complexity:

\mathit{T\mathcal{B}}(\tau_{1})+\mathit{T\mathcal{B}}(\tau_{2})+\mathit{T\mathcal{B}}(\tau_{3})=2n+n^{2}

Complexity:

\mathit{T\mathcal{B}}(\tau_{2})+\mathit{T\mathcal{B}}(\tau_{3})=2n

\zeta:\{\tau_{0}\mapsto 1,\tau_{1}\mapsto i,\tau_{2}\mapsto j\}

\zeta:\{\tau_{0}\mapsto 1,\tau_{1}\mapsto i,\tau_{2}\mapsto l,\tau_{3}\mapsto j\}

\zeta:\{\tau_{0}\mapsto 1,\tau_{1}\mapsto i,\tau_{3}\mapsto i,\tau_{2}\mapsto k\}

\mathit{T\mathcal{B}}(\tau_{1})=n,\mathit{T\mathcal{B}}(\tau_{2})=n

\mathit{T\mathcal{B}}(\tau_{1})=n

\mathit{T\mathcal{B}}(\tau_{2})=n

\mathit{T\mathcal{B}}(\tau_{3})=n^{2}

Def. 9:

\mathit{T\mathcal{B}}(\tau_{1})=n

\mathit{T\mathcal{B}}(\tau_{2})=n^{2}

\mathit{T\mathcal{B}}(\tau_{3})=n

Def. 11:

\mathit{T\mathcal{B}}(\tau_{1})=n

\mathit{T\mathcal{B}}(\tau_{2})=n

\mathit{T\mathcal{B}}(\tau_{3})=n

Figure 2: Example

\mathit{DCP}

’s (A), (B), (C)

In Definitions 4 to 11 we assume a $\mathit{DCP}$ $\Delta\mathcal{P}(L,T,l_{b},l_{e})$ over $\mathcal{A}$ to be given.

Definition 4 (Transition Bound).

Let $\tau\in T$ , $\tau$ is bounded iff $\tau$ appears a finite number of times on any run of $\Delta\mathcal{P}$ . An expression $\mathtt{expr}$ over $\mathcal{C}\cup\mathbb{Z}$ is a transition bound for $\tau$ iff $\tau$ is bounded and for any finite run $\rho=(l_{b},\sigma_{0})\xrightarrow{u_{0}}(l_{1},\sigma_{1})\xrightarrow{u_{1}}(l_{2},\sigma_{2})\xrightarrow{u_{2}}\dots(l_{e},\sigma_{n})$ of $\Delta\mathcal{P}$ it holds that $\tau$ appears not more than $\sigma_{0}(\mathtt{expr})$ often on $\rho$ . We say that a transition bound $\mathtt{expr}$ of $\tau$ is precise iff there is a run $\rho$ of $\Delta\mathcal{P}$ s.t. $\tau$ appears $\sigma_{0}(\mathtt{expr})$ times on $\rho$ .

We want to infer the complexity of the examples in Figure 2 (Examples A, B, C), i.e., we want to infer how often location $l_{1}$ can be visited during an execution of the program. We will do so by computing a bound on the number of times transitions $\tau_{0}$ , $\tau_{1}$ , $\tau_{2}$ and $\tau_{3}$ may be executed. In general, the complexity of a given program can be inferred by summing up the transition bounds for the back edges in the program.

Definition 5 (Counter Notation).

Let $\tau\in T$ and $\mathtt{v}\in\mathcal{V}$ . Let $\rho=(l_{b},\sigma_{0})\xrightarrow{u_{0}}(l_{1},\sigma_{1})\xrightarrow{u_{1}}\cdots(l_{e},\sigma_{n})$ be a finite run of $\Delta\mathcal{P}$ . By $\sharp(\tau,\rho)$ we denote the number of times that $\tau$ occurs on $\rho$ . By ${\downarrow}(\mathtt{v},\rho)$ we denote the number of times that the value of $\mathtt{v}$ decreases on $\rho$ , i.e. ${\downarrow}(\mathtt{v},\rho)=|\{i\mid{\sigma_{i}(\mathtt{v})>\sigma_{i+1}(\mathtt{v})}\}|$ .

Definition 6 (Local Transition Bound).

Let $\tau\in T$ and $\mathtt{v}\in\mathcal{V}$ . $\mathtt{v}$ is a local bound for $\tau$ iff on all finite runs $\rho=(l_{b},\sigma_{0})\xrightarrow{u_{0}}(l_{1},\sigma_{1})\xrightarrow{u_{1}}\cdots(l_{e},\sigma_{n})$ of $\Delta\mathcal{P}$ it holds that $\sharp(\tau,\rho)\leq{\downarrow}(\mathtt{v},\rho)$ .

We call a complete mapping $\zeta:T\rightarrow\mathcal{V}\cup\{\textbf{1}\}$ a local bound mapping for $\Delta\mathcal{P}$ if $\zeta(\tau)$ is a local bound of $\tau$ or $\zeta(\tau)=\textbf{1}$ and $\tau$ can only appear at most once on any path of $\Delta\mathcal{P}$ .

Example A: $i$ is a local bound for $\tau_{1}$ , $j$ is a local bound for $\tau_{2}$ . Example C: $i$ is a local bound for $\tau_{1}$ and for $\tau_{3}$ .

A variable $\mathtt{v}$ is a local transition bound if on any run of $\Delta\mathcal{P}$ we can traverse $\tau$ not more often than the number of times the value of $\mathtt{v}$ decreases. I.e., a local bound $\mathtt{v}$ limits the potential number of executions of $\tau$ as long as the value of $\mathtt{v}$ does not increase. In our analysis, local transition bounds play the role of potential functions in classical amortized complexity analysis [18]. Our bound algorithm is based on a mapping which assigns each transition a local bound. We discuss how we find local bounds in Section III-C.

Definition 7 (Variable Bound).

An expression $\mathtt{expr}$ over $\mathcal{C}\cup\mathbb{Z}$ is a variable bound for $\mathtt{v}\in\mathcal{V}$ iff for any finite run $\rho=(l_{b},\sigma_{0})\xrightarrow{u_{0}}(l_{1},\sigma_{1})\xrightarrow{u_{1}}(l_{2},\sigma_{2})\xrightarrow{u_{2}}\dots(l_{e},\sigma_{n})$ of $\Delta\mathcal{P}$ and all $1\leq i\leq n$ with $\mathtt{v}\in\mathcal{D}(l_{i})$ it holds that $\sigma_{i}(\mathtt{v})\leq\sigma_{0}(\mathtt{expr})$ .

Let $\mathtt{v}\in\mathcal{V}$ . Our algorithm is based on a syntactic distinction between transitions which increment $\mathtt{v}$ or reset $\mathtt{v}$ .

Definition 8 (Resets and Increments).

Let $\mathtt{v}\in\mathcal{V}$ . We define the resets $\mathcal{R}(\mathtt{v})$ and increments $\mathcal{I}(\mathtt{v})$ of $\mathtt{v}$ as follows:
$\begin{array}[]{ll}\mathcal{R}(\mathtt{v})&=\{(l_{1}\xrightarrow{u}l_{2},\mathtt{a},\mathtt{c})\in{T\times\mathcal{A}\times\mathbb{Z}}\mid\\ &\quad\quad\quad\quad\quad\quad\quad\quad\quad{\mathtt{v}^{\prime}\leq\mathtt{a}+\mathtt{c}}\in u,\mathtt{a}\neq\mathtt{v}\}\\ \mathcal{I}(\mathtt{v})&=\{(l_{1}\xrightarrow{u}l_{2},\mathtt{c})\in{T\times\mathbb{Z}}\mid{\mathtt{v}^{\prime}\leq\mathtt{v}+\mathtt{c}}\in u,\mathtt{c}>0\}\end{array}$ Given a path $\pi$ of $\Delta\mathcal{P}$ we say that $\mathtt{v}$ is reset on $\pi$ if there is a transition $\tau$ on $\pi$ such that $(\tau,\mathtt{a},\mathtt{c})\in\mathcal{R}(\mathtt{v})$ for some $\mathtt{a}\in\mathcal{A}$ and $\mathtt{c}\in\mathbb{Z}$ .

Example B: $\mathcal{I}(k)=\{(\tau_{1},1)\}$ and $\mathcal{R}(k)=\{(\tau_{0},n,0)\}$ .

I.e., we have $(\tau,\mathtt{a},\mathtt{c})\in\mathcal{R}(\mathtt{v})$ if variable $\mathtt{v}$ is reset to a value $\leq\mathtt{a}+\mathtt{c}$ when executing the transition $\tau$ . Accordingly we have $(\tau,\mathtt{c})\in\mathcal{I}(\mathtt{v})$ if variable $\mathtt{v}$ is incremented by a value $\leq\mathtt{c}$ when executing the transition $\tau$ .

Our algorithm in Definition 9 is build on a mutual recursion between the two functions $\mathit{V\mathcal{B}}(\mathtt{v})$ and $\mathit{T\mathcal{B}}(\tau)$ , where $\mathit{V\mathcal{B}}(\mathtt{v})$ infers a variable bound for $\mathtt{v}$ and $\mathit{T\mathcal{B}}(\tau)$ infers a transition bound for the transition $\tau$ .

Definition 9 (Bound Algorithm).

Let $\zeta:T\rightarrow\mathcal{V}\cup\{\textbf{1}\}$ be a local bound mapping for $\Delta\mathcal{P}$ . We define $\mathit{V\mathcal{B}}:\mathcal{A}\mapsto\mathit{Expr}(\mathcal{A})$ and $\mathit{T\mathcal{B}}:T\mapsto\mathit{Expr}(\mathcal{A})$ as:
$\mathit{V\mathcal{B}}(\mathtt{a})=\mathtt{a}$ , if $\mathtt{a}\in\mathcal{A}\setminus\mathcal{V}$ , else
$\mathit{V\mathcal{B}}(\mathtt{v})=\mathtt{Incr}(\mathtt{v})+\max\limits_{(\_,\mathtt{a},\mathtt{c})\in\mathcal{R}(\mathtt{v})}(\mathit{V\mathcal{B}}(\mathtt{a})+\mathtt{c})$

$\mathit{T\mathcal{B}}(\tau)=$	1, if $\zeta(\tau)=\textbf{1}$ , else
$\mathit{T\mathcal{B}}(\tau)=$	$\mathtt{Incr}(\zeta(\tau))$
	$+\sum\limits_{(\mathtt{t},\mathtt{a},\mathtt{c})\in\mathcal{R}(\zeta(\tau))}\mathit{T\mathcal{B}}(\mathtt{t})\times\max(\mathit{V\mathcal{B}}(\mathtt{a})+\mathtt{c},0)$

where
$\mathtt{Incr}(\mathtt{v})=\sum\limits_{(\tau,\mathtt{c})\in\mathcal{I}(\mathtt{v})}{\mathit{T\mathcal{B}}(\tau)\times\mathtt{c}}$ ( $\mathtt{Incr}(\mathtt{v})=0$ for $\mathcal{I}(\mathtt{v})=\emptyset$ )

Discussion

We first explain the subroutine $\mathtt{Incr}(\mathtt{v})$ : With $(\tau,\mathtt{c})\in\mathcal{I}(\mathtt{v})$ we have that a single execution of $\tau$ increments the value of $\mathtt{v}$ by not more than $\mathtt{c}$ . $\mathtt{Incr}(\mathtt{v})$ multiplies the transition bound of $\tau$ with the increment $\mathtt{c}$ for summarizing the total amount by which $\mathtt{v}$ may be incremented over all executions of $\tau$ . $\mathtt{Incr}(\mathtt{v})$ thus computes a bound on the total amount by which the value of $\mathtt{v}$ may be incremented during a program run.

The function $\mathit{V\mathcal{B}}(\mathtt{v})$ computes a variable bound for $\mathtt{v}$ : After executing a reset transition $(\tau,\mathtt{a},\mathtt{c})\in\mathcal{R}(\mathtt{v})$ , the value of $\mathtt{v}$ is bounded by $\mathit{V\mathcal{B}}(\mathtt{a})+\mathtt{c}$ . As long as $\mathtt{v}$ is not reset, its value cannot increase by more than $\mathtt{Incr}(\mathtt{v})$ .

The function $\mathit{T\mathcal{B}}(\tau)$ computes a transition bound for $\tau$ based on the following reasoning: (1) The total amount by which the local bound $\zeta(\tau)$ of transition $\tau$ can be incremented is bounded by $\mathtt{Incr}(\zeta(\tau))$ . (2) We consider a reset $(\mathtt{t},\mathtt{a},\mathtt{c})\in\mathcal{R}(\zeta(\tau))$ ; in the worst case, a single execution of $\mathtt{t}$ resets the local bound $\zeta(\mathtt{t})$ to $\mathit{V\mathcal{B}}(\mathtt{a})+\mathtt{c}$ , adding $\max(\mathit{V\mathcal{B}}(\mathtt{a})+\mathtt{c},0)$ to the potential number of executions of $\mathtt{t}$ ; in total all $\mathit{T\mathcal{B}}(\mathtt{t})$ possible executions of $\mathtt{t}$ add up to $\mathit{T\mathcal{B}}(\mathtt{t})\times\max(\mathit{V\mathcal{B}}(\mathtt{a})+\mathtt{c},0)$ to the potential number of executions of $\mathtt{t}$ .

Example A, $\zeta$ as defined in Figure 2: $j$ is reset to $0$ on $\tau_{0}$ and incremented by $1$ on $\tau_{1}$ . $i$ is reset to $n$ on $\tau_{0}$ . Our algorithm computes $\mathit{T\mathcal{B}}(\tau_{2})=\mathit{T\mathcal{B}}(\tau_{1})\times 1+\mathit{T\mathcal{B}}(\tau_{0})\times 0=\mathit{T\mathcal{B}}(\tau_{1})=\mathit{T\mathcal{B}}(\tau_{0})\times n=n$ . Thus the overall complexity of Example A is inferred by $\mathit{T\mathcal{B}}(\tau_{1})+\mathit{T\mathcal{B}}(\tau_{2})=2n$ .

Example B, $\zeta$ as defined in Figure 2: $i$ and $l$ are reset to $n$ on $\tau_{0}$ . Our algorithm computes $\mathit{T\mathcal{B}}(\tau_{1})=\mathit{T\mathcal{B}}(\tau_{0})\times n=n$ and $\mathit{T\mathcal{B}}(\tau_{2})=\mathit{T\mathcal{B}}(\tau_{0})\times n=n$ . $j$ is reset to $0$ on $\tau_{0}$ and reset to $k$ on $\tau_{2}$ . Our algorithm computes $\mathit{T\mathcal{B}}(\tau_{3})=\mathit{T\mathcal{B}}(\tau_{0})\times 0+\mathit{T\mathcal{B}}(\tau_{2})\times\mathit{V\mathcal{B}}(k)$ . Since $k$ is reset to $0$ on $\tau_{0}$ and incremented by $1$ on $\tau_{1}$ , our algorithm computes $\mathit{V\mathcal{B}}(k)=\mathit{T\mathcal{B}}(\tau_{1})\times 1=n\times 1=n$ . Thus $\mathit{T\mathcal{B}}(\tau_{3})=\mathit{T\mathcal{B}}(\tau_{2})\times\mathit{V\mathcal{B}}(k)=n\times n=n^{2}$ . Thus the overall complexity of Example B is inferred by $\mathit{T\mathcal{B}}(\tau_{1})+\mathit{T\mathcal{B}}(\tau_{2})+\mathit{T\mathcal{B}}(\tau_{3})=n+n+n^{2}=2n+n^{2}$ .

Example 2 (Figure 1): $\zeta=\{\tau_{0},\tau_{0_{a}},\tau_{0_{b}},\tau_{2}\mapsto 1,\tau_{1}\mapsto y,\tau_{3}\mapsto z\}$ , $\mathcal{R}(z)=\{(\tau_{2},x,0)\}$ , $\mathcal{I}(x)=\{(\tau_{1},2)\}$ , $\mathcal{R}(x)=\{(\tau_{0a},m1,0),(\tau_{0b},m2,0)\}$ , $\mathcal{R}(y)=\{(\tau_{0},n,0)\}$ . We have stated the computation of $\mathit{T\mathcal{B}}(\tau_{3})$ in Section II-B.

Termination: Our algorithm does not terminate if recursive calls cycle, i.e., if a call to $\mathit{T\mathcal{B}}(\tau)$ resp. $\mathit{V\mathcal{B}}(\mathtt{v})$ (indirectly) leads to a recursive call to $\mathit{T\mathcal{B}}(\tau)$ resp. $\mathit{V\mathcal{B}}(\mathtt{v})$ . This can be easily detected, we return the value $\bot$ (undefined).

Theorem 1 (Soundness).

Let $\Delta\mathcal{P}(L,T,l_{b},l_{e})$ be a well-defined and deterministic $\mathit{DCP}$ over atoms $\mathcal{A}$ , $\zeta:T\mapsto{\mathcal{V}\cup\{1\}}$ be a local bound mapping for $\Delta\mathcal{P}$ , $\mathtt{v}\in\mathcal{V}$ and $\tau\in T$ . Either $\mathit{T\mathcal{B}}(\tau)=\bot$ or $\mathit{T\mathcal{B}}(\tau)$ is a transition bound for $\tau$ . Either $\mathit{V\mathcal{B}}(\mathtt{v})=\bot$ or $\mathit{V\mathcal{B}}(\mathtt{v})$ is a variable bound for $\mathtt{v}$ .

III-A Context-Sensitive Bound Analysis

So far our algorithm reasons about resets occurring on single transitions. In this section we increase the precision of our analysis by exploiting the context under which resets are executed through a refined notion of resets and increments.

Definition 10 (Reset Graph).

The Reset Graph for $\Delta\mathcal{P}$ is the graph $\mathcal{G}(\mathcal{A},\mathcal{E})$ with $\mathcal{E}\subseteq\mathcal{A}\times T\times\mathbb{Z}\times\mathcal{V}$ s.t. $\mathcal{E}=\{(x,\tau,\mathtt{c},y)\mid{(\tau,y,\mathtt{c})\in\mathcal{R}(x)}\}$ . We call a finite path $\kappa=\mathtt{a}_{n}\xrightarrow{\tau_{n},c_{n}}\mathtt{a}_{n-1}\xrightarrow{\tau_{n-1},c_{n-1}}\dots\mathtt{a}_{0}$ in $\mathcal{G}$ with $n>0$ a reset path of $\Delta\mathcal{P}$ . We define $\mathit{in}(\kappa)=\mathtt{a}_{n}$ , $\mathit{c}(\kappa)=\sum\limits_{i=1}^{n}c_{i}$ , $\mathit{trn}(\kappa)=\{\tau_{n},\tau_{n-1}\dots,\tau_{1}\}$ , and $\mathit{atm}(\kappa)=\{a_{n},a_{n-1}\dots,a_{0}\}$ . $\kappa$ is sound if for all $1\leq i<n$ it holds that $\mathtt{a}_{i}$ is reset on all paths from the target location of $\tau_{1}$ to the source location of $\tau_{i}$ in $\Delta\mathcal{P}$ . $\kappa$ is optimal if $\kappa$ is sound and there is no sound reset path $\hat{\kappa}$ s.t. $\kappa$ is a suffix of $\hat{\kappa}$ , i.e., $\hat{\kappa}=\mathtt{a}_{n+k}\xrightarrow{\tau_{n+k},c_{n+k}}\mathtt{a}_{{n+k}-1}\xrightarrow{\tau_{{n+k}-1},c_{{n+k}-1}}\dots\mathtt{a}_{n}\xrightarrow{\tau_{n},c_{n}}\mathtt{a}_{n-1}\xrightarrow{\tau_{n-1},c_{n-1}}\dots\mathtt{a}_{0}$ with $k\geq 1$ . Let $\mathtt{v}\in\mathcal{V}$ , by $\mathfrak{R}(\mathtt{v})$ we denote the set of optimal reset paths ending in $\mathtt{v}$ .

We explain the notions sound and optimal in the course of the following discussion. Figure 3 shows the reset graphs of Examples A, B, C and Example 1 from Figure 1. For a given reset $(\tau,\mathtt{a},\mathtt{c})\in\mathcal{R}(\mathtt{v})$ , the reset graph determines which atom flows into variable $\mathtt{v}$ under which context. For example, consider $\mathcal{G}(C)$ : When executing the reset $(\tau_{1},r,0)\in\mathcal{R}(k)$ under the context $\tau_{3}$ , $k$ is set to $0$ , if the same reset is executed under the context $\tau_{0}$ , $k$ is set to $n$ . Note that the reset graph does not represent increments of variables. We discuss how we handle increments below.

We assume that the reset graph is a DAG. We can always force the reset graph to be a DAG by abstracting the $\mathit{DCP}$ : we remove all program variables which have cycles in the reset graph and all variables whose values depend on these variables. Note that if the reset graph is a DAG, the set $\mathfrak{R}(\mathtt{v})$ is finite for all $\mathtt{v}\in\mathcal{V}$ .


$\mathcal{G}(A)$	$\mathcal{G}(B)$	$\mathcal{G}(C)$	$\mathcal{G}(Ex1)$

Figure 3: Reset Graphs, increments by

0

are not depicted

Let $\mathtt{v}\in\mathcal{V}$ . Given a reset path $\kappa$ of length $k$ that ends in $\mathtt{v}$ , we say that $(\mathit{trn}(\kappa),\mathit{in}(\kappa),\mathit{c}(\kappa))$ is a reset of $\mathtt{v}$ with context of length $k-1$ . I.e., $\mathcal{R}(\mathtt{v})$ from Definition 8 is the set of context-free resets of $\mathtt{v}$ (context of length $0$ ), because $(\mathit{trn}(\kappa),\mathit{in}(\kappa),\mathit{c}(\kappa))\in\mathcal{R}(\mathtt{v})$ iff $\kappa$ ends in $\mathtt{v}$ and has length $1$ . Our algorithm from Definition 9 reasons context free since it uses only context-free resets.

Consider Example C. The precise bound for $\tau_{2}$ is $n$ because we can iterate $\tau_{2}$ only in the first iteration of the loop at $l_{1}$ since $r$ is reset to $0$ on $\tau_{3}$ . But when reasoning context-free, our algorithm infers a quadratic bound for $\tau_{2}$ : We assume $\zeta$ to be given as stated in Figure 2. In $\mathcal{G}(C)$ $\kappa=r\xrightarrow{\tau_{1},0}k$ is the only reset path of length $1$ ending in $k$ . Thus $\mathcal{R}(k)=\{(\tau_{1},r,0)\}$ . Our algorithm from Definition 9 computes: $\mathit{T\mathcal{B}}(\tau_{1})=\mathit{T\mathcal{B}}(\tau_{0})\times n=n$ , $\mathit{V\mathcal{B}}(r)=\mathit{T\mathcal{B}}(\tau_{0})\times n+\mathit{T\mathcal{B}}(\tau_{3})\times 0=n$ , $\mathit{T\mathcal{B}}(\tau_{2})=\mathit{T\mathcal{B}}(\tau_{1})\times\mathit{V\mathcal{B}}(r)=n\times n=n^{2}$ .

We show how our algorithm infers the linear bound for $\tau_{2}$ when using resets with context: If we consider $\kappa$ with contexts, we get $\kappa_{1}=0\xrightarrow{\tau_{3},0}r\xrightarrow{\tau_{1},0}k$ and $\kappa_{2}=n\xrightarrow{\tau_{0},0}r\xrightarrow{\tau_{1},0}k$ . Note that $\kappa_{1}$ and $\kappa_{2}$ are sound by Definition 10 because $r$ is reset on all paths from the target location $l_{2}$ of $\tau_{1}$ to the source location $l_{1}$ of $\tau_{1}$ in Example C (namely on $\tau_{3}$ ). Thus $\mathfrak{R}(k)=\{(\{\tau_{3},\tau_{1}\},0,0),(\{\tau_{0},\tau_{1}\},n,0)\}$ . We can compute a bound on the number of times that a sequence $\tau_{1},\tau_{2},\dots\tau_{n}$ of transitions may occur on a run by computing $\min\limits_{1\leq i\leq n}\mathit{T\mathcal{B}}(\tau_{i})$ . Thus, basing our analysis on $\mathfrak{R}(k)$ rather than $\mathcal{R}(k)$ we compute: $\mathit{T\mathcal{B}}(\tau_{2})=\min(\mathit{T\mathcal{B}}(\tau_{3}),\mathit{T\mathcal{B}}(\tau_{1}))\times 0+\min(\mathit{T\mathcal{B}}(\tau_{0}),\mathit{T\mathcal{B}}(\tau_{1}))\times n=\min(n,1)\times n=n$ .

We have demonstrated that our analysis gains precision when adding context to our notion of resets. It is, however, not sound to base the analysis on maximal reset paths (i.e., resets with maximal context) only: Consider Example B with $\zeta$ as stated in Figure 2. There are 2 maximal reset paths ending in $j$ (see $\mathcal{G}(B)$ ): $\kappa_{1}=0\xrightarrow{\tau_{0},0}j$ and $\kappa_{2}=0\xrightarrow{\tau_{0},0}k\xrightarrow{\tau_{2},0}j$ . Thus $\mathfrak{R}(j)^{\prime}=\{(\{\tau_{0},\tau_{2}\},0,0),(\{\tau_{0}\},0,0)\}$ is the set of resets of $j$ with maximal context. Using $\mathfrak{R}(j)^{\prime}$ rather than $\mathcal{R}(j)$ our algorithm computes: $\mathit{T\mathcal{B}}(\tau_{3})=\min(\mathit{T\mathcal{B}}(\tau_{0}),\mathit{T\mathcal{B}}(\tau_{2}))\times 0+\mathit{T\mathcal{B}}(\tau_{0})\times 0+\mathit{T\mathcal{B}}(\tau_{1})\times 1=\mathit{T\mathcal{B}}(\tau_{1})\times 1=n$ , but $n$ is not a transition bound for $\tau_{3}$ . The reasoning is unsound because $\kappa_{2}$ is unsound by Definition 10: $k$ is not reset on all paths from the target location $l_{1}$ of $\tau_{2}$ to the source location $l_{1}$ of $\tau_{2}$ in Example B: e.g., the path $\tau_{2}=l_{1}\xrightarrow{u_{2}}l_{1}$ of Example B does not reset $k$ .

We base our context sensitive algorithm on the set $\mathfrak{R}(\mathtt{v})$ of optimal reset paths. The optimal reset paths are those that are maximal within the sound reset paths (Definition 10).

Definition 11 (Bound Algorithm with Context).

Let $\zeta:T\rightarrow\mathcal{V}\cup\{\textbf{1}\}$ be a local bound mapping for $\Delta\mathcal{P}$ . Let $\mathit{V\mathcal{B}}:\mathcal{A}\mapsto\mathit{Expr}(\mathcal{A})$ be as defined in Definition 9. We override the definition of $\mathit{T\mathcal{B}}:T\mapsto\mathit{Expr}(\mathcal{A})$ in Definition 9 by stating:

$\mathit{T\mathcal{B}}(\tau)=$	1 if $\zeta(\tau)=\textbf{1}$ else
$\mathit{T\mathcal{B}}(\tau)=$	$\sum\limits_{\kappa\in\mathfrak{R}(\zeta(\tau))}$	$\mathit{T\mathcal{B}}(\mathit{trn}(\kappa))\times\max(\mathit{V\mathcal{B}}(\mathit{in}(\kappa))+\mathit{c}(\kappa),0)$
		$+\sum\limits_{\mathtt{a}\in\mathit{atm}(\kappa)}\mathtt{Incr}(\mathtt{a})$

where
$\mathit{T\mathcal{B}}(\{\tau_{1},\tau_{2},\dots,\tau_{n}\})=\min\limits_{1\leq i\leq n}\mathit{T\mathcal{B}}(\tau_{i})$

Discussion and Example

The main difference to the definition of $\mathit{T\mathcal{B}}(\tau)$ in Definition 9 is that the term $\mathtt{Incr}(\zeta(\tau))$ is replaced by the term $\sum\limits_{\mathtt{a}\in\mathit{atm}(\kappa)}\mathtt{Incr}(\mathtt{a})$ . Consider the abstracted $\mathit{DCP}$ of Example 1 in Figure 1. We have discussed in Section II-A that $r$ may be incremented on $\tau_{1}$ between the reset of $r$ to $0$ on $\tau_{0}$ resp. $\tau_{4}$ and the reset of $p$ to $r$ on $\tau_{2a}$ . The term $\sum\limits_{\mathtt{a}\in\mathit{atm}(\kappa)}\mathtt{Incr}(\mathtt{a})$ takes care of such increments which may increase the value that finally flows into $\zeta(\tau)$ (in the example $p$ ) when the last transition on $\kappa$ (in the example $\tau_{2a}$ ) is executed: We use the local bound mapping $\zeta=\{\tau_{0}\mapsto 1,\tau_{1}\mapsto x,\tau_{2a}\mapsto x,\tau_{2b}\mapsto x,\tau_{4}\mapsto x,\tau_{5}\mapsto x,\tau_{3}\mapsto p\}$ for Example 1. The reset graph of Example 1 is shown in Figure 3. We have $\mathfrak{R}(p)=\{0\xrightarrow{\tau_{0}}r\xrightarrow{\tau_{2a}}p,0\xrightarrow{\tau_{4}}r\xrightarrow{\tau_{2a}}p\}$ . Thus our algorithm computes $\mathit{T\mathcal{B}}(\tau_{3})=\sum\limits_{\kappa\in\mathfrak{R}(p)}\mathit{T\mathcal{B}}(\mathit{trn}(\kappa))\times\max(\mathit{V\mathcal{B}}(\mathit{in}(\kappa))+\mathit{c}(\kappa),0)+\sum\limits_{\mathtt{a}\in\mathit{atm}(\kappa)}\mathtt{Incr}(\mathtt{a})=\mathit{T\mathcal{B}}(\{\tau_{0},\tau_{2a}\})\times\max(\mathit{V\mathcal{B}}(0),0)+\mathtt{Incr}(r)+\mathit{T\mathcal{B}}(\{\tau_{4},\tau_{2a}\})\times\max(\mathit{V\mathcal{B}}(0),0)+\mathtt{Incr}(r)=2\times\mathtt{Incr}(r)=2\times\mathit{T\mathcal{B}}(\tau_{1})\times 1=2\times n$ (with $\mathit{T\mathcal{B}}(\tau_{1})=n$ ).

Complexity

In theory there can be exponentially many resets in $\mathfrak{R}(\mathtt{v})$ . In our experiments this never occurred, enumeration of (optimal) reset paths did not affect performance.

Further Optimization

We have shown in Section II that transitions $\tau_{3}$ of Example 1 has a linear bound, precisely $n$ . The Bound $2n$ that is computed by our bound algorithm from Definition 11 is linear but not precise. We compute $2n$ because $r$ appears on both reset paths of $p$ and therefore $\mathtt{Incr}(r)=n$ is added twice. However, there is only one transition ( $\tau_{2a}$ ) on which $p$ is reset to $r$ and between any two executions of $\tau_{2a}$ $r$ will be reset to $0$ . For this reason each increment of $r$ can only contribute once to the increase of the local bound $p$ of $\tau_{3}$ , and not twice. We thus suggest to further optimize our algorithm from Definition 11 by distinguishing if there is more than one way how $\mathtt{a}\in\mathit{atm}(\kappa)$ may flow into the target variable of $\kappa$ or not. We divide $\mathit{atm}(\kappa)$ into two disjoint sets $\mathit{atm}_{2}(\kappa)=\{\mathtt{a}\in\mathit{atm}(\kappa)\mid\text{more than 1 path from }\mathtt{a}\text{ to target variable of }\kappa\text{ in }\mathcal{G}(\Delta\mathcal{P})\}$ , $\mathit{atm}_{1}(\kappa)=\mathit{atm}(\kappa)\setminus\mathit{atm}_{2}(\kappa)$ . We define

$\mathit{T\mathcal{B}}(\tau)=$	( $\sum\limits_{\mathtt{a}\in\bigcup\limits_{\kappa\in\mathfrak{R}(\zeta(\tau))}\mathit{atm}_{1}(\kappa)}\mathtt{Incr}(\mathtt{a}))~+$
	$\sum\limits_{\kappa\in\mathfrak{R}(\zeta(\tau))}$	$\mathit{T\mathcal{B}}(\mathit{trn}(\kappa))\times\max(\mathit{V\mathcal{B}}(\mathit{in}(\kappa))+\mathit{c}(\kappa),0)$
		$+\sum\limits_{\mathtt{a}\in\mathit{atm}_{2}(\kappa)}\mathtt{Incr}(\mathtt{a})$

for $\zeta(\tau)\neq 1$ . Note that for Example 1 $\mathit{atm}_{1}(\kappa)=\{r\}$ and $\mathit{atm}_{2}(\kappa)=\emptyset$ for both $\kappa\in\mathfrak{R}(p)$ . Therefore $\mathit{T\mathcal{B}}(\tau_{3})=\mathcal{I}(r)=n$ with the optimization.

Theorem 2 (Soundness of Bound Algorithm with Context).

Let $\Delta\mathcal{P}(L,T,l_{b},l_{e})$ be a well-defined and deterministic $\mathit{DCP}$ over atoms $\mathcal{A}$ , $\zeta:T\mapsto{\mathcal{V}\cup\{1\}}$ be a local bound mapping for $\Delta\mathcal{P}$ , $\mathtt{v}\in\mathcal{V}$ and $\tau\in T$ . Let $\mathit{T\mathcal{B}}(\tau)$ and $\mathit{V\mathcal{B}}(\mathtt{a})$ be defined as in Definition 11. Either $\mathit{T\mathcal{B}}(\tau)=\bot$ or $\mathit{T\mathcal{B}}(\tau)$ is a transition bound for $\tau$ . Either $\mathit{V\mathcal{B}}(\mathtt{v})=\bot$ or $\mathit{V\mathcal{B}}(\mathtt{v})$ is a variable bound for $\mathtt{v}$ .

III-B $\mathit{DCP}$ s over non-well-founded domains

In real world code, many data types are not well-founded. The abstraction of a concrete program is much simpler and more information is kept if the abstract program model is not limited to a well-founded domain. Below we extend our program model from Definition 3 to the non-well-founded domain $\mathbb{Z}$ by adding guards to the transitions in the program. Interestingly our bound algorithm from Definition 9 resp. Definition 11 remains sound for the extended program model, if we adjust our notion of a local transition bound (Definition 12).

We extend the range of the valuations $\mathit{Val}_{\mathcal{A}}$ of $\mathcal{A}$ from $\mathbb{N}$ to $\mathbb{Z}$ and allow constants to be integers, i.e., we define $\mathcal{A}=\mathcal{V}\cup\mathcal{C}\cup\mathbb{Z}$ . We extend Definition 3 as follows: The transitions $T$ of a guarded $\mathit{DCP}$ $\Delta\mathcal{P}(L,T,l_{b},l_{e})$ are a subset of $L\times 2^{\mathcal{V}}\times 2^{\mathcal{DC}(\mathcal{A})}\times L$ . A sequence $(l_{b},\sigma_{0})\xrightarrow{g_{0},u_{0}}(l_{1},\sigma_{1})\xrightarrow{g_{1},u_{1}}\cdots$ is a run of $\Delta\mathcal{P}$ if it meets the conditions required in Definition 3 and additionally $\sigma_{i}(x)>0$ holds for all ${x}\in g_{i}$ . For examples see Figure 1.

Definition 12 (Local Transition Bound for $\mathit{DCP}$ s with guards).

Let $\Delta\mathcal{P}(L,T,l_{b},l_{e})$ be a $\mathit{DCP}$ with guards over $\mathcal{A}$ . Let $\tau\in T$ and $\mathtt{v}\in\mathcal{V}$ . $\mathtt{v}$ is a local bound for $\tau$ if for all finite runs $\rho=(l_{b},\sigma_{0})\xrightarrow{\tau_{0}}(l_{1},\sigma_{1})\xrightarrow{\tau_{1}}\cdots(l_{e},\sigma_{n})$ of $\Delta\mathcal{P}$ it holds that $\sharp(\tau,\rho)\leq{\downarrow}(\max(\mathtt{v},0),\rho)$ .

The algorithms in Sections III-C and IV are based on the extended program model over $\mathbb{Z}$ , it is straightforward to adjust them for $\mathit{DCP}$ s without guards.

III-C Determining Local Bounds

We call a path of a $\mathit{DCP}$ $\Delta\mathcal{P}(L,T,l_{b},l_{e})$ simple and cyclic if it has the same start- and end-location and does not visit a location twice except for the start- and end-location. Given a transition $\tau\in T$ we assign it $\mathtt{v}\in\mathcal{V}$ as local bound if for all simple and cyclic paths $\pi=l_{1}\xrightarrow{g_{1},u_{1}}l_{2}\xrightarrow{g_{2},u_{2}}...l_{n}$ ( $l_{n}=l_{1}$ ) of $\Delta\mathcal{P}$ that traverse $\tau$ it holds that (1) $\exists 0<i<n$ s.t. $\mathtt{v}\in g_{i}$ and (2) $\exists 0<i<n$ s.t. $\mathtt{v}^{\prime}\leq\mathtt{v}+\mathtt{c}\in u_{i}$ for some $\mathtt{c}<0$ . Our implementation avoids an explicit enumeration of the simple and cyclic paths of $\Delta\mathcal{P}$ by a simple data flow analysis.

IV Program Abstraction

In this section we present our concrete program model and discuss how we abstract a given program to a $\mathit{DCP}$ .

Definition 13 (Program).

Let $\Sigma$ be a set of states. The set of transition relations $\Gamma=2^{\Sigma\times\Sigma}$ is the set of relations over $\Sigma$ . A program is a directed labeled graph $\mathcal{P}=(L,E,l_{b},l_{e})$ , where $L$ is a finite set of locations, $l_{b}\in L$ is the entry location, $l_{e}\in L$ is the exit location and $E\subseteq L\times\Gamma\times L$ is a finite set of transitions. We write $l_{1}\xrightarrow{\rho}l_{2}$ to denote a transition $(l_{1},\rho,l_{2})$ .

A norm $e\in\Sigma\rightarrow\mathbb{Z}$ is a function that maps the states to the integers.

Programs are labeled transition systems over some set of states, where each transition is labeled by a transition relation that describes how the state changes along the transition. Note, that a $\mathit{DCP}$ (Definition 3) is a program by Definition 13.

Definition 14 (Transition Invariants).

Let $e_{1},e_{2},e_{3}\in\Sigma\rightarrow\mathbb{Z}$ be norms, and let $c\in\mathbb{Z}$ be some integer. We say $e_{1}^{\prime}\leq e_{2}+e_{3}$ is invariant for $l_{1}\xrightarrow{\rho}l_{2}$ , if $e_{1}(s_{2})\leq e_{2}(s_{1})+e_{3}(s_{1})$ holds for all $(s_{1},s_{2})\in\rho$ . We say $e_{1}>0$ is invariant for $l_{1}\xrightarrow{\rho}l_{2}$ , if $e_{1}(s_{1})>0$ holds for all $(s_{1},s_{2})\in\rho$ .

Definition 15 (Abstraction of a Program).

Let $\mathcal{P}=(L,E,l_{b},l_{e})$ be a program and let $\mathit{N}$ be a finite set of norms. A $\mathit{DCP}$ $\Delta\mathcal{P}=(L,E^{\prime},l_{b},l_{e})$ with atoms $\mathit{N}$ is an abstraction of the program $\mathcal{P}$ iff for each transition ${l_{1}\xrightarrow{\rho}l_{2}}\in E$ there is a transition ${l_{1}\xrightarrow{u,g}l_{2}}\in E^{\prime}$ s.t. every ${e_{1}^{\prime}\leq e_{2}+c}\in u$ is invariant for ${l_{1}\xrightarrow{\rho}l_{2}}$ and for every $e_{1}\in g$ it holds that $e_{1}>0$ is invariant for ${l_{1}\xrightarrow{\rho}l_{2}}$ .

We propose to abstract a program $\mathcal{P}=(L,E,l_{b},l_{e})$ to a $\mathit{DCP}$ $\Delta\mathcal{P}=(L,E^{\prime},l_{b},l_{e})$ as follows: Let $\mathit{N}$ be some initial set of norms.
1) For each transition ${l_{1}\xrightarrow{\rho}l_{2}}\in E$ we generate a set of difference constraints $\alpha(\rho)$ : Initially we set $\alpha(\rho)=\emptyset$ for all transitions ${l_{1}\xrightarrow{\rho}l_{2}}$ . We then repeat the following construction until the set of norms $\mathit{N}$ becomes stable: For each $e_{1}\in\mathit{N}$ and ${{l_{1}\xrightarrow{\rho}l_{2}}}\in E$ we check whether there is a difference constraint of form $e_{1}^{\prime}\leq e_{2}+\mathtt{c}$ for $e_{1}$ in $\alpha(\rho)$ . If not, we try to find a norm $e_{2}$ (possibly not yet in $\mathit{N}$ ) and a constant $\mathtt{c}\in\mathbb{Z}$ s.t. $e_{1}^{\prime}\leq e_{2}+\mathtt{c}$ is invariant for $\rho$ . If we find appropriate $e_{2}$ and $\mathtt{c}$ , we add $e_{1}^{\prime}\leq e_{2}+\mathtt{c}$ to $\alpha(\rho)$ and $e_{2}$ to $\mathit{N}$ . I.e., our transition abstraction algorithm performs a fixed point computation which might not terminate if new terms keep being added (see discussion in next section).
2) For each transition ${l_{1}\xrightarrow{\rho}l_{2}}$ we generate a set of guards $G(\rho)$ : Initially we set $G(\rho)=\emptyset$ for all transitions ${l_{1}\xrightarrow{\rho}l_{2}}$ . For each $e\in\mathit{N}$ and each transition ${l_{1}\xrightarrow{\rho}l_{2}}$ we check if $e>0$ is invariant for ${l_{1}\xrightarrow{\rho}l_{2}}$ . If so, we add $e$ to $G(\rho)$ .
3) We set $E^{\prime}=\{{l_{1}\xrightarrow{G(\rho),\alpha(\rho)}l_{2}}\mid{l_{1}\xrightarrow{\rho}l_{2}}\in E\}$ .

In the following we discuss how we implement the above sketched abstraction algorithm.

IV-A Implementation

0. Guessing the initial set of Norms.

We aim at creating a suitable abstract program for bound analysis. In our non-recursive setting, complexity evolves from iterating loops. Therefore we search for expressions which limit the number of loop iterations. For this purpose we consider conditions of form $a>b$ resp. $a\geq b$ found in loop headers or on loop-paths if they involve loop counter variables, i.e., variables which are incremented and/or decremented inside the loop. Such conditions are likely to limit the consecutive execution of single or multiple loop-paths. From each such condition we form the integer expression $b-a$ and add it to our initial set of norms. Note that on those transitions on which $a>b$ holds, $b-a>0$ must hold.

1. Abstracting Transitions.

For a given norm $e\in\mathit{N}$ and a transition ${l_{1}\xrightarrow{\rho}l_{2}}$ we derive a transition predicate ${e^{\prime}\leq e_{2}+\mathtt{c}}\in\alpha(\rho)$ as follows: We symbolically execute $\rho$ for deriving $e^{\prime}$ from $e$ . In order to keep the number of norms low, we first try
i) to find a norm $e_{2}\in\mathit{N}$ s.t. $e^{\prime}\leq e_{2}+e_{3}$ is invariant for $\rho$ where $e_{3}$ is some integer valued expression. If $e_{3}=\mathtt{c}$ for some integer $\mathtt{c}\in\mathbb{Z}$ we derive the transition predicate $e^{\prime}\leq e_{2}+\mathtt{c}$ . Else we use our bound algorithm (Section III) for over-approximating $e_{3}$ by a constant expression $k\geq e_{3}$ and infer the transition predicate $e^{\prime}\leq e_{2}+k$ where we consider $k$ to be a symbolic constant.
ii) If i) fails, we form a norm $e_{4}$ s.t. $e^{\prime}\leq e_{4}+\mathtt{c}$ by separating constant parts in the expression $e^{\prime}$ using associativity and commutativity of the addition operator. E.g., given $e^{\prime}=\mathtt{v}+5$ we set $e_{4}=\mathtt{v}$ and $\mathtt{c}=5$ . We add $e_{4}$ to $\mathit{N}$ and derive the predicate $e^{\prime}\leq e_{4}+\mathtt{c}$ .

Since case ii) triggers a recursive abstraction for the newly added norm we have to ensure the termination of our abstraction procedure: Note that we can always stop the abstraction process at any point, getting a sound abstraction of the original program. We therefore enforce termination of the abstraction algorithm by limiting the chain of recursive abstraction steps triggered by entering case ii) above: In case this limit is exceeded we remove all norms from the abstract program which form part of the limit exceeding chain of recursive abstraction steps. This also ensures well-definedness of the resulting abstract program.

Further note that the $\mathit{DCP}$ s generated by our algorithm are always deterministic: For each transition, we get at most one predicate ${e^{\prime}\leq e_{2}+\mathtt{c}}$ for each $e\in\mathit{N}$ .

2. Inferring Guards

Given a transition $l_{1}\xrightarrow{\rho}l_{2}$ and a norm $e$ , we use an SMT solver to check whether $e>0$ is invariant for $l_{1}\xrightarrow{\rho}l_{2}$ . If so, we add $e$ to $G(\rho)$ .

Non-linear Iterations.

We handle counter updates such as $x^{\prime}=2x$ or $x^{\prime}=x/2$ as discussed in [16].

V Experiments

	Succ.	$1$	$n$	$n^{2}$	$n^{3}$	$n^{>3}$	$2^{n}$	Time	TO
Loopus’15	806	205	489	97	13	2	0	15m	6
Loopus’14	431	200	188	43	0	0	0	40m	20
KoAT	430	253	138	35	2	0	2	5,6h	161
CoFloCo	386	200	148	38	0	0	0	4.7h	217

Figure 4: Tool Results on analyzing the complexity of 1659 functions in the cBench benchmark, none of the tools infers

\mathit{log}

bounds.

Implementation

We have implemented the presented algorithm into our tool Loopus [1]. Loopus reads in the LLVM [15] intermediate representation and performs an intra-procedural analysis. It is capable of computing bounds for loops as well as analyzing the complexity of non-recursive functions.

Experimental Setup

For our experimental comparison we used the program and compiler optimization benchmark Collective Benchmark [2] (cBench), which contains a total of 1027 different C files (after removing code duplicates) with 211.892 lines of code. In contrast to our earlier work we did not perform a loop bound analysis but a complexity analysis on function level. We set up the first comparison of complexity analysis tools on real world code. For comparing our new tool (Loopus’15) we chose the 3 most promising tools from recent publications: the tool KoAT implementing the approach of [7], the tool CoFloCo implementing [10] and our own earlier implementation (Loopus’14) [16]. Note that we compared against the most recent versions of KoAT and CoFloCo (download 01/23/15).¹¹1https://github.com/s-falke/kittel-koat, https://github.com/aeflores/CoFloCo The experiments were performed on a Linux system with an Intel dual-core 3.2 GHz processor and 16 GB memory. We used the following experimental set up:
1) We compiled all 1027 C files in the benchmark into the llvm intermediate representation using clang.
2) We extracted all 1751 functions which contain at least one loop using the tool llvm-extract (comes with the llvm tool suite). Extracting the functions to single files guarantees an intra-procedural setting for all tools.
3) We used the tool llvm2kittel [3] to translate the 1751 llvm modules into 1751 text files in the Integer Transition System (ITS) format read in by KoAT.
4) We used the transformation described in [10] to translate the ITS format of KoAT into the ITS format of CoFloCo. This last step is necessary because there exists no direct way of translating C or the llvm intermediate representation into the CoFloCo input format.
5) We decided to exclude the 91 recursive functions in the set because we were not able to run CoFloCo on these examples (the transformation tool does not support recursion), KoAT was not successful on any of them and Loopus does not support recursion.

In total our example set thus comprises 1659 functions.

Evaluation

Table 4 shows the results of the 4 tools on our benchmark using a time out of 60 seconds. The first column shows the number of functions which were successfully bounded by the respective tool, the last column shows the number of time outs, on the remaining examples (not shown in the table) the respective tool did not time out but was also not able compute a bound. The column Time shows the total time used by the tool to process the benchmark. Loopus’15 computes the complexity for about twice as many functions as KoAT, CoFloCo and Loopus’14 while needing an order of magnitude less time than KoAT and CoFloCo and significantly less time than Loopus’14. We conclude that our approach is both scalable and more successful than existing approaches.

Pointer and Shape Analysis

Even Loopus’15, computed bounds for only about half of the functions in the benchmark. Studying the benchmark code we concluded that for many functions pointer alias and/or shape analysis is needed for inferring functional complexity. In our experimental comparison such information was not available to the tools. Using optimistic (but unsound) assumptions on pointer aliasing and heap layout, our tool Loopus’15 was able to compute the complexity for in total 1185 out of the 1659 functions in the benchmark (using 28 minutes total time).

Amortized Complexity

During our experiments, we found 15 examples with an amortized complexity that could only be inferred by the approach presented in this paper. These examples and further experimental results can be found on [1] where our new tool is offered for download.

References

[1] http://forsyte.at/software/loopus/.
[2] http://ctuning.org/wiki/index.php/CTools:CBench.
[3] https://github.com/s-falke/llvm2kittel.
[4] E. Albert, P. Arenas, S. Genaim, G. Puebla, and D. Zanardini. Cost analysis of object-oriented bytecode programs. Theor. Comput. Sci., 413(1):142–159, 2012.
[5] C. Alias, A. Darte, P. Feautrier, and L. Gonnord. Multi-dimensional rankings, program termination, and complexity bounds of flowchart programs. In SAS, pages 117–133, 2010.
[6] A. M. Ben-Amram. Size-change termination with difference constraints. ACM Trans. Program. Lang. Syst., 30(3), 2008.
[7] M. Brockschmidt, F. Emmes, S. Falke, C. Fuhs, and J. Giesl. Alternating runtime and size complexity analysis of integer programs. In TACAS, page to appear, 2014.
[8] Q. Carbonneaux, J. Hoffmann, and Z. Shao. Compositional certified resource bounds. PLDI, 2015.
[9] T. Colcombet, L. Daviaud, and F. Zuleger. Size-change abstraction and max-plus automata. In MFCS, pages 208–219, 2014.
[10] A. Flores-Montoya and R. Hähnle. Resource analysis of complex programs with cost equations. In APLAS, pages 275–295, 2014.
[11] T. M. Gawlitza, M. D. Schwarz, and H. Seidl. Parametric strategy iteration. arXiv preprint arXiv:1406.5457, 2014.
[12] S. Gulwani and S. Juvekar. Bound analysis using backward symbolic execution. Technical Report MSR-TR-2004-95, Microsoft Research, 2009.
[13] S. Gulwani and F. Zuleger. The reachability-bound problem. In PLDI, pages 292–304, 2010.
[14] J. Hoffmann, K. Aehlig, and M. Hofmann. Multivariate amortized resource analysis. ACM Trans. Program. Lang. Syst., 34(3):14, 2012.
[15] C. Lattner and V. S. Adve. Llvm: A compilation framework for lifelong program analysis & transformation. In CGO, pages 75–88, 2004.
[16] M. Sinn, F. Zuleger, and H. Veith. A simple and scalable static analysis for bound analysis and amortized complexity analysis. In CAV, pages 745–761. Springer, 2014.
[17] M. Sinn, F. Zuleger, and H. Veith. A simple and scalable static analysis for bound analysis and amortized complexity analysis. CoRR, abs/1401.5842, 2014.
[18] R. E. Tarjan. Amortized computational complexity. SIAM Journal on Algebraic Discrete Methods, 6(2):306–318, Apr. 1985.
[19] P. Wu, A. Cohen, and D. Padua. Induction variable analysis without idiom recognition: Beyond monotonicity. In Languages and Compilers for Parallel Computing, pages 427–441. Springer, 2003.
[20] F. Zuleger, S. Gulwani, M. Sinn, and H. Veith. Bound analysis of imperative programs with the size-change abstraction. In SAS, pages 280–297, 2011.

-A Full Example

xnu(int len) {
  int beg,end,i = 0;
 $l_{1}$  while(i < len) {
    i++;
 $l_{2}$    if (*)
      end = i;
 $l_{3}$    if (*) {
      int k = beg;
 $l_{4}$      while (k < end)
        k++;
      end = i;
      beg = end;
    }
 $l_{5}$  }
}

(a) Example 3

(b) LTS of Example 3

\mathit{DCP}

for Example 3

Figure 5: Example 3 shows the code after which we have modeled Example 1, * denotes non-determinism (arising from conditions not modeled in the analysis)

Example 3 in Figure 5 contains a snippet of the source code after which we have modeled Example 1 in Figure 1. Example 3 can be found in the SPEC CPU2006 benchmark²²2https://www.spec.org/cpu2006/, in function XNU of 456.hmmer/src/masks.c. The outer loop in Example 3 partitions the interval $[0,len]$ into disjoint sub-intervals $[beg,end]$ . The inner loop iterates over the sub-intervals. Therefore the inner loop has an overall linear iteration count. Example 3 is a natural example for amortized complexity: Though a single visit to the inner loop can cost $len$ (if $beg=0$ and $end=len$ ), several visits can also not cost more than $len$ since in each visit the loop iterates over a disjoint sub-interval. I.e., the total cost $len$ of the inner loop is the amortized cost over all visits to the inner loop. To the best of our knowledge our new implementation Loopus’15 (available at [1]) is the only tool that infers the linear complexity of Example 3 without user interaction.

-A1 Abstraction

In Figure 5 (b) the labeled transition system for Example 3 is shown. We discuss how our abstraction algorithm from Section IV abstracts the example to the $\mathit{DCP}$ shown in Figure 5 (c).

Our heuristics add the expressions $l-i$ and $e-k$ generated from the conditions $k<e$ and $i<l$ to the initial set of norms $N$ . Thus our initial set of norms is $\mathit{N}=\{l-i,e-k\}$ .

•
We check how $l-i$ changes on the transitions $\rho_{0},\rho_{1},\rho_{2a},\rho_{2b},\rho_{3a},\rho_{3b},\rho_{4},\rho_{5},\rho_{6}$ :
- –
  
  $\rho_{0}$ : we derive $(l-i)^{\prime}\leq l$ (reset), we add $l$ to $N$
- –
  
  $\rho_{1}$ : we derive $(l-i)^{\prime}\leq(l-i)-1$ (negative increment)
- –
  
  $\rho_{2a},\rho_{2b},\rho_{3a},\rho_{3b},\rho_{4},\rho_{5},\rho_{6}$ : $l-i$ unchanged
•
We check how $l$ changes on the transitions $\rho_{0},\rho_{1},\rho_{2a},\rho_{2b},\rho_{3a},\rho_{3b},\rho_{4},\rho_{5},\rho_{6}$ :
- –
  
  unchanged on all transitions
•
We check how $e-k$ changes on the transitions $\rho_{3a},\rho_{4}$ ( $k$ is only defined at $l_{4}$ ):
- –
  
  $\rho_{3a}$ : we derive $(e-k)^{\prime}\leq(e-b)$ (reset), we add $(e-b)$ to $N$
- –
  
  $\rho_{4}$ : we derive $(e-k)^{\prime}\leq(e-k)-1$ (negative increment)
•
We check how $e-b$ changes on the transitions $\rho_{0},\rho_{1},\rho_{2a},\rho_{2b},\rho_{3a},\rho_{3b},\rho_{4},\rho_{5},\rho_{6}$ ::
- –
  
  $\rho_{0}$ : we derive $(e-b)^{\prime}\leq 0$ (reset)
- –
  
  $\rho_{2a}$ : we derive $(e-b)^{\prime}\leq(i-b)$ , we add $(i-b)$ to $N$
- –
  
  $\rho_{5}$ : we derive $(e-b)^{\prime}\leq 0$ (reset)
- –
  
  $\rho_{1},\rho_{2b},\rho_{3a},\rho_{3b},\rho_{4},\rho_{6}$ :: $e-b$ unchanged
•
We check how $i-b$ changes on the transitions $\rho_{0},\rho_{1},\rho_{2a},\rho_{2b},\rho_{3a},\rho_{3b},\rho_{4},\rho_{5},\rho_{6}$ :
- –
  
  $\rho_{0}$ : we derive $(i-b)^{\prime}\leq 0$ (reset)
- –
  
  $\rho_{1}$ : we derive $(i-b)^{\prime}\leq(i-b)+1$ (increment)
- –
  
  $\rho_{5}$ : we derive $(i-b)^{\prime}\leq 0$ (reset)
- –
  
  $\rho_{2a},\rho_{2b},\rho_{3a},\rho_{3b},\rho_{4},\rho_{6}$ :: unchanged
•

We have processed all norms in $N$

We infer that $\rho_{1}\models(l-i)>0$ and $\rho_{4}\models(e-k)>0$ .

The resulting $\mathit{DCP}$ is shown in Figure 5(c).

-A2 Bound Computation

\mathit{DCP}

for Example 3, variables renamed

Reset Graph

Figure 6:

We discuss how our bound algorithm from Section III infers the linear bound for the inner loop at $l_{4}$ . For ease of readability, we state the abstracted $\mathit{DCP}$ of Example 3 in Figure 6 renaming the variables by the following scheme: $\{\mathbf{p}=(e-k),\mathbf{q}=(e-b),\mathbf{r}=(i-b),\mathbf{x}=(l-i)\}$ . On the right hand side the reset graph is shown. Our Algorithm from Definition 11 now computes a bound for the example by the following reasoning:

1.

Our algorithm for determining the local bound mapping (Section III-C) assigns the following local bounds to the respective transitions $\zeta(\tau_{0})=1$ , $\zeta(\tau_{1})=\zeta(\tau_{2a})=\zeta(\tau_{2b})=\zeta(\tau_{3a})=\zeta(\tau_{3b})=\zeta(\tau_{5})=\zeta(\tau_{6})=x$ , $\zeta(\tau_{4})=p$ .
2.

$\mathfrak{R}(p)=\{0\xrightarrow{\tau_{0},0}r\xrightarrow{\tau_{2a},0}q\xrightarrow{\tau_{3a},0}p,0\xrightarrow{\tau_{5},0}r\xrightarrow{\tau_{2a},0}q\xrightarrow{\tau_{3a},0}p,0\xrightarrow{\tau_{0},0}q\xrightarrow{\tau_{3a},0}p,0\xrightarrow{\tau_{5},0}q\xrightarrow{\tau_{3a},0}p\}$
3.

We get: $\mathit{T\mathcal{B}}(\tau_{1})$ resp. $\mathit{T\mathcal{B}}(\tau_{2a})$ resp. $\mathit{T\mathcal{B}}(\tau_{2b})$ resp. $\mathit{T\mathcal{B}}(\tau_{3a})$ resp. $\mathit{T\mathcal{B}}(\tau_{3b})$ resp. $\mathit{T\mathcal{B}}(\tau_{5})$ resp. $\mathit{T\mathcal{B}}(\tau_{6})=\mathit{T\mathcal{B}}(\tau_{0})\times l=l$ (Definition 11) with $\mathit{T\mathcal{B}}(\tau_{0})=1$
4.

For $\tau_{4}$ we get: $\mathit{T\mathcal{B}}(\tau_{4})=\mathit{T\mathcal{B}}(\tau_{0},\tau_{2a},\tau_{3a})\times 0+\mathit{T\mathcal{B}}(\tau_{1})\times 1+\mathit{T\mathcal{B}}(\tau_{5},\tau_{2a},\tau_{3a})\times 0+\mathit{T\mathcal{B}}(\tau_{1})\times 1+\mathit{T\mathcal{B}}(\tau_{0},\tau_{3a})\times 0+\mathit{T\mathcal{B}}(\tau_{5},\tau_{3a})\times 0=n\times 1+n\times 1=2n$ (Definition 11) with $\mathit{T\mathcal{B}}(\tau_{1})=n$
5.

We get the precise bound $n$ for $\tau_{4}$ when applying the optimization presented in the discussion under Definition 11: For all $\kappa\in\mathfrak{R}(p)$ we have $\mathit{atm}_{1}(\kappa)=\{r,q\}$ and $\mathit{atm}_{2}(\kappa)=\emptyset$ . Therefore $\mathit{T\mathcal{B}}(\tau_{4})=\mathit{T\mathcal{B}}(\tau_{1})\times 1+\mathit{T\mathcal{B}}(\tau_{0},\tau_{2a},\tau_{3a})\times 0+\mathit{T\mathcal{B}}(\tau_{5},\tau_{2a},\tau_{3a})\times 0+\mathit{T\mathcal{B}}(\tau_{0},\tau_{3a})\times 0+\mathit{T\mathcal{B}}(\tau_{5},\tau_{3a})\times 0=n\times 1=n$ with $\mathit{T\mathcal{B}}(\tau_{1})=n$ .

Difference Constraints: An adequate Abstraction for Complexity Analysis of Imperative Programs

Abstract

I Introduction

II Motivation and Related Work

II-A Amortized Complexity Analysis

II-B Invariants and Bound Analysis

II-C Related Work

III Program Model and Algorithm

Definition 1 (Variables, Symbolic Constants, Atoms).

Definition 2 (Difference Constraints).

Definition 3 (Difference Constraint Program).

Definition 4 (Transition Bound).

Definition 5 (Counter Notation).

Definition 6 (Local Transition Bound).

Definition 7 (Variable Bound).

Definition 8 (Resets and Increments).

Definition 9 (Bound Algorithm).

Discussion

Theorem 1 (Soundness).

III-A Context-Sensitive Bound Analysis

Definition 10 (Reset Graph).

Definition 11 (Bound Algorithm with Context).

Discussion and Example

Complexity

Further Optimization

Theorem 2 (Soundness of Bound Algorithm with Context).

III-B 𝐷𝐶𝑃\mathit{DCP}s over non-well-founded domains

Definition 12 (Local Transition Bound for 𝐷𝐶𝑃\mathit{DCP}s with guards).

III-C Determining Local Bounds

IV Program Abstraction

Definition 13 (Program).

Definition 14 (Transition Invariants).

Definition 15 (Abstraction of a Program).

IV-A Implementation

0. Guessing the initial set of Norms.

1. Abstracting Transitions.

2. Inferring Guards

Non-linear Iterations.

V Experiments

Implementation

Experimental Setup

Evaluation

Pointer and Shape Analysis

Amortized Complexity

References

-A Full Example

-A1 Abstraction

-A2 Bound Computation

III-B $\mathit{DCP}$ s over non-well-founded domains

Definition 12 (Local Transition Bound for $\mathit{DCP}$ s with guards).