HAL Id: hal-01188696
https://hal.univ-reunion.fr/hal-01188696v2
Submitted on 15 Nov 2018
HAL
is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
L’archive ouverte pluridisciplinaire
HAL, estdestinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.
Experiments with Non-Termination Analysis for Java Bytecode
Etienne Payet, Fausto Spoto
To cite this version:
Etienne Payet, Fausto Spoto. Experiments with Non-Termination Analysis for Java Bytecode. Fourth
Workshop on Bytecode Semantics, Verification, Analysis and Transformation (BYTECODE 2009),
Mar 2009, York, United Kingdom. pp.83–96, �10.1016/j.entcs.2009.11.016�. �hal-01188696v2�
Exper iments w ith Non-Term inat ion Ana lys is forJava Bytecode
Et ´ iennePayet
1IREMIA Universit´edeLa R´eunion
France
FaustoSpoto
2DipartimentodiInformatica Universit`adi Verona
Italy
Abstract
Non-termination analysis proves that programs, or parts of a program, do not terminate. This isimportantsince non-termination isoften an unexpected behaviour of computer programs and exposes a bug intheir code. While research has found ways of proving non-termination of logicprograms and of term rewriting systems, this ishardly the case for imperative programs. In this paper, we describe and experiment with a technique for proving non-termination of imperative, bytecode programs by relating their non-termination to that of a (constraint) logicprogram. Moreover, we show that our non-termination test effectively helps a termination test, by avoiding expensive search for termination proofs of those portions of the code where such proofs do not exist.
1 Introduct ion
Javabytecode[8]istheresu lto fthecomp i lat iono fJava ,aswe l laso fotherpro- gramm inglanguages .Itisalow- leve l ,object-or iented ,type-sa felanguagewh ichis d istr ibutedina mach ine- independentformat ,henceexecutab leond ifferentarch i- tectures .Itisthetargeto fcho iceforthecomp i lat iono fapp l icat ionsthat must bedown loadedfromthenetintoc l ientcomputersor mob i lephones . Therecent Andro idsystembyGoog le[1]usestheJavabytecodeasthetargeto fthecomp i la- t iono fAndro idprograms ,be foretrans lat ingitintoa mach ine-centeredlower- leve l bytecode .
1Email: epayet@univ-reunion.fr
2Email: fausto.spoto@univr.it
Asaconsequenceo fthew ideuseo fJavabytecode ,researchisincreas ing lyfo- cusedoncheck ing ,inanautomat icway ,thatJavabytecodeapp l icat ionsarenot harm fu l .Th isinc ludestheproo fthat ,forinstance ,theydonotoverusetheresources o fthesystem . Onesuchresourceist ime .Inpart icu lar ,proo fso fterm inat iono f Javabytecodeprogramsguaranteethattheyw i l lactua l lyterm inate .Suchproo fs areimportantfortheso ftwaredeve loper ,s incetheysupportthequa l itystandardso f h isproduct . Neverthe less ,term inat iono fcomputerprogramsbe inganundec idab le property ,theterm inat iono f many methodsrema insunprovedandsuch methods m ighthencebepotent ia l lynon-term inat ing . Ad irectproo fo fthe irnon-term inat ion becomesdes irab le ,s inceitexh ib itsanactua l ,typ ica l lyunexpectedbehav iouro fthe programando ften meansthatthenon-term inat ing methodsconta inabug . Cur- rent ly ,nosystemex iststoprovethenon-term inat iono fJavabytecode methods , s inceresearchhas ma in lybeenfocusedonproo fso fnon-term inat ionforlog icpro- grams[4, 11, 10, 2, 16, 15]andtermrewr it ingsystems[ 21, 5, 24, 22, 23, 9] .Intherecent paper[7] ,theauthorscons idernon-term inat iono fCprogramsand[ 6, 14]prov ide sometechn iquesfortest ingCprogramsthatdetecterrorssuchasprogramcrashes , assert ionv io lat ionandnon-term inat ion .In[20] ,anapproachtoautomat ica l lycheck non-term inat iono fimperat iveprogramsisintroduced ;itisbasedonthegenerat ion o finvar iantsthatareusedtoprovethatsomepotent ia lloopsareneverex ited ;the techn iqueisexper imentedonaseto fprogramswr itteninafragmento fJavaand doesnotcons iderheapdatastructures .Inth ispaper ,weprov ideanexamp lewhere ourapproachsuccess fu l lyprovesthenon-term inat iono faprogramwhereadata structureisdefined .
Th ispaperprov idesafirstexper imentat ion w iththeautomat icder ivat iono f
non-term inat ionproo fsforJavabytecodeprograms . Westartfromourprev ious
workonatoo lJu l ia+B inTermfortheterm inat ionana lys iso fJavabytecode[ 19] .
There ,wetrans latedtheor ig ina lJavabytecodeprogramP intoaconstra intlog ic
programP
CLPwhoseterm inat ionenta i lsthato fP. Here ,weshowhow ,inthose
cases whentheapprox imat iono fthebytecodesisexact,thenon-term inat iono f
P
CLPenta i lsthato fP. Hence ,weusethesametoo lasin[ 19]toprovethenon-
term inat iono fJavabytecodeprogramsbyexp lo it ingprev iousresu ltsfromnon-
term inat ionana lys iso flog icprograms[10] ;name ly ,weprovethenon-term inat iono f
P
CLPandhencein fer ,whenposs ib le ,thato fP. A lthoughtheseresu ltsarefarfrom
be ingadefin iteso lut iontotheprob lemo fnon-term inat ionana lys iso fJavabytecode
programs ,theyrepresentafirststepinthatd irect ionandh igh l ightweaknesseso fthe
currentapproach ,that mustbeso lvedi fnon-term inat ionana lys is mustbeapp l ied
torea lJavaandJavabytecodeso ftware . Notethat ,wh i leanot iono fex istent ia l
non-term inat ionforCiscons ideredin[7] ,weinsteadcons ideranot iono fun iversa l
non-term inat ionherefortheCLPprogramder ivedfromtheJavabytecodeprogram .
Th ispapera lsoshowsthatournon-term inat iontesteffect ive lyhe lpstheterm i-
nat iontestdefinedin[19] . Name ly ,weuseournon-term inat iontesttos igna ltothe
term inat ionproverin[19]thatsomec lausesinP
CLPd iverge ,sothatitisuse lessto
lookforan(o ftenexpens ive)term inat ionproo fforthem . Notethatth istechn ique
isapp l icab leandprofitab lefora l lJavabytecodeprograms ,a lsowhentheapprox i-
mat iono fthe irbytecodesisnotexactorwhena l lthe irmethodsactua l lyterm inate .
Ourterm inat iontestisapp l ied ,indeed ,totheCLP program ,whosec lauses m ight
notterm inatebecauseo ftheapprox imat ionsinducedbytheabstract ionfromPto P
CLP.
2 Comp i lat ionofJava bytecodeintoconstra intlog ic programs
Javabytecodeisalow- leve lobject-or ientedtype-sa felanguage .Itsstat icana lys is iscomp l icatedbythefactthatithasnoexp l ic itstructure ,d ifferent lyfromh igh- leve llanguages ,andthatitusesastacko ftemporaryvar iab les . Hencethenumber andtypeo fthevar iab lesared ifferentatd ifferentprogrampo intsins idethesame method .
Wehaverecent lydeve lopedastat icana lys iso fJavabytecodeprograms(and henceo fJavaprograms)thatprovestheterm inat iono f most methodso fapro- gram[19] . TheideaisthattheJavabytecodeprogramisfirsttrans latedintoits bas icb locksandthenanabstractinterpretat ion[3] ,basedonadenotat iona lseman- t icsoverthoseb locks ,isapp l iedbyus ingd ifferentabstractdoma inso fana lys is . Thelatterprov ideaconservat iveapprox imat iono fthenumer ica landstructura l constra intsonthenumbersordatastructureusedbytheprogram :afirstdoma in , forshar ing[ 13] ,determ ineswhendatastructuresboundtoprogramvar iab lesm ight sharelocat ionsontheheap ,sothatanupdateo fonevar iab le m ighta lsoaffectthe others . Th isin format ionisexp lo itedintheseconddoma in ,forcyc l ic ity[ 12] ,wh ich determ ines whenthedatastructureboundtoaprogramvar iab le m ightconta in loopso flocat ions ,sothataniterat ionoverthatdatastructurem ightnotnecessar i ly term inate . Bothk indso fin format ionarethenusedinapath- lengthdoma in[17, 19] , thatcomputesthere lat ionsh ipbetweenthes izeo fprogramvar iab lesbe foreand a ftertheexecut iono feachinstruct ioninthebytecode :thes izeorpath- lengtho f avar iab leboundtoadatastructureisthe max ima llengtho fpo intersthatone canfo l lowfromthatvar iab le ;thepath- lengtho favar iab leboundtoanarrayis thelengtho fthearray ;thepath- lengtho fanumer ica lvar iab leisitsva lue ;the path- lengtho faBoo leanvar iab leis0forfa lseand1fortrue. Theresu lto fthe path- lengthisfina l lyusedtoexpressthere lat ionsh ipbetweenthes izeo fthevar i- ab lesatthebeg inn ingandattheendo feachbas icb locko ftheprogram . Th isis wr ittenintermso faconstra intlog icprogramP
CLPoverl inearconstra ints ,whose pred icatesb(vars)correspondtoeachbas icb lockbo fPandvarsarethevar iab les atthebeg inn ingo ftheexecut iono fb. Theseapprox imat ionsbu i ldconstra intsthat arelaterusedinordertoder iveboundsontheva lueso fvar iab lesinprograms , wh ichiscruc ia lforterm inat ionandnon-term inat ionana lysestowork . The ma in resu ltprovedin[19] ,wrt .term inat ionana lys is ,isthefo l low ing :
Theorem2 .1 LetP beaJavabytecodeprogramandbabas icb locko fP.I fthe queryb(vars)hason lyterm inat ingcomputat ionsinP
CLP,fora l lfixedintegerva lues forvars,thena l lexecut ionso faJavaV irtua l Mach inestartedatbterm inate . ✷
Theconverse ,however ,doesnotho ldingenera l : wecanfindprogramsP and
abas icb lockbo fPsuchthat ,inthetrans lat ionP
CLP,pred icateb(vars)doesnot
term inateforsomefixedin it ia lintegerva luesforvars,a lthougha l lexecut ionso f
P start ingatbdoterm inate . Th isisduetotheapprox imat ionsdonedur ingthe
trans lat iono fPintoP
CLP:bothshar ingandcyc l ic ityana lysesareapprox imated , sothat ,forinstance ,theana lyserm ightnotnecessar i lyprovethatanon-cyc l ica ll ist isactua l lynon-cyc l ica l . Moreover ,somebytecodeshaveaninherent lynon- l inear behav iour ,suchasmu lt ip l icat ionsandd iv is ions ,andcannothencebeapprox imated byus ingthel inearconstra intsava i lab leforthepath- length .
Thetrans lat ionfromJavaorJavabytecodetoCLPmakesitun i formthetreat- mento fanyk indo floops : for,whileloops ,recurs ion ,loopshav ingex itcond it ions depend ingonnumer ica l ,re ferenceorBoo leanvar iab les ,loopsex it ingbecomeo fthe breakstatement ,a l lbecomealoopinthegrapho fb lockso fP
CLP. Theterm inat ion o fP
CLPcanhencebeestab l ishedinaun i formway ,a lsointhepresenceo fBoo lean var iab leass ignedins ideanifstatementandhence mak ingaloopex it .
Animportantpo intabouttheprogram P
CLPisthatitsterm inat ionis mean- ing fu lforgroundinputson ly ,wherea l lvar iab leshavebeenboundtothe irinteger path- length(Theorem2 .1) . Moreover ,thec lauseso fP
CLPareb inary,thatis ,they havetheformp(˜ X)← c ,q(˜ Y) ,w ithon lyonepred icateonther ight .
Theterm inat iono fP
CLPisprovedbytheB inTerm too lbyF . Mesnard ,that findsdecreas ing measuresacrossiterat ionso f mostloopsinP
CLP. Thecomputa- t iona lcosto fthetoo ldecreasesbyreduc ingthenumbero fc lausesinP
CLP:name ly , on lyc lausesinalooparecons idered ,s incetheycorrespondtoloopsorrecurs ion intheor ig ina lprogramP andarethosethatdeterm inetheterm inat ionornon- term inat iono ftheprogram . Moreover ,itscostisreduceda lsobydecreas ingthe ar ityo fthepred icates ,whenitisc learthattheremovedargumentsareirre levant fortheterm inat iono fthepred icates . Theseopt im isat ionsaredefinedandproved correctin[18] . Asaconsequence ,ina l lourexamp les ,theCLPprogramw i l lexpress thepath- lengthre lat ionsh ipsfortheloopso ftheprogramon ly .
A lthoughtheconverseo fTheorem2 .1doesnotho ldingenera l ,thereare many caseswhentheapprox imat iono ftheor ig ina lprogramPintopath- lengthisexact, inthesensethata l ldenotat ionsrepresentedbytheP
CLPprogramareactua ldeno- tat ionsthatrepresentrea l ,concreteexecut ionso fP. Th isisthecase ,forinstance , o ftheapprox imat ionso ftheinstruct ionsdea l ingw ithintegerva lues ,w iththeno- tab leexcept iono f mu lt ip l icat ionsandd iv is ions ;aswe l laso finstruct ionsdea l ing w ithdatastructuresthathavebeensuccess fu l lyprovedtobenon-cyc l ica lbythe cyc l ic ityana lys is .Inthosefrequentcases ,aproo fo fnon-term inat ionfortheCLP programinducesaproo fo fnon-term inat ionfortheor ig ina lJavabytecodeprogram . Inthefo l low ing ,wed iscusshowproo fso fnon-term inat ionforCLP programscan beconstructedandexemp l i fy manycaseswhenwecanconc lude(ornot)thatthe or ig ina lJavabytecodeprogramdoesnotterm inatee ither .
3 Prov ingnon-term inat ionofconstra intlog icprograms
Anon-term inat ioncr iter ionisprov idedin[10]forthestandardoperat iona lseman- t icso fconstra intlog icprogramm ing ,wherefreevar iab les mayoccurinaca l ltoa pred icate . Thespec ia l isat iono fth iscr iter iontothesemant icswecons iderinth is paper( freevar iab lesarenota l lowedinaca l ltoapred icate)isbr ieflydescr ibedin th issect ion .
Wecons iderconstra intlog icprogramsoverpath- lengthpo lyhedra(CLP(PL)) .
Welet ˜ tdenoteasequenceo fterms ,˜ X and˜ Ydenotesequenceso fd ist inctvar iab les , pandqdenotepred icatesymbo lsandcdenoteapath- lengthconstra int . Anatom hastheformp(˜ t)wherethelengtho f˜ tequa lsthear ityo fp. Aqueryhastheform p(˜ X)|c. Ac lausehastheformp(˜ X)← c ,q(˜ Y)where˜ X and˜ Yared is jo intandthe var iab lesoccurr ingincnecessar i lyoccurin ˜ X∪˜ Y. ACLP(PL)programisafin ite seto fc lauses . Weuse∃
X˜casashortcutfor∃X
1...∃X
ncwhereX
1,...,X
n:=˜ X.
Thepro ject iono fcontothesequence ˜ X isdenotedby∃
X˜candistheconstra int
∃
Var(c)\˜Xc, whereVar(c)istheseto fvar iab lesoccurr inginc. Thesetdescr ibed byaqueryQ:=p(˜ X)|c isdenotedbySet(Q) ;itcons istso fa l ltheatomso fthe formp(v(X
1),...,v (X
n))whereX
1,...,X
n:=˜ X andvisagroundso lut iono fc.
Wesaythat Set(Q)isnon-term inat ing wrt .aCLP(PL)programP whenfora l l p(v(X
1),...,v (X
n))∈Set(Q) ,thequery
p(X
1,...,X
n)|X
1=v(X
1),...,X
n=v(X
n)
isnon-term inat ingwrt .Pbyus ingthestandardsemant icso fconstra intlog icpro- grams . Th is meansthataninfin itecomputat ioncanbebu i ltforthatqueryinthe programP. Notethatwedonotcons ideranyprecedencebetweenthec lauseso fP, thatis ,weassumeanon-determ in ist icreso lut iono fapred icatew itha l lthec lauses thatdefinethatpred icate . Thefo l low ingresu ltsprov ides imp lenon-term inat ion cond it ionsforconstra intlog icprograms .
Theorem3 .1( [10])Letp(˜ X)← c ,p(˜ Y)bearecurs ivec lauseinaCLP(PL)pro- gramP. I fSet(p(˜ Y)|∃
Y˜c)⊆ Set(p(˜ X)|∃
X˜c)thenSet(p(˜ X)|∃
X˜c)isnon-
term inat ingwrt .P. ✷
Theorem3 .1meansthati ftheseto fva luesass ignedto ˜ Ybya l ltheso lut ionso fc isinc ludedintheseto fva luesass ignedto˜ X bya l ltheso lut ionso fc,thenanyva lue ass ignedto˜ X byaso lut iono fcprov idesanon-term inat inggroundquery .Indeed , intu it ive ly ,theconstra int∃
X˜cistheguardo fthec lauseandSet(p(˜ Y)|∃
Y˜c)⊆
Set(p(˜ X)|∃
X˜c) meansthateveryoutputva lueo fthec lausesat isfiesth isguard . Hence ,i fava luesat isfiestheguard ,thenitentersthec lauseandthecorrespond ing outputsat isfiestheguard ,soth isoutputcana lsoenterthec lauseandthenext outputsat isfiestheguard ,andsoon . Not icethattheconverseo ftheimp l icat ionin Theorem3 .1doesnota lwaysho ld :cons iderforinstancetherecurs ivec lausep(X)←
X ≥3,p (Y) ;wehavethatSet(p(X)|∃
XX ≥3) ,i .e .Set(p(X)|X ≥3) ,isnon- term inat ingwrt .th isc lausea lthoughSet(p(Y)|∃
YX ≥3) ,i .e .Set(p(Y)|true) , isnotinc ludedinSet(p(X)|X ≥3) .
Theorem3 .2( [10])Letq(˜ X)← c ,p(˜ Y)beac lauseinaCLP(PL)programPand Q beaquerysuchthatSet(Q)isnon-term inat ingwrt .P.I fSet(p(˜ Y)|∃
Y˜c)⊆
Set(Q)thenSet(q(˜ X)|∃
X˜c)isnon-term inat ingwrt .P. ✷ Theintu it iono fTheorem3 .2isthatanyva lueq(˜ x)inSet(q(˜ X)|∃
X˜c)sat isfies
∃
X˜c,theguardo fthec lause ,andthecorrespond ingoutputp(˜ y)isinc ludedin Set(p(˜ Y)|∃
Y˜c) . AsSet(p(˜ Y)|∃
Y˜c)⊆ Set(Q)andSet(Q)isnon-term inat ing wrt .P,thenp(˜ y)doesnotterm inatewrt .P,soq(˜ x)doesnotterm inatea lso .
Thesetheoremsprov ideas imp le mechan ismtoin fergroundnon-term inat ing
quer ies :first ,useTheorem3 .1toin feraseto fnon-term inat ingquer iesfromthe
recurs ivec lauseso ftheprogramandthencomp leteth issetw iththehe lpo fTheo- rem3 .2.
4 Prov ingnon-term inat ionofJavabytecodeprograms
Inth issect ion ,weg ivesevera lexamp leso fs ituat ionswherewecanconc ludethe non-term inat iono ftheor ig ina lprogramfromthato ftheCLP program ,aswe l las examp leswhereinsteadth isisnotposs ib le .
4 .1 Exactapprox imat ionsw ithiterat ions
Whentheapprox imat ionintoapath- lengthconstra into ftheJavabytecodeprogram Punderana lys isisexact ,aproo fo fnon-term inat iono fP
CLPisa lsoaproo fo fnon- term inat iono fP. Theforma ldefin it iono fexactrequ iresthebytecodestohavea concretebehav iourwh ichisexact ly matchedbythe irnumer ica labstract ion ,that is ,everypa iro fstatessat is fy ingtheinput/outputabstract iono fthebytecodemust correspondtoanactua l ,concretebehav iouro fthebytecode . Notethattheconverse musta lwaysho ldbythecorrectnesso ftheabstract ion .
Defin it ion4 .1 [ExactAbstract ion ]Letinsbeabytecodeinstruct ion ,forma l ised asaninput/output maponconcreteJVMstates ,asin[19] ,andletins
PLbea correctapprox imat iono fitsbehav iour ,i .e . ,aconstra intoverinputvar iab lesˇ vand outputvar iab lesˆ v. Th isapprox imat ionisexacti fandon lyi f ,fora l linputstates ˇ
σandoutputvar iab leˆ σsat is fy ingthestat icin format ionatins(numberandtype o floca lvar iab lesandstacke lements) , whenever{ˇ v→ path length(ˇ σ(v))}∪{ˆ v→
path length(ˆ σ(v))}|=ins
PLthenσ(ˇ σ)=ˆ σ. ✷ Cons iderforinstancetheprogramAdd1:
publicclassAdd1{
publicstaticvoidmain(Stringargs[]){
intk=3;
for(inti=2;i<2+k;i++);
} }
Theapprox imat iono fthebytecodeprogramcorrespond ingtoAdd1 isexact :the loopguardinvo lvestheaddbytecodeinstruct ionwhoseapprox imat ion ,asprov ided in[ 19] ,is
add
PLq=Unchanged
q(#l ,#s−2)∪{ˇ s
#s−2+ˇ s
#s−1=ˆ s
#s−2}
where #land #sarethenumbero floca lvar iab lesandstacke lementsatprogram
po intqwheretheinstruct ionoccurs ; wed ist ingu ishbetweenvar iab les vatthe
beg inn ingo ftheexecut iono fthebytecode ,wr ittenasˇ v,andvar iab lesatitsend ,
wr ittenasˆ v. Theformu laabovemeansthatadddoesnotmod i fyanyloca lvar iab le
noranystacke lementnotinvo lvedintheadd it ion ; moreover ,thenewtopo fthe
stack(ˆ s
#s−2)ho ldsava luewh ichisequa ltheadd it iono ftheformertwotopmost
stacke lements(ˇ s
#s−2andˇ s
#s−1) . Th isapprox imat ionisexacts ince ,forevery
coup leo finputstateˇ σandoutputstateˆ σsat is fy ingthestat icin format ionatth is
bytecodeandtheapprox imat ionabove ,we musthavethattheloca lvar iab leshave thesameva luesinˇ σandˆ σandthetopo fthestacko fˆ σisthesumo fthetopmost twova luesontopo fthestacko fˇ σ,sothatthosestatesaresuchthatadd
q(ˇ σ)=ˆ σ.
Thecorrespond ingCLP(PL)programAdd1
CLPis :
entry(IL2)←{IL2−OL2 =−1,−IL2≥−4,IL2≥2},entry(OL2) Thepred icateentrydenotestheentrypo into ftheloopo ftheprogram ;loca lvar iab le 2imp lementsiwh i levar iab le khasbeenremoveds inceitisirre levantforthe term inat iono ftheprogram . Th isCLP programhasbeender ivedbyus ingthe abstractinterpretat ionsc itedintheintroduct ion . Name ly ,wehaveusedthepath- lengthabstractana lys is ,wh ichhasder ivedtheconstra intIL2−OL2 =−1(thatis , loca lvar iab le2 ,wh ichisi,decreasesa longiterat ionso ftheloop)andtheconstra ints
−IL2≥−4,IL2≥2 ,wh ichprov ideboundsontheposs ib leva lueso fthatvar iab le ins idetheloop . ThatCLP programterm inates . ByTheorem2 .1weconc ludethat Add1 term inatesa lso .I fweturnAdd1 intothenon-term inat ingprogram :
publicclassAdd2{
publicstaticvoidmain(Stringargs[]){
intk=3;
for(inti=2;i<2+k;i--);
} }
wegettheCLP(PL)programAdd2
CLP:
entry(IL2)←{IL2−OL2 =1,−IL2≥−2},entry(OL2)
wh ichbyTheorem3 .1doesnotterm inatebecausetheproject iono ftheconstra int o fitsun iquec lauseontoIL2(resp .OL2)is−IL2≥−2(resp .−OL2 ≥−1)and wehave
Set(entry(OL2)|− OL2 ≥−1)⊆Set(entry(IL2)|− IL2≥−2).
Here ,wecansa fe lyconc ludethenon-term inat iono fAdd2 fromthato fAdd2
CLP. Ourtechn iqueisa lsoab letohand le morecomp l icateds ituat ions .Forinstance , i fwenestthenon-term inat ingloopo fprogramAdd2 intoaterm inat ingloop ,we get :
publicclassAdd3{
publicstaticvoidmain(Stringargs[]){
intk=3;
for(intj=0;j<10;j++)
for(inti=2;i<2+k;i--);
} }
Thecorrespond ingCLP(PL)programAdd3
CLP: entry(IL3)←{OL3 =2},b lock(OL3)
b lock(IL3)←{IL3−OL3 =1,−IL3≥−2},b lock(OL3)
doesnotterm inate . NotethattheouterloopdoesnotappearintheCLPprogram ,
s incetheex itcond it ioni≥ 2+ko ftheinnerloopisfoundtobefa lsedur ing
thepath- lengthana lys isandnoc lauseisgeneratedw ithafa lseconstra int .Indeed , suchc lausewou ldnotinfluencetheterm inat ionornon-term inat ionbehav iouro fthe program ,s inceitwou ldjuststoptheCLP reso lut ionprocess .Indeed ,byapp ly ing Theorem 3 .1totherecurs ivec lause wegetthatSet(Q)isnon-term inat ingwrt . Add3
CLPwhere
Q:=b lock(IL3)|− IL3≥−2 .
Not icethatwehavetoin feranon-term inat ingqueryo ftheform entry(··· )|···
toconc ludethenon-term inat iono fAdd3
CLPbecausetheentrypo into ftheloops o ftheprogramisthepred icateentry. Theproject iono ftheconstra into fthefirst c lauseontoOL3 isOL3 =2andwehave
Set(b lock(OL3)|OL3 =2 )⊆Set(Q).
Hence ,byTheorem3 .2app l iedtothefirstc lauseo fAdd3
CLPandtoQ,wehave thatSet(entry(IL3)|true)isnon-term inat ingwrt .Add3
CLP(wheretruedenotes thea lwayssat isfiab leconstra int) . There fore ,Add3
CLPdoesnotterm inatesowe conc ludethatAdd3 doesnotterm inatee ither .
I fwenestthenon-term inat ingloopo fprogramAdd2 intoaseparated method , suchasin :
publicclassAdd4{
publicstaticvoidloop(intk){
for(inti=2;i<2+k;i--);
} publicstaticvoidmain(Stringargs[]){
loop(3);
} }
wegettheCLP(PL)programAdd4
CLP:
entry(IL1)←{IL1−OL1 =1,−IL1≥−2},entry(OL1)
wh ichdoesnotterm inate(byTheorem3 .1) . Henceweconc ludethatAdd4 does notterm inatee ither .
4 .2 Exactapprox imat ionsw ithrecurs ion
Thefo l low ingterm inat ingJavaprograminvo lvesarecurs ive method : publicclassRec1{
publicstaticintsum(intn){
if(n<=0)return0;
elsereturnn+sum(n-1);
} publicstaticvoidmain(Stringargs[]){
sum(2);
} }
TheCLP(PL)programRec1
CLP:
entry(IL0)←{IL0−OL0 =1,IL0≥1,−IL0≥−2},entry(OL0) term inates ,hencebyTheorem2 .1weconc ludethatRec1 term inates .I fweturn Rec1intothefo l low ingnon-term inat ingprogram(wheretheprogrammerforgotthe basecaseintherecurs ive method) :
publicclassRec2{
publicstaticintsum(intn){
returnn+sum(n-1);
} publicstaticvoidmain(Stringargs[]){
sum(2);
} }
wegettheCLP(PL)programRec2
CLP:
entry(IL0)←{IL0−OL0 =1,−IL0≥−2},entry(OL0)
ByTheorem3 .1,Rec2
CLPdoesnotterm inate . Astheapprox imat iono fthebyte- codeprogramcorrespond ingtoRec2 isexact , wecansa fe lyconc ludethatRec2 doesnotterm inatee ither .
4 .3 Exactapprox imat ionsw ithdatastructures
A l lexamp lesabovedea l w ithintegerva lueson ly . Letuscons iderthefo l low ing programnow ,whereal istdatastructureisdefinedandrecurs ive lyscanned : publicclassList{
privateinthead;
privateListtail;
publicList(inthead,Listtail){
this.head=head;
this.tail=tail;
} privatevoiditer(){
if(tail!=null)iter();
} publicstaticvoidmain(Stringargs[]){
Listl=newList(0,newList(1,null));
l.iter();
} }
The methoditer( intendedtoper formaniterat ionoveral ist)conta insabugs ince itrecursonthesamel istratherthanonitsta i l( iter()insteado ftail.iter()) . Thebytecodevers iono fth isprogramhasanexactapprox imat ionasourcyc l ic ity ana lys iscorrect lyin fersthatthel istlinthe methodma in isnotcyc l ica l . The correspond ingCLP(PL)programL ist
CLP:
entry← true,entry
(truedenotesthea lwayssat isfiab leconstra int)doesnotterm inate ,hencewesa fe ly conc ludethattheprogramL istdoesnotterm inatee ither .
4 .4 Non-exactapprox imat ions
Cons iderthe mu l bytecodeinstruct ionthatremovesthetwotopoperandstack e lementsandrep lacesthemw iththeresu lto fthe ir mu lt ip l icat ion . Asthereisno l inearwayo fexpress ingaconstra intontheresu lto fthe mu lt ip l icat ion ,wejustset
mu l
PLq=Unchanged
q(#l ,#s−2)
(#land#sarethenumbero floca lvar iab lesandstacke lementsatprogrampo intq wheretheinstruct ionoccurs)mean ingthattheinstruct iondoesnotmod i fyanyloca l var iab lesnoranystacke lementwh icharenotitsoperands ;however ,noconstra int onthenewtopo fthestack(theresu lto fthemu lt ip l icat ion)isgenerated . TheJava program :
publicclassMul{
publicstaticvoidmain(Stringargs[]){
intk=3;
for(inti=2;i<2*k;i++);
} }
term inates . Not icethattheguardo ftheloopinvo lvesa mu lt ip l icat ion . Thecorre- spond ingCLP(PL)programMu l
CLP:
entry(IL2)←{IL2−OL2 =−1,IL2≥2},entry(OL2)
doesnotterm inate .Indeed ,theproject iono ftheconstra into ftheun iquec lauseo f Mu l
CLPontoIL2(resp .OL2)isIL2≥2(resp .OL2 ≥3)andwehave
Set(entry(OL2)|OL2 ≥3)⊆Set(entry(IL2)|IL2≥2).
There fore ,byTheorem3 .1,thenon-emptysetSet(entry(IL2)|IL2≥2)isnon- term inat ingwrt . Mu l
CLP. However ,thenon-term inat iono fMu l doesnotfo l low fromth isresu lt ,s inceweareus ingapprox imatedconstra ints .
Wearefac ingas im i lars ituat ionwhendea l ingw ithnumer icfie lds .The getfie ldf instruct iontakesthere ferencetoanobjectolocatedontopo fthestackandrep laces itw iththeva lueo fo .f.In[ 19]wedefined
getfie ld
PLqf=Unchanged
q(#l ,#s−1)
wheneverthefie ldfhasintegertype(#land #sarethenumbero floca lvar iab les andstacke lementsatprogrampo intqwheretheinstruct ionoccurs) . Noconstra int isgeneratedforthenewtopo ftheoperandstack(theva lueo fthefie ld)s inceits path- lengthisunknown . TheJavaprogram :
publicclassField{
privateintn=6;
publicstaticvoidmain(Stringargs[]){
Fieldf=newField();
for(inti=2;i<f.n;i++);
}
}
term inates . Thecorrespond ingCLP(PL)programF ie ld
CLP: entry(IL2)←{OL2−IL2=1},entry(OL2)
doesnotterm inateastheproject iono ftheconstra into fitsc lauseontoIL2oronto OL2 isthea lwayssat isfiab leconstra inttrueandwehave
Set(entry(OL2)|true)⊆Set(entry(IL2)|true).
5 Us ingnon-term inat ionproofstosupportterm inat ion ana lys isofJavabytecode
Acomp lete lyd ifferentuseo fournon-term inat iontestscons istsinprov ingthenon- term inat iono fc lauseso ftheP
CLPprogramgenerateddur ingtheterm inat ionana l- ys iso faJavabytecodeprogramP. Byremov ingsuchc lauses ,wh ichcannothave anyterm inat ionproo f , wehe lptheterm inat ioncheckerbys imp l i fy ingitstask . S inceournon-term inat iontestsareextreme lyeffic ient ,wh i leathoroughquestfor aterm inat ionproo fisingenera lexpens ive ,thetrade-offispos it iveandwegeta moreeffic ientterm inat ionana lys isst i l lkeep ingthesameprec is ion .
Inpart icu lar , wehaveimp lementedthenon-term inat iontestso fSect ion3to he lptheterm inat ionproverB inTermusedinthetoo lJu l ia+B inTerm[ 19] . G iven aJavabytecodeprogramP,ourapproachcons istsinapre l im inaryana lys iswh ich cons idersthestrong lyconnectedcomponents(SCCs)o fP
CLP;anySCCwherea non-term inat inggroundqueryisfoundisremovedfromP
CLPandtheresu lt ing CLP programP
CLPisana lysedbyB inTerm.
Wehaverun Ju l ia+B inTermonthefo l low ingJavabytecodeprogramsus inga L inux mach inebasedona2 .33GHzInte lCore2Duow ith2g igabyteso fRAM .
P numbero f methodsinP numbero fc lausesinP
CLPJavaCup 270 170
JLex 137 356
K itten 2149 1224
Thenexttab lesummar izestheresu lts .ForeachprogramP,itreports :thenumber o fc lausesremovedfromP
CLPbythenon-term inat ionana lys is ;thenon-term inat ion ana lys ist ime ;theB inTerm runn ingt imeonP
CLP;theB inTerm runn ingt imeon P
CLP. A l lthet imesareinseconds .
c lauses non-term inat ion B inTerm B inTerm P removed ana lys is onP
CLPonP
CLPJavaCup 113 0 .09s 3 .90s 5 .66s JLex 204 0 .20s 21 .20s 55 .30s K itten 288 0 .68s 99 .52s 100 .99s
Intheseexper imentsonlargeprograms ,thecomputat iona loverheado fthenon-
term inat ionana lys isisnotimportantandtherunn ingt imeo fB inTermissma l ler onP
CLPthanonP
CLP. ForJLex ,B inTerm is morethantw icefasteronP
CLPthanonP
CLP,asthenon-term inat ionana lys isremoves204c lausesfromP
CLPout o f356 ;amongtheremovedc lauses ,thereisahugeSCCconta in ing122c lauses wherethear ityo ftheinvo lvedpred icatesymbo lsis8 ,wh ichexp la insthega inin effic iency . Onthecontrary ,thec lausesremovedforK ittenaresevera lbutinc lude re lat ive lysma l lcomponentsandhavesma l lar ity ,sothatthega inineffic iencyis nots ign ificantthere . Th isisbecausethecosto ftheterm inat ionana lys isincreases s ign ificant lyw iththear ityo fthepred icatesand ,byremov ingc lausesw ithsma l l ar ity ,wedonotaffectvery muchtheeffic iencyo ftheterm inat ionana lys is .
6 Conc lus ion
Inth ispaper ,wehavepresentedsomeexper imentsw iththeautomat icder ivat ion o fnon-term inat ionproo fsforJavabytecodeprograms . Whentheapprox imat ion o fthebytecodesintoapath- lengthconstra intisexact ,thenon-term inat iono fthe or ig ina lprogramcanbededucedfromthato fitsCLP trans lat ion . Whenthe approx imat ionisnotexact ,it mayhappenthatthebytecodeprogramterm inates wh i leitsCLPvers iondoesnotterm inate(Sect ion4 .4i l lustratesth iss ituat ion) . As afuturework ,wep lantorep lacesomenon-exactapprox imat ions(suchasthato f thegetfie ldinstruct ionoro fthenon- l inearar ithmet icoperat ions)w ithexactones thataresu itab leforder iv ingnon-term inat ionproo fso fJavabytecodeprograms . Tothatpurpose ,aposs ib i l ityisthato ffind ingspec ificexecut ionsthat makethe programd iverge ,insteado fprov ingaun iversa lnon-term inat ion .Inthatd irect ion , we m ight makesomeprogramvar iab lesground,hencel inear is ingsomeoperat ions . Th iswou ldbes im i lartothetechn iqueusedin[6] .
Wehavea lsoimp lementedthenon-term inat iontestso fSect ion 3inordertohe lp theterm inat ionproverB inTerm usedinthetoo lJu l ia+B inTerm. Theresu ltswe havepresentedinSect ion5areencourag ing ;evenforsomelargeJavabytecodepro- grams ,thecomputat iona loverheado fthenon-term inat ionana lys isisun important ; moreover ,theterm inat ionprover B inTermruns muchfasterwhenthecomponents detectedasnon-term inat ingareremovedfromtheCLP trans lat iono ftheor ig ina l bytecodeprogram .
References
[1] Android- An Open Handset AllianceProject.http://code.google.com/android/.
[2] R.N.Bol, K.R.Apt,andJ. W. Klop. AnAnalysisofLoopChecking MechanismsforLogicPrograms. Theoretical ComputerScience,86:35–79,1991.
[3]P. Cousotand R. Cousot. AbstractInterpretation: A Unified Lattice ModelforStatic Analysisof Programsby Constructionor Approximationof Fixpoints. In Proc.ofthe4th ACM SIGPLAN- SIGACTSymposiumonPrinciplesofProgrammingLanguages(POPL’77),pages238–252,1977. [4] D. De Schreye, K. Verschaetse,and M. Bruynooghe. A Practical Techniquefor Detecting non-
Terminating Queriesfora Restricted Classof Horn Clauses,using Directed, Weighted Graphs. In Proc.ofICLP’90,pages649–663.The MITPress,1990.
[5]J. Giesl, R.Thiemann,andP.Schneider-Kamp. Provingand DisprovingTerminationof Higher-order Functions. In Bernhard Gramlich,editor, Proc.ofthe5thInternational Workshopon Frontiersof CombiningSystems(FroCoS’05),volume3717ofLecture Notesin ArtificialIntelligence,pages216–
231.Springer-Verlag,2005.
[6]P. Godefroid, N. Klarlund,and K.Sen. DART: Directed Automated Random Testing.In V.Sarkar and M. W. Hall,editors,Proc.ofthe ACMSIGPLAN2005 Conferenceon ProgrammingLanguage DesignandImplementation(PLDI’05),pages213–223. ACM,2005.
[7] A. Gupta, T.A. Henzinger, R. Majumdar, A. Rybalchenko,and R.G. Xu. Provingnon-Termination. In G.C. Neculaand P. Wadler,editors,Proc.ofthe35th ACMSIGPLAN-SIGACTSymposiumon PrinciplesofProgrammingLanguages(POPL’08),pages147–158. ACM,2008.
[8] T. Lindholmand F. Yellin. TheJavaTM Virtual Machine Specification. Addison-Wesley,second edition,1999.
[9]´E.Payet.LoopDetectioninTermRewritingUsingtheEliminatingUnfoldings. TheoreticalComputer Science,403:307–327,2008.
[10]´E. Payet and F. Mesnard. A non-Termination Criterion for Binary Constraint Logic Programs. Technical report, IREMIA, Universit´e de La R´eunion, 2008. Available at http://arxiv.org/abs/0807.3451.
[11]´E. Payetand F. Mesnard. Non-TerminationInferenceof Logic Programs. ACM Transactionson ProgrammingLanguagesandSystems,28,Issue2:256–289, March2006.
[12]S.RossignoliandF.Spoto. DetectingNon-CyclicitybyAbstractCompilationintoBooleanFunctions. InE.A.EmersonandK.S.Namjoshi,editors,Proc.ofthe7thInternationalConferenceonVerification, ModelCheckingand AbstractInterpretation(VMCAI’06),volume3855ofLecture NotesinComputer Science,pages95–110,Charleston,SC, USA,January2006.Springer-Verlag.
[13]S. Secciand F. Spoto. Pair-Sharing Analysisof Object-Oriented Programs. In C. Hankinand I.Siveroni,editors,Proc.ofStatic AnalysisSymposium(SAS’05),volume3672ofLecture Notesin ComputerScience,pages320–335,London, UK,2005.
[14] K.Sen, D. Marinov,and G. Agha. CUTE:aConcolic UnitTestingEngineforC.In M. Wermelinger andH.Gall,editors,Proc.ofthe10thEuropeanSoftwareEngineeringConferenceheldjointlywith13th ACMSIGSOFTInternationalSymposiumon FoundationsofSoftware Engineering,pages263–272. ACM,2005.
[15] Y-D.Shen,J-H. You, L-Y. Yuan,S.Shen,and Q. Yang. A Dynamic Approachto Characterizing Terminationof GeneralLogic Programs. ACM Transactionson ComputationalLogic,4(4):417–434, 2003.
[16] Y-D.Shen,L-Y. Yuan,andJ-H. You. Loops ChecksforLogicPrograms withFunctions.Theoretical ComputerScience,266(1-2):441–461,2001.
[17]F.Spoto, P. M. Hill,and´E. Payet. Path-Length Analysisfor Object-Oriented Programs. In First International Workshopon Emerging Applicationsof AbstractInterpretation(EAAI’06), Vienna, Austria, March2006. Availableatthewebaddresshttp://profs.sci.univr.it/∼spoto/papers.html.
[18]F.Spoto,L.Lu,andF. Mesnard. Using CLPSimplificationstoImproveJavaBytecode Termination Analysis.SubmittedforpublicationtoBytecode’09.
[19]F.Spoto,F. Mesnard,and´E.Payet. ATerminationAnalyserforJavaBytecodeBasedonPath-Length. Submittedforpublicationin August2007.
[20] H. VelroyenandP. R¨ummer. Non-TerminationCheckingforImperativePrograms.InB.Beckertand R. H¨ahnle,editors, Proc.ofthe2ndInternational Conferenceon TestsandProofs(TAP’08),volume 4966ofLecture Notesin ComputerScience,pages154–170,Prato,Italy, April2008.Springer. [21]J. Waldmann. Matchbox: A Toolfor Match-boundedString Rewriting. In Vincentvan Oostrom,
editor,Proc.ofthe15thInternationalConferenceonRewritingTechniquesandApplications(RTA’04), volume3091ofLecture Notesin ComputerScience,pages85–94.Springer-Verlag,2004.
[22]J. Waldmann. Compressed Loops (draft). Available at http://dfa.imn.htwk-leipzig.de/matchbox/methods/,2007.
[23] H.Zankland A. Middeldorp. NonterminationofString RewritingusingSAT. InProc.ofthe9th International Workshopon Termination(WST’07),pages52–55,2007.
[24] H.Zantema. TerminationofStringRewritingProvedAutomatically.JournalofAutomatedReasoning, 34(2):105–139,2005.
