

12.2 Numerical Cycle Dependencies

12.2.1 Determining Numerical Cycle Dependencies from Locally

The core of our NCD determination method is to estimate, for each condition statement $(B)$ in a cycle $c$, the maximal number of times $\max(B)$ that $c$ can be successively repeated during which (1) the variables in $E_c(B)$ are only modified within $c$ and (2) the condition $B$ still remains true. Having determined such a $\max(B)$, we know that every $\max(B)$ times that the cycle is executed, some other cycles must be executed at least once to modify the variables in $E_c(B)$. However, it is in general impossible to precisely determine $\max(B)$, and we will hence resort to computing an upper bound $n$ for $\max(B)$. It is easy to see that this is a safe approximation: the restriction that other cycles have to be executed every $n$ times that $c$ is executed does not exclude the possibility that other cycles are executed every $\max(B)$ times that $c$ is repeated.

Our method can only apply to a condition statement in a cycle such that (1) the boolean condition in the condition statement contains only linear expressions; and (2) inside the cycle only linear expressions can be assigned to any variable in the considered condition statement. We notice that this is not overly constraining since Promela code respecting the above restrictions is commonly observed in real life models. We currently also do not consider complex data structures such as arrays and records, among others, to simplify our analysis. These complex data structures will be considered in future work.

Given a condition statement $(B)$ in a cycle $c$, suppose that $B$ is locally determined and in its disjunctive normal form $d_1 \vee \cdots \vee d_n$, where each disjunct $d_i$ is a conjunction of several linear inequalities $a_{i1}, \ldots, a_{im_i}$. We further assume that each inequality is of the form $e_{ij} \ge f_{ij}$, where $e_{ij}$ is a linear combination of the variables in $B$ and $f_{ij}$ is a constant.

For each disjunct $d_i$ of $B$, we denote by $\max(d_i)$ the maximal number of times that $c$ can be repeated during which the variables in $E_c(d_i)$ are modified only within $c$ and $d_i$ remains true. If for any $d_i$ and any inequality $e_{ij} \ge f_{ij}$ in $d_i$ the value of $e_{ij}$ is changed monotonically within $c$, then $\max(B)$ is bounded by the sum of all $\max(d_i)$ values: once some $d_i$ becomes false, it cannot become true again without the variables in $E_c(d_i)$ being modified outside $c$. Therefore, the problem of estimating $\max(B)$ can be reduced to the problem of determining each $\max(d_i)$ value. Similarly, for each inequality $a_{ij}$ in $d_i$, we can estimate the $\max(a_{ij})$ value. The $\max(d_i)$ value is the minimum of all $\max(a_{ij})$ values, because if any inequality $a_{ij}$ is not satisfied then $d_i$ is not satisfied. We can therefore further reduce the computation of $\max(d_i)$ to the computation of the $\max(a_{ij})$ values.

Example 12.3. Consider as an example the cycle in the control flow graph in Figure 12.3, where $x$ and $y$ are integer variables. Before the cycle is entered, $x$ is initialized to 6 and $y$ is initialized to -1. During each execution of the cycle, the variable $x$ is decremented by 2 and $y$ is incremented by 1. We use $B$ to denote the boolean condition $(x + y \ge 3) \vee (-y \ge 0)$ in the condition statement in the cycle. Let $d_1 = a_{11} = x + y \ge 3$ and $d_2 = a_{21} = -y \ge 0$. It can be manually determined that $\max(d_1) = \max(a_{11}) = 3$, $\max(d_2) = \max(a_{21}) = 2$, and $\max(B) = 3$. However, our method would determine an upper bound for $\max(B)$ as 5 (3 + 2). Such an upper bound is based on the assumption that only one disjunct is true at any time, and that when it becomes false another disjunct immediately becomes true to make the whole boolean condition true. We can easily see that this is not the case in this particular example, which indicates the potential coarseness of our method when dealing with boolean conditions with disjunctions.

Figure 12.3: A control flow graph. [Figure not reproduced; its nodes are: the initialization x=6, y=-1 before the cycle; the condition statement ((x+y>=3)||(-y>=0)); the message sending statement ch!msg; and the assignments y=y+1, x=x-2, which lead back to the condition statement.]

In the following we show how to determine $\max(a_{ij})$ for an inequality $a_{ij} = e_{ij} \ge f_{ij}$. An upper bound on $\max(a_{ij})$ can be obtained if (1) an upper bound on the initial value of $e_{ij}$ before the cycle is entered can be determined; and (2) it can be determined that the value of $e_{ij}$ is always decreased, and therefore changed monotonically, in each iteration of the cycle.

Determining Initial Values. It is certainly impossible in general to determine the possible initial values of an expression before the cycle is entered. We use an incomplete solution that employs backward depth first searches to check, for each acyclic path leading to one of the exit points of the cycle, whether $e_{ij}$ receives a constant value on that path before the cycle is entered. If there exists an acyclic path along which $e_{ij}$ does not receive a constant value, then our attempt to determine the initial value for $e_{ij}$ fails. Otherwise, we take the maximum of all determined constant values as the initial value of $e_{ij}$ in the determination of $\max(a_{ij})$.

Determining Step Values. The Promela code in the cycle determines how the value of $e_{ij}$ is changed during cycle executions. We refer to the maximal difference of the values of $e_{ij}$ before and after one cycle execution as the step value of $e_{ij}$. If the step value is negative, i.e., the value of $e_{ij}$ is always decreased, then the linear inequality $a_{ij}$ cannot remain true without the variables in $E_c(a_{ij})$ being modified outside the cycle. Determining the step value of $e_{ij}$ is also impossible in general. We propose an incomplete method based on linear program (LP) solving.

We generate a set of LP problems from the cycle code, whose constraints reflect how the runtime values of variables are changed and constrained by the cycle code. The objective function of these LP problems is the difference of the values of $e_{ij}$ before and after one cycle execution. We maximize the objective function to get the step value of $e_{ij}$ under the constraints of the linear inequalities into which the cycle code is transformed. The generation of the LP problem constraints involves the transformation of each Promela statement in the cycle code into one or more inequalities. The transformation is described as follows. We introduce a subscripted variable for each of the variables used in the cycle code. All subscripts have the initial value 0. We start the transformation from the considered condition statement $(B)$. We also create a set of LP problems $L$ consisting of one LP problem that currently contains no constraint. We treat different kinds of statements in different ways, as explained below:

• For the considered statement $(B)$, if it is the first time we process this statement, then we construct a linear inequality the same as $a_{ij}$, i.e., $e_{ij} \ge f_{ij}$, by substituting each variable with its corresponding subscripted variable. We add this linear inequality to the LP problem in $L$. The subscripts remain unchanged, and we move to the next statement in the cycle. If it is the second time we encounter this statement, then we terminate the transformation procedure.

• For any other condition statement $(B')$, we convert $B'$ to its disjunctive normal form $d_1, \ldots, d_n$. For each $d_k$, we construct a set of linear inequalities. Each constructed inequality is obtained from one inequality $l$ in $d_k$ by substituting each variable in $l$ with its corresponding subscripted variable. Next, we construct $n$ new LP problems for each LP problem $P$ in $L$, such that the $k$-th new LP problem is obtained by adding to $P$ the inequalities that we construct for $d_k$. The subscripts remain unchanged, and we move to the next statement in the cycle.

• For an assignment $x = e$, we construct an equation $x_{k+1} = e'$, where $k$ is the current subscript for the variable $x$ and $e'$ is obtained from $e$ by substituting each variable with its corresponding subscripted variable. We add this equation to every LP problem in $L$. All subscripts except the one for $x$ remain unchanged. The subscript for $x$ is incremented by 1, i.e., the new subscript is $k + 1$. We move to the next statement in the cycle.

• For a message sending statement, we simply move to the next statement in the cycle without doing anything.

• For a message receiving statement, we increase the subscripts for all the variables in the statement by 1. In this way, for any variable in the statement, we do not have any connection between the current version of the variable and the previous version. This corresponds to the fact that the variable may receive an arbitrary value by the message receiving statement. This results in imprecision and may fail the cycle iteration time estimation. We then move to the next statement in the cycle.

After the transformation procedure ends, we add the same objective function to every LP problem in $L$: we use $e_{ij}^{init}$ to denote the version of $e_{ij}$ where all the variable subscripts are 0, and $e_{ij}^{final}$ to denote the version of $e_{ij}$ with the final version of each variable subscript. The objective function is then $e_{ij}^{final} - e_{ij}^{init}$.

Example 12.4. Consider the example in Figure 12.3. The cycle code is transformed into the following LP problem for determining the step value for $x + y$, the first inequality in the condition statement.

$$\max:\ x_1 + y_1 - x_0 - y_0 \qquad (12.36)$$

$$x_0 + y_0 \ge 3 \qquad (12.37)$$

$$x_1 = x_0 - 2 \qquad (12.38)$$

$$y_1 = y_0 + 1 \qquad (12.39)$$

We solve all the LP problems for determining the step value of $e_{ij}$. If the optimal solutions to the objective function of all LP problems are negative, then we know that the value of $e_{ij}$ is always decreased during cycle executions. In this case, we take the maximum of all optimal solutions as the step value of $e_{ij}$. Otherwise, if some optimal solution is positive or 0, then it is possible that the value of $e_{ij}$ is increased or unchanged after one cycle execution. In this case, we cannot determine whether $a_{ij}$ will eventually become false, and the estimation of $\max(B)$ also fails because we lose the monotonicity property.

In the above example, we can easily compute that the optimal solution to the objective function (12.36) is -1. Therefore, the step value of $x + y$ is -1.

Computing $\max(a_{ij})$. Once we obtain the step value $sv$ and the initial value $iv$ for $e_{ij}$, an upper bound on $\max(a_{ij})$ is simply $\lceil (f_{ij} - (iv + 1)) / sv \rceil$ (see footnote 1). In the above example, if the initial value of $x + y$ is 5, then $\max(x + y \ge 3) = 3$.
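As an added example (not code from the original chapter), the following Python carries out the subscripted-variable transformation of the cycle code described above and the $\max(a_{ij})$ formula, for the cycle of Figure 12.3. It does not call an LP solver: since every assignment yields an equation $x_{k+1} = e'$, the objective $e_{ij}^{final} - e_{ij}^{init}$ is obtained by substituting those equations; when the result is a constant it is the step value, otherwise (for instance after a message receive introduces an unconstrained version) the example conservatively reports that monotonicity could not be established. The statement encoding, the helper names and the tuple-based cycle representation are this example's own assumptions.

```python
"""Added example: step value and max(a_ij) for a Promela cycle, after Section 12.2.1."""
import math
from collections import defaultdict

# A linear expression is a dict {variable: coefficient}; the key "" holds the constant.
def add(a, b, s=1):
    """Return a + s*b, dropping zero coefficients."""
    r = defaultdict(int, a)
    for k, v in b.items():
        r[k] += s * v
    return {k: v for k, v in r.items() if v}

def versioned(expr, sub):
    """Replace each variable v by its current subscripted version, e.g. x -> x1."""
    return {(f"{v}{sub[v]}" if v else ""): c for v, c in expr.items()}

def substitute(expr, defs):
    """Eliminate subscripted variables that an assignment equation defines."""
    out = {}
    for k, c in expr.items():
        out = add(out, {kk: c * cc for kk, cc in defs[k].items()} if k in defs else {k: c})
    return out

def step_value(cycle, e):
    """Statements of the cycle after the considered condition (B), in order:
    ("assign", x, expr), ("recv", [vars]) or ("send",).  Returns the constant
    e_final - e_init, or None when it depends on free variables (the LP would
    then have to be solved; this example conservatively gives up)."""
    sub = defaultdict(int)   # current subscript of every variable, initially 0
    defs = {}                # x_{k+1} -> expression over earlier versions
    for stmt in cycle:
        if stmt[0] == "assign":
            _, x, rhs = stmt
            rhs_v = substitute(versioned(rhs, sub), defs)  # e' with current subscripts
            sub[x] += 1                                    # new version of x
            defs[f"{x}{sub[x]}"] = rhs_v
        elif stmt[0] == "recv":
            for v in stmt[1]:
                sub[v] += 1   # fresh version, unconnected to the previous one
    diff = add(substitute(versioned(e, sub), defs), versioned(e, defaultdict(int)), -1)
    return diff.get("", 0) if set(diff) <= {""} else None

def max_iterations(f, iv, sv):
    """Upper bound on max(a_ij) for a_ij = e_ij >= f from the initial value iv and a
    negative step value sv: ceil((f - (iv + 1)) / sv).  None if monotonicity is unknown."""
    if sv is None or sv >= 0:
        return None
    return math.ceil((f - (iv + 1)) / sv)

# Constructed encoding of the cycle in Figure 12.3: ch!msg; y = y + 1; x = x - 2.
CYCLE = [("send",), ("assign", "y", {"y": 1, "": 1}), ("assign", "x", {"x": 1, "": -2})]

if __name__ == "__main__":
    sv = step_value(CYCLE, {"x": 1, "y": 1})   # -1, as for (12.36)-(12.39)
    print(sv, max_iterations(3, 5, sv))         # max(x + y >= 3) = 3 with initial value 5
```

Running the same functions on the second disjunct ($-y \ge 0$, initial value 1) gives 2, so the two bounds sum to the 5 of Example 12.3.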

Determining Numerical Cycle Dependencies. After we successfully determine $\max(B)$, we can construct two NCDs as

$(\max(B), c, C)$

where $(c, C)$ is the ACD that we obtain using the algorithm in Listing 11.5 with respect to the condition $B$, and

$(\max(B), c, N_c)$

where $N_c$ is the set of neighbors of $c$.

1 $\lceil \cdot \rceil$ is the ceiling function, which returns the smallest integer not less than its real argument.

Complexity. The method for determining NCDs requires the estimation of cycle iteration times by transforming cycle code into a set of LP problems and solving these LP problems. If a control flow cycle contains integer variables, the constructed LP problems are then ILP problems or mixed LP problems. Since these ILP or mixed LP problems are not homogeneous in general, solving them is NP-hard. However, we usually obtain small LP problems from cycle code in practice, which can be solved in a short time. In order to further improve the efficiency, we may slice the cycle code to remove all the statements irrelevant to the satisfaction of the considered boolean condition [114]. More precisely, given a cycle $c$ and a condition statement $(B)$, when we transform the code in $c$ to LP problems for the estimation of $\max(B)$, we can disregard all condition statements that contain no variables in $E_c(B)$, and all assignment statements and message receiving statements that do not change any variables in $E_c(B)$. This is because no variables outside $E_c(B)$ have influence on the value of the boolean condition $B$, as explained in Section 11.3.1. The slicing strategy may reduce the size of the constructed LP problems, as observed in practice.

The method proposed in this section can be used to prove termination for control flow cycles and to estimate cycle iteration times. Given a cycle, if we can determine $\max(B)$ for every condition statement $(B)$, then the cycle is terminating. Let $m$ be the minimum of all determined $\max(B)$ values. Then, the cycle cannot be repeated without interruption more than $m$ times.