Test-Based Inference of Polynomial Loop-Bound Functions

Similar documents
Generalized Edge Coloring for Channel Assignment in Wireless Networks

Generalized Edge Coloring for Channel Assignment in Wireless Networks

CS 106 Winter 2016 Craig S. Kaplan. Module 01 Processing Recap. Topics

BIJECTIONS FOR PLANAR MAPS WITH BOUNDARIES

Ranking Functions for Loops with Disjunctive Exit-Conditions

Divide-and-Conquer Algorithms

A Classification of 3R Orthogonal Manipulators by the Topology of their Workspace

Kinematic Analysis of a Family of 3R Manipulators

Skyline Community Search in Multi-valued Networks

Shift-map Image Registration

Considering bounds for approximation of 2 M to 3 N

1 Surprises in high dimensions

Preamble. Singly linked lists. Collaboration policy and academic integrity. Getting help

Computer Organization

Non-homogeneous Generalization in Privacy Preserving Data Publishing

6 Gradient Descent. 6.1 Functions

Coupling the User Interfaces of a Multiuser Program

Online Appendix to: Generalizing Database Forensics

Intensive Hypercube Communication: Prearranged Communication in Link-Bound Machines 1 2

Almost Disjunct Codes in Large Scale Multihop Wireless Network Media Access Control

Learning convex bodies is hard

Queueing Model and Optimization of Packet Dropping in Real-Time Wireless Sensor Networks

The Reconstruction of Graphs. Dhananjay P. Mehendale Sir Parashurambhau College, Tilak Road, Pune , India. Abstract

Here are a couple of warnings to my students who may be here to get a copy of what happened on a day that you missed.

Particle Swarm Optimization Based on Smoothing Approach for Solving a Class of Bi-Level Multiobjective Programming Problem

Pairwise alignment using shortest path algorithms, Gunnar Klau, November 29, 2005, 11:

Lecture 1 September 4, 2013

APPLYING GENETIC ALGORITHM IN QUERY IMPROVEMENT PROBLEM. Abdelmgeid A. Aly

SURVIVABLE IP OVER WDM: GUARANTEEEING MINIMUM NETWORK BANDWIDTH

Table-based division by small integer constants

Characterizing Decoding Robustness under Parametric Channel Uncertainty

Comparison of Methods for Increasing the Performance of a DUA Computation

Optimal Oblivious Path Selection on the Mesh

Bends, Jogs, And Wiggles for Railroad Tracks and Vehicle Guide Ways

Shift-map Image Registration

Indexing the Edges A simple and yet efficient approach to high-dimensional indexing

Transient analysis of wave propagation in 3D soil by using the scaled boundary finite element method

Learning Polynomial Functions. by Feature Construction

arxiv: v1 [math.co] 15 Dec 2017

2-connected graphs with small 2-connected dominating sets

6.854J / J Advanced Algorithms Fall 2008

Local Path Planning with Proximity Sensing for Robot Arm Manipulators. 1. Introduction

Cluster Center Initialization Method for K-means Algorithm Over Data Sets with Two Clusters

Algebraic transformations of Gauss hypergeometric functions

Throughput Characterization of Node-based Scheduling in Multihop Wireless Networks: A Novel Application of the Gallai-Edmonds Structure Theorem

Classifying Facial Expression with Radial Basis Function Networks, using Gradient Descent and K-means

A Stochastic Process on the Hypercube with Applications to Peer to Peer Networks

Design of Policy-Aware Differentially Private Algorithms

Loop Scheduling and Partitions for Hiding Memory Latencies

B-Splines and NURBS Week 5, Lecture 9

Control-Flow Refinment via Partial Evaluation

Figure 1: 2D arm. Figure 2: 2D arm with labelled angles

Random Clustering for Multiple Sampling Units to Speed Up Run-time Sample Generation

Yet Another Parallel Hypothesis Search for Inverse Entailment Hiroyuki Nishiyama and Hayato Ohwada Faculty of Sci. and Tech. Tokyo University of Scien

Image compression predicated on recurrent iterated function systems

Compiler Optimisation

Politehnica University of Timisoara Mobile Computing, Sensors Network and Embedded Systems Laboratory. Testing Techniques

THE APPLICATION OF ARTICLE k-th SHORTEST TIME PATH ALGORITHM

Variable Independence and Resolution Paths for Quantified Boolean Formulas

Multilevel Linear Dimensionality Reduction using Hypergraphs for Data Analysis

Distributed Line Graphs: A Universal Technique for Designing DHTs Based on Arbitrary Regular Graphs

Optimization of cable-stayed bridges with box-girder decks

Discrete Optimization. Lecture Notes 2

Parallel Directionally Split Solver Based on Reformulation of Pipelined Thomas Algorithm

Solutions to Tutorial 1 (Week 8)

Research Article Inviscid Uniform Shear Flow past a Smooth Concave Body

Overlap Interval Partition Join

Secure Network Coding for Distributed Secret Sharing with Low Communication Cost

MORA: a Movement-Based Routing Algorithm for Vehicle Ad Hoc Networks

Message Transport With The User Datagram Protocol

A Neural Network Model Based on Graph Matching and Annealing :Application to Hand-Written Digits Recognition

Adjacency Matrix Based Full-Text Indexing Models

PDF hosted at the Radboud Repository of the Radboud University Nijmegen

THE BAYESIAN RECEIVER OPERATING CHARACTERISTIC CURVE AN EFFECTIVE APPROACH TO EVALUATE THE IDS PERFORMANCE

Navigation Around an Unknown Obstacle for Autonomous Surface Vehicles Using a Forward-Facing Sonar

NEW METHOD FOR FINDING A REFERENCE POINT IN FINGERPRINT IMAGES WITH THE USE OF THE IPAN99 ALGORITHM 1. INTRODUCTION 2.

Using Vector and Raster-Based Techniques in Categorical Map Generalization

Polygon Simplification by Minimizing Convex Corners

Handling missing values in kernel methods with application to microbiology data

r-tubound: Loop Bounds for WCET Analysis (tool paper)

CS269I: Incentives in Computer Science Lecture #8: Incentives in BGP Routing

Technical Report TR Navigation Around an Unknown Obstacle for Autonomous Surface Vehicles Using a Forward-Facing Sonar

Figure 1: Schematic of an SEM [source: ]

Lab work #8. Congestion control

A Convex Clustering-based Regularizer for Image Segmentation

Offloading Cellular Traffic through Opportunistic Communications: Analysis and Optimization

On the Role of Multiply Sectioned Bayesian Networks to Cooperative Multiagent Systems

Ad-Hoc Networks Beyond Unit Disk Graphs

State Indexed Policy Search by Dynamic Programming. Abstract. 1. Introduction. 2. System parameterization. Charles DuHadway

Questions? Post on piazza, or Radhika (radhika at eecs.berkeley) or Sameer (sa at berkeley)!

An Algorithm for Building an Enterprise Network Topology Using Widespread Data Sources

Animated Surface Pasting

Frequent Pattern Mining. Frequent Item Set Mining. Overview. Frequent Item Set Mining: Motivation. Frequent Pattern Mining comprises

Optimal Link Capacity Dimensioning in Proportionally Fair Networks

Dual Arm Robot Research Report

Proving Vizing s Theorem with Rodin

Modifying ROC Curves to Incorporate Predicted Probabilities

Department of Computer Science, POSTECH, Pohang , Korea. (x 0 (t); y 0 (t)) 6= (0; 0) and N(t) is well dened on the

A Duality Based Approach for Realtime TV-L 1 Optical Flow

Learning Subproblem Complexities in Distributed Branch and Bound

Transcription:

Test-Base Inference of Polynomial Loop-Boun Functions Olha Shkaravska Roy Kersten Rabou University Nijmegen {shkarav,r.kersten}@cs.ru.nl Marko van Eekelen Rabou University Nijmegen an Open Universiteit marko@cs.ru.nl Abstract This paper presents an interpolation-base metho of inferring arbitrary egree loop-boun functions for Java programs. Given a loop, by its loop-boun function we mean a function with the numeric program variables as its parameters, that is use to boun the number of loop-iterations. Using our analysis, loopboun functions that are polynomials with natural, rational or real coefficients can be foun. Analysis of loop bouns is important in several ifferent areas, incluing worst-case execution time (WCET) an heap consumption analysis, optimising compilers an termination-analysis. While several other methos exist to infer numerical loop bouns, we know of no other research on the inference of non-linear loopboun functions. Aitionally, the inferre bouns are provable using external tools, e.g. KeY. To infer a loop-boun function for a given loop it is instrumente with a counter an execute on a well-chosen set of values of the numerical program variables. By well-chosen we mean that using these test values an the corresponing values of the counter, one can construct a unique interpolating polynomial. The uniqueness an the existence of the interpolating polynomial is guarantee if the input values are in the so-calle NCA-configuration, known from multivariate-polynomial interpolation theory. The constructe interpolating polynomial presumably bouns the epenency of the number of loop iterations on arbitrary values of the program variables. This hypothesis is verifie by a thir-party proof assistant. A prototype tool has been evelope which implements this metho. This prototype can infer piecewise polynomial loop-boun functions for a large class of loops in Java programs. Applicability of the prototype has been teste on a series of safety-critical case stuies. For most of the loops in the case stuies, loop-boun functions coul be inferre (an verifie using a proof assistant). Categories an Subject Descriptors F.3. [LOGICS AND MEAN- INGS OF PROGRAMS]: Specifying an Verifying an Reasoning about Programs; D..4 [SOFTWARE ENGINEERING]: Software/Program Verification General Terms Verification, Performance, Reliability This work was fune by the Artemis Joint Unertaking in the CHAR- TER project, grant-nr. 00039, an the Laboratory for Quality Software (LaQuSo). Permission to make igital or har copies of all or part of this work for personal or classroom use is grante without fee provie that copies are not mae or istribute for profit or commercial avantage an that copies bear this notice an the full citation on the first page. To copy otherwise, to republish, to post on servers or to reistribute to lists, requires prior specific permission an/or a fee. PPPJ 0, September 5 7, 00, Vienna, Austria. Copyright c 00 ACM 978--4503-069-... $0.00 Keywors Loop-boun function inference, Program verification, Polynomial interpolation, NCA-configuration, Termination, JML. Introuction Loop-bouns are important in several ifferent fiels. The most obvious are worst-case execution time (WCET) an heap consumption analysis. Both are key issues for safety-critical systems, e.g. automotive an avionics applications. Compiler optimisations that transform loops, e.g. loop-unrolling, may also epen on knowlege about loop-bouns. Furthermore, termination of a program can only be prove if an upper boun on the number of loop iterations exists for each loop in the program. In the presente paper we escribe test-base inference of piecewise polynomial loop-boun functions for Java loops with firstorer numerical loop conitions. Given a program with a loop, the corresponing loop-boun function (LBF) expresses an upper boun on the number of the loop iterations epening on (some of) the numerical program variables an ata sizes. A similar term that is often use is ranking function. However, because our efinition is more specialise (we consier only loops) an to avoi confusion with the term of the same name use in the information retrieval community, we prefer the term loop-boun function. Consier for example the loop in Listing. While several other methos exist that are able to infer a numerical loop boun for certain values of i, for instance minimal or maximal values, we infer the loop-boun function 5-i, which can be use to boun (or in this case, calculate exactly) the number of iterations of this loop for arbitrary values of i. Only one other paper [9] is known to the authors where symbolic bouns are inferre, but there only a limite use of non-linear terms in bouns is possible. In other articles, sounness is not usually iscusse, but the correctness of the LBF inferre by the presente metho can be checke by external tools. By proving correctness of the boun, termination of the loop is also prove inherently. while ( i < 5) { i ++; 3 } Listing. A typical single (i.e. not neste) while-loop. The schema of our approach is as follows. Given a loop, it is first place into a testing metho. The loop in this metho is instrumente with a counter an this testing metho outputs the number of iterations of the loop on given values of the program variables. In this paper, we take into consieration numerical program variables that occur in the loop conition an its boy. Then, the metho is execute on a well-chosen set of inputs, which we call test values or, sometimes, following polynomial-interpolation terminology, test noes. By well-chosen set of test values we mean that using these test values an the corresponing values of the counter, one can construct a unique interpolating polynomial. The uniqueness an

the existence of the interpolating polynomial is guarantee if the input values are in the so-calle NCA-configuration, known from multivariate-polynomial interpolation theory. This issue is highlighte in Section, explaining application of polynomial interpolation. The obtaine ata are use to compute the corresponing interpolating polynomial. The inferring part of the proceure outputs a metho, annotate with the inferre boun, e.g. annotate in JML [5] by the ecreases-expression. The correctness of the annotation is verifie by an external checking tool. In our prototype implementation the metho with the annotate loop is run through KeY [3], which contains a verification-conition generator an a theorem prover. To obtain concrete loop bouns (i.e. the concrete number of iterations on concrete ata), the obtaine LBF may be applie to the results of ata-flow analysis, possibly accelerate by abstract interpretation an/or program slicing. Several examples exist in the literature [7, 4] inicating how this might be implemente. This work buils on our previous research on size analysis [7], where we stuie polynomial epenencies of the sizes of output ata structures (e.g. the length of a linke list) on the sizes of input ata structures. A similar algorithm as is use here for generating loop bouns was use in [8] to infer size relations. The running example throughout this paper is a while-loop with a quaratic LBF, given in Listing. This boun is successfully inferre by the prototype implementation an can be verifie using KeY. while ( x>0 && i>0 && i<x && j>0 && j<=x ) { if ( j==x ) { i ++; j = 0 ; } 3 j ++; 4 } Listing. A single loop with the quaratic LBF x xi j +. This research is conucte in the context of the Critical an High Assurance Requirements Transforme through Engineering Rigour (CHARTER) project. The goal of this project is to ease, accelerate, an cost-reuce the certification of safety-critical embee systems by meling realtime Java, Moel Driven Development, rulebase compilation, an formal verification. It will be part of a larger chain of tools evelope in this project. We recapitulate polynomial interpolation in Section. The LBF inference metho is introuce in Section 3. We then briefly iscuss the prototype implementation an a series of case stuies in Section 4. Extensions to the basic metho, that serve to hanle more complex cases, are iscusse in Section 5. The metho is evaluate in Section 6. Relate work is iscusse in Section 7. We outline future work in Section 8 an conclue the paper in Section 9.. Polynomial Interpolation When the result of a polynomial function is known for certain test values, the values of its coefficients can be erive. Such a polynomial, which interpolates the test results, exists an is unique uner some conitions on the ata, which are explore in polynomial-interpolation theory [5]. For -variable interpolation this conition is well-known: all the test noes must be ifferent. Recapitulate it in more etail. A polynomial p(z) of egree with coefficients a 0,..., a can be written as follows: a 0 + a z +... + a z = p(z) The values of the polynomial function in any pairwise ifferent + points etermine a system of linear equations w.r.t. the polynomial coefficients. More specifically, given the set `z i, p(z i) http://charterproject.ning.com/ of pairs of numbers, where 0 i, an coefficients a 0,..., a, the system of equations can be represente in the following matrix form, where only the a i are unknown: 0 z 0 z z z B........... @ z z z z 0 z 0 z z z 0 C B A @ a 0 a.. a a 0 C A = B @ p(z 0) p(z ). p(z ) p(z ) The eterminant of the matrix is calle a Vanermone eterminant. For pairwise ifferent points z 0,..., z it is non-zero. This means that, as long as the output values p(z i) are known for + ifferent inputs z i, there exists a unique solution for the system of equations an, thus, a unique interpolating polynomial. The conition uner which there exists a unique multivariate polynomial p(z,..., z k ) that interpolates multivariate ata is not trivial. Using the result from [5], we have shown how to generate test ata for size analysis of functional programs in [7]. Here we recall the basic facts from these papers. First, a polynomial p(z,..., z k ) of a egree an imension k (the number of variables) has N k = `+k k coefficients. Let a set of values f i of a real function f be given an let z enote a vector-variable (z,..., z k ). A set W = { w i = (z i,..., z ik ) : i =,..., N k } of points in a real k-imensional space forms the set of interpolation noes if there is a unique polynomial p( z) = Σ 0 j ++j k a j j k z j... zj k k with the total egree with the property p( w i) = f i, where i N k. In this case one says that the polynomial p interpolates the function f at the noes w i. The conition on W, which assures the existence an uniqueness of an interpolating polynomial, is geometrical: it escribes a noe configuration, calle Noe Configuration A, NCA for short, [5], in which the noes from W shoul be place in R k. The multivariate Vanermone eterminant compute from such points is non-zero. Thus, the corresponing system of linear equations w.r.t. the polynomial s coefficients has a unique solution. For a two-imensional polynomial of egree, the conition on the noes that guarantees a unique polynomial interpolation is as follows: N noes forming a set W R lie in a -imensional NCA if there exist lines γ,..., γ + in the space R, such that + noes of W lie on γ + an noes of W lie on γ \ γ +,..., an finally noe of W lies on γ \ (γ... γ + ). A typical instance of such a configuration is a -imensional gri. An example of a two-imensional gri base on integers is given in Figure. For imensions k > the NCA is efine inuctively on k. A set of N k noes is in NCA in R k if an only if C A there is a (k )-imensional hyperplane such that it contains some N k of the given noes lying in (k )-imensional NCA for the egree, there is a (k )-imensional hyperplane such that it contains some N k noes, lying in (k )-imensional NCA for the egree, an these noes o not lie on the previous hyperplane, in general, for any 0 i, there is a (k )-imensional hyperplane such that it contains some N k i noes, lying in (k )-imensional NCA for the egree i, an these noes o not lie on the previous hyperplanes, thus, the remaining noe lies on the remaining hyperplane an oes not belong to the previous ones.

For instance, for the example in Listing, we might assume that the loop-boun function is a quaratic polynomial (so, = ) an epens on three variables, x, i an j. Recall, that a quaratic function of three variables has `5 3 = 0 coefficients: p(x, i, j) = a 00x + a 00i + a 00j + a 0xi + a 0xj + a 0ij + a 00x + a 00i + a 00j + a 000. Therefore we nee 0 three-imensional points in R 3 -NCA. Accoring to the efinition above we nee: A set of `+ = 6 points on a plane in R -NCA: we take the hyperplane j = an the following noes: x i j 3 4 3 4 4 3 These points are given (projecte on the hyperplane j = ) in Figure. A set of `+ = 3 points in R -NCA on another plane: we take the hyperplane j = an noes x i j 3 4 3 A single (`+0 = ) point on yet another plane in R -NCA: we take just (x = 4, i =, j = 3). The corresponing system of linear equations is: 8 a 00 + a 00 + a 00 + a 0 + a 0 + a 0 + a 00 + a 00 + a 00 + a 000 = >< >: 3 a 00 + a 00 + a 00 + 3a 0 + 3a 0 + a 0 + 3a 00 + a 00 + a 00 + a 000 = 6 4 a 00 + a 00 + a 00 + 4a 0 + 4a 0 + a 0 + 4a 00 + a 00 + a 00 + a 000 = 3 a 00 + a 00 + a 00 + 3 a 0 + 3a 0 + a 0 + 3a 00 + a 00 + a 00 + a 000 = 3 4 a 00 + a 00 + a 00 + 4 a 0 + 4a 0 + a 0 + 4a 00 + a 00 + a 00 + a 000 = 8 4 a 00 + 3 a 00 + a 00 + 4 3a 0 + 4a 0 + 3a 0 + 4a 00 + 3a 00 + a 00 + a 000 = 4 3 a 00 + a 00 + a 00 + 3a 0 + 3 a 0 + a 0 + 3a 00 + a 00 + a 00 + a 000 = 5 4 a 00 + a 00 + a 00 + 4a 0 + 4 a 0 + a 0 + 4a 00 + a 00 + a 00 + a 000 = 3 a 00 + a 00 + a 00 + 3 a 0 + 3 a 0 + a 0 + 3a 00 + a 00 + a 00 + a 000 = 4 a 00 + a 00 + 3 a 00 + 4a 0 + 4 3a 0 + 3a 0 + 4a 00 + a 00 + 3a 00 + a 000 = 0 Its solution is (, 0, 0,, 0, 0, 0, 0, 0,, ), which yiels the polynomial p(x, i, j) = x xi j +. 3. Inference of Loop-Boun Functions Our metho is esigne for loops with conitions in the form of propositional logic expressions over numerical (in)equalities. Formally: C := sc C C C C sc := e [<, >,,, =, ] e where e i are arithmetical expressions. For now, we limit our focus to loops where the conitions are conjunctions over linear (in)equalities. The analysis of loops where i 3 0 3 4 Figure. An example of well-chosen test noes for a polynomial g(x, i) = a 0x + a xi + a 0i + a 0x + a 0i + a 00. These may be use to reconstruct a polynomial g(x, i) = p(x, i, ), where p is the polynomial boun for our running example. The grey area represents points that satisfy the conition x < i. the conition contains isjunctions is iscusse in Section 5. Note that the limiting the loop-conitions to linear (in)equalities oes not mean limiting to linear LBFs. The loop in Listing has a non-linear LBF for instance. Rejection: repeat testing with a higher egree Test-base inference proceure (the presente paper) Verifie loop boun Java source External checking tool x Annotate generate metho with the chosen loop Not verifiable automatically Verification Conition Prove manually Figure. Test-base proceure from a helicopter view: infer-ancheck cycle. In Figure we give a helicopter view of the test-base infer-ancheck proceure. First, a user inputs the Java source coe to the inference proceure. Then the proceure makes a hypothesis of a LBF, base on test-runs. This hypothesis is expresse in some conventional annotations, like JML, so the annotate metho output can be rea by an external checker that checks if the inferre boun is correct. Manual steps might be necessary to construct the proof. If the user conclues that such a proof cannot be foun, (s)he might go back to the inference proceure an try again with a higher egree of a polynomial LBF. In Figure 3, we zoom in on the test-base inference moule. We start with Java source coe an pick a loop for which one wants to infer an LBF. The loop is (automatically) inserte in a new metho an instrumente with a counter, which is returne at the en of the metho. The parameters of the metho are the

public voi meth(int x, int i, int j) { while (x > 0 && i > 0 && i < x && j > 0 && j <= x) { if (j==x) { i++;j = 0;} j++; } } Degree of a loop boun (e.g. =) Test runs public int meth(int x, int i, int j) { int count=0; while (x > 0 && i > 0 && i < x && j > 0 && j <= x) { if (j==x) { i++;j = 0;} j++; count++; } return count; } st group: egree NCA on plane n group: egree NCA on plane x=, i=, j= => count = x=3, i=, j= => count=5 x=3, i=, j= => count=6 x=4, i=, j= => count= x=4, i=, j= => count= x=3, i=, j= => count= x=3, i=, j= => count=3 x=4, i=, j= => count=8 3 r group: egree 0 NCA on plane x=4, i=3, j= => count=4 x=4 i=, j=3 => count=0 Fin the interpolating polynomial an generate the metho annotate with the corresponing loop boun: p(x, i, j) = x*x x*i j + ; Figure 3. Test-base inference moule in more etail. The choice of test noes is explaine in Section. numerical variables that occur in the loop conition an in its boy. In Section 8., we iscuss a combination with program slicing techniques, which woul yiel exactly the variables on which the loop boun epens. The new metho is now execute for a given egree an an appropriate set of values of these parameters, i.e. on so calle test noes. For instance, in our running example (x =, i =, j = ) is an amissible test noe. A well-chosen complete set of test noes for this loop is given in the figure. The set consists of 0 noes, since a polynomial of egree of 3 variables has 0 coefficients: p(x, i, j) = a 00x + a 00i + a 00j + a 0xi + a 0xj + a 0ij + a 00x + a 00i + a 00j + a 000. The result of a test run is the number of iterations for the corresponing noe. For instance, with (x =, i =, j = ) the loop boy is execute times, so the test metho returns count =. From the results of the test-runs a polynomial over the parameters can be calculate which interpolates the test results. Multiple tactics are possible to guess the egree of the polynomial. It can be left to the user to supply it as input to the proceure, or an increasing egree can be trie, up to a certain boun. When a egree that is too low is supplie, the metho will still fin an LBF, but the checker will reject it. When a egree that is too high is given, the right polynomial will still be foun, but more test-runs are neee. 3. LBF Inference: The Basic Metho This polynomial interpretation metho was alreay applie to Size Analysis in previous work [7, 8]. The main challenge we face when we ajust the interpolation theory to inferring imperative loop-boun functions is that test ata must not only lie on a gri (or more generally, be in NCA), but also satisfy the loop conition C. In Figure we show the set of points satisfying the (in)equalities i < x, i > 0 an x > 0. This correspons to the loop conition in our running example for the fixe j =. Whenever the loop conition is violate the loop is not execute an the testing metho, which is wrappe aroun the loop, outputs 0. Therefore, if we constructe the interpolation polynomial using a noe(s) that oes not satisfy the loop conition, we woul obtain for sure an incorrect loop boun. The problem of generating test ata for imperative loops is formalise as follows: given: a egree, the number of variables k, on which the loop-boun function epens, a loop conition C, to fin N k noes in NCA that satisfy C. We have reuce this task to the following one: construct an integer gri in R k, such that it is base on + parallel hyperplanes an contains N k noes, where there are some N k noes in (k )-imensional NCA for the egree that lie on one of the hyperplanes an satisfy the corresponing projection of C to this hyperplane, there are some N k noes in (k )-imensional NCA for the egree that lie on another hyperplane an satisfy the projection of C on this hyperplane, there are some N k i noes in (k )-imensional NCA for the egree i that lie on a fresh hyperplane an satisfy the projection of C on this hyperplane, 0 i, an the remaining noe lies on the remaining hyperplane an satisfying the corresponing projection of C. In general terms, our approach is base on search of the appropriate noes on hyperplanes x = i 0,..., i. The search is inuctive on the number of variables k. To boun the search space one uses an external optimisation proceure solving tasks of the form f(x,..., x k ) min, where x,..., x k satisfy the constraints C(x,..., x k ). Currently in our prototype we use a linear programming solver, an therefore, the prototype hanles only linear loop conitions. In general, one may use non-linear optimisation software, such as the implementation of the Augmente Lagrangian Genetic Algorithm (ALGA) by MathWorks or the open-source Java package Sigoa 3. The rest of this subsection is structure as is the inference proceure: generating test-noes, conucting the tests an interpolating a polynomial LBF. 3.. The algorithm for generating test-noes. Run the chosen optimisation proceure for the objective functions x i min, x i max an the constraints constitute from the loop conitions an the aitional bouns m i x i M i, where m i, M i are preefine resp. minimal an maximal amissible values of the variables x i, with i k. The results efine the k-imensional box, that bouns the set efine by C (within the minimal-maximal values). We only look for noes insie this box, because we know that others o not satisfy the loop conition.. Obtain search hyperplanes H j by cutting the bouning box on congruent slices, j = 0,...,. 3. Amongst these hyperplanes, search for one that contains N k noes in (k )-imensional NCA for the egree an the projection of C on this hyperplane, etc. as explaine above. http://www.mathworks.com/access/helpesk/help/toolbox/ gas/bqf8b.html 3 http://sigoa.sourceforge.net/

4. If the search succees, then stop. Otherwise, refine the gri by increasing the number of hyperplanes (e.g. by ecreasing the istance between them) an repeat the search for the refine gri. This proceure fins test-noes that both satisfy the loop conition an lie in NCA, if they exist on a gri within the minimal-maximal values m i, M i. It fins suitable test-noes for the case-stuy examples. To refine the search algorithm, one may a other, than rectangular gris, kins of NCA, like e.g. pencil configurations. 3.. Run tests When suitable test noes have been selecte, we can now run the tests. Of course, because the investigate loops are actually execute, termination of the inference proceure epens on termination of those loops. The LBF inference proceure terminates if the consiere loop terminates for all inputs. Assuming that infinite loops are unesirable in general, but especially for loops for which one seeks to boun the number of iterations, fining non-termination for certain inputs is a valuable result in itself. An implementation can never conclue nontermination, but it may quit execution after a particular amount of time has passe an hint the user that there is a large chance that the loop oes not terminate on the consiere inputs. 3..3 Fin the interpolating polynomial When all the tests have prouce iteration counts (i.e. all have terminate), then we can now fit a polynomial, which interpolates these results. Because the test-noes satisfy NCA, we know that a single interpolating polynomial exists. 3. Dealing with LBFs with rational or real coefficients As state earlier, LBFs can be polynomials with coefficients that are natural, rational or real numbers. However, when a polynomial has rational or real coefficients, its result is not necessarily a natural number, which, of course, any estimate of a number of loop iteration must be. Consier for instance the loop in Listing 3. while ( start < en ) { start += 4 ; 3 } Listing 3. An example with a loop-boun function that is a polynomial over rational coefficients The exact number of iterations of this loop is given by en start. 4 In other wors, when en start oes not equate to a natural number, for instance to 3, it must be ceile. Generally, when the 4 coefficients of the polynomial LBF p( z) are not natural numbers, the actual boun shoul be rea as p( z). When the coefficients are naturals, we omit the ceiling notation. 3.3 Expressing the LBF in JML In this section we iscuss how we can express the foun LBF in JML, in orer to be verifie by an external tool. The result of our metho is Java coe annotate with JML, in which the inferre LBF is expresse. Loop-boun functions are most easily expresse in JML by efining a ecreases clause on the loop. This is an expression which must ecrease by at least on each iteration, an remains greater than or equal to 0, see the JML reference manual [3]. It therefore forms an upper-boun on the number of iterations. We want an external tool to verify the LBF for the case where the loop conition initially hols, otherwise the ecreases-clause is not guarantee to be 0 initially (an the loop will iterate exactly 0 times). Therefore, the loop conition is ae as a preconition to the constructe metho. The example from Listing is shown in annotate form in Listing 4. / @ r e q u i r e s x>0 && i >0 && i<x && j >0 && j <=x ; 3 e n s u r e s t r u e ; 4 / 5 public voi meth ( int x, int i, int j ) { 6 7 / /@ a s s i g n a b l e i, j ; 8 / /@ l o o p i n v a r i a n t t r u e ; 9 / /@ e c r e a s e s x x x i j + ; 0 while ( x>0 && i>0 && i<x && j>0 && j<=x ) { if ( j==x ) { i ++; j = 0;} j ++; 3 } 4 } Listing 4. The inferre LBF for the example in Listing expresse as a JML annotation. Unfortunately, there is no ceiling operation available in JML. We therefore have to overestimate the boun slightly when the LBF has rational or real coefficients. Since p( z) p( z) +, we can o this safely by aing one instea of ceiling. Although our metho works for both integer an floating-point numbers, an JML can hanle them, no verification tools for Java programs annotate with JML are known to the authors that have support for floating-point numbers. 3.4 Complexity: exponential w.r.t. the number of variables k The first sub-proceure in the presente inference metho is an external optimisation proceure use to boun the test-noes search space. Typically, the complexity of optimisation methos epens on the number of (in)equations in the constraints, number of variables (the space s imension) an complexity of (in)equations. For non-linear constraints the worst-case complexity is, as a rule, exponential, but one often uses smart search algorithms proviing better average computation time. For instance, in genetic algorithms the search is irecte by e.g. the value of a penalty function that ecreases when one searches in the right irection. For the remaining parts of the inference metho we can give inepenent estimations of complexity. These parts are: the search of test noes that, as one intuitively expects, has the most significant complexity, which we will iscuss right now, below, the runs (N k = `+k k times) of the test metho on the test noes, solving a system of N k linear equations w.r.t. N k variables that has the worst complexity O((N k ) 3 ); with some avance matrix-multiplication algorithms the complexity may be between O((N k ) ) an O((N k ) 3 ). Searching of test noes is the most time-consuming part of the inference proceure (besies, probably, non-linear optimisation part). Let N (, k) enote the time for fining the noes for a polynomial of the egree with k variables. Consier its behaviour from the best to the worst case, with N min(, k) enoting the best computation time. In the best case we just cut the k-imensional cube by + hyperplanes of the imension k, an fin immeiately N k i points on the i-th hyperplane in time N min( i, k ), where 0 i. Therefore, we may assume that N min(, k ) = N min(, k ) + N min(, k ) +... + N min(, k ) + N min(0, k ) + ( + ) that inclues the time for + recursive calls. We can show by inuction on k that N min(, k) = O`. k k!

Inee, for k = we have to pick up + ifferent points on the line, so N min(, ) = + = O( ). For k = we have N min(, ) = ( + ) + +... + + ( + ) = (+) + ( + ) = O( ). Using the inuction assumption, Nmin(, k) = P ( i)k P i=0 O( )+(+) = O` (k )! (k )! i=0 jk +(+) R O` x (k )! 0 xk + ( + ) = O( k ). k! In the mile case the initial collection of (+) hyperplanes oes have all the points in the necessary configuration, but, roughly, one has to reorer hyperplanes to get the k-imensional NCA configuration. That is, the i = 0-th hyperplane oes not contain enough, i.e. N k, (k )-imensional points, so in general we have to look through all + hyperplanes. Next, for N k points we have to search in remaining hyperplanes, etc. So, for N k i points P we search in + i hyperplanes. Therefore, N (, k) = i=0 `( + i)(n ( i, k ) + ), incluing the recursive calls (with + staying for the recursive call of the proceure for i, k ). Then, the estimate is N (, k) P i=0 `( + i)(n (, k ) + ) = (N (, k ) + ) P i=0 ( + i) = (N (, k ) + )O( ) (N (, k ) + )O( 4 4 ) + O( ) = O(( )k ) Now, it is clear that the the worst-case computation time of noe search is exponential in k. Different versions of the search proceure provie ifferent bases of the exponent or iffer by a multiple, that may be quite large. Here we consier one of the versions (implemente in the prototype) with accelerate generation of new collections of hyperplanes. In the worst case, if we fail to fin enough noes w.r.t. the current collection of hyperplanes, we have to generate another collection of D > + hyperplanes for a refine gri. Similarly to the estimates above, the estimate is N (, k) = P (N (, k )+)O` D (D + i)(n ( i, k ) + ) k. After failing with the first i=0 ` = O D hyperplane collection, D takes consecutively the values ( + ), 8 ( + ), 8i+ ( + ), with 0 i i max an for i max the following hols. It is such that 8imax+ ( + ) M +, where M is the (length of the) sie of the bouning box, generate by the optimisation proceure on the first step. So, we obtain that i max 8 (log M+ ). The worst-case time, when we have to + go through all the possible cuts, is then ` ( 8i+ (+)) P imax i=0 O( k ( + ) k ) P i max k = i=0 O(6k ) i = O` k ( + ) k ( 6k ) imax+ 6k Taking into account the estimate for i max we obtain that N (, k) oes not excee O 6 ( + ) k! M + k «= O ( + ) 7 (M + ) k 4. Prototype an Case Stuies We have create a prototype implementation of the metho in Java. This prototype can be use to loa Java source files, select a loop to analyse, input an expecte egree, infer a loop-boun function (LBF) an output Java coe containing JML annotations in orer to prove this inferre LBF using an external tool, for instance KeY [3] or ESC/Java [5]. For the prototype, existing software packages were use as much as possible, for instance for bouning the test-noe search space an for solving the interpolation matrix. Aroun 3000 lines of coe were ae to create a working prototype, incluing a graphical user interface. JML annotations can be generate for all of the loops liste in this paper. We were able to prove all the inferre LBFs using KeY. Aitionally, we have conucte three case stuies of safetycritical Java systems, suggeste as test cases by the CHARTER partners. Collision etector case stuy from []. The first case is the collision etector example from the paper Provable Correct Loop bouns for Realtime Java Programs by James Hunt et al []. This coe stems from a safety-critical avionics application. DIANA Package. This package is evelope in the FP6 project Distribute, equipment Inepenent environment for Avance avionics Applications (DIANA) 4. The package is escribe in etail in [6]. CDx Collision Detector package. The CDx Collision Detector package 5 is a publicly available Real-Time Java Benchmark. It is escribe in []. Nr. of loops Analysable Percentage Hunt et al 00% DIANA 4 4 00% CDx 38 3 6% Total 44 9 66% Table. Summary of the cases stuie. The results are shown in Table. As can be rea from the table, we can hanle roughly two-thirs of the loops foun in the case stuies. This means that we can infer an LBF for these loops using our prototype an prove it using KeY. All of the foun LBFs were linear, i.e. of egree one. In the case stuies, apparently, enough test-noes are foun after just a few cuts of the k-imensional search space. This leas us to believe that the average complexity of the metho lies somewhere aroun O(D k ) for D = 9 ( + ), rather than near the worstcase complexity. For the examples in the case stuies this amounts to approximately one secon spent in LBF inference. KeY was able to prove all the LBFs fully automatically, for which it requires approximately 5 to 0 secons. 5. Extensions Two extensions were mae to the core metho in orer to eal with a greater class of loops. The first extension enables analysis of loops with isjunctions in their conitions. The secon extension enables analysis of loops with conitionals (if-statements) insie their boies. 4 http://iana.skysoft.pt/ 5 http://aam.lille.inria.fr/soleil/rc/

5. Piecewise LBFs for isjunctive loop conitions Here, we consier loop conitions in isjunctive normal form (DNF) over arithmetical (in)equalities: n_ ` ^ mi (e lij b e rij) i= j= with b {<, >, =,,, }. Note that any expression in propositional logic can easily be converte into DNF, using the laws of istribution an De Morgans theorems. We transform the DNF loop conition into a DNF in which the conjuncts represent pairwise non-overlapping numeric sets. We use the fact that: _ ` ^ B... B n = B j I {,,n},i i I B i \ _ j Ī where Ī enotes the complement of I in {,..., n}. Formally, the V isjunction-splitting operation for e.g. a two-conjunct DNF m i= Ai V m i= Ai, where each Aji is an inequation, is efine by split( V m i= Ai V m i= Ai) := V m,m Vi =,i = Ai ( A i ) m,m Vi =,i = Ai A i m,m i =,i = ( Ai ) A i Together, the isjunctive conjuncts of a loop conition etermine a piecewise LBF. Consier the example given in Listing 5. while ( start<en && ( en<40 en >00)) start ++; Listing 5. While-loop with isjunctions an two parameters in its conition. The proceure first splits up the loop conition into three isjunctive parts (start < en) (en < 40) (en > 00), (start < en) (en > 00) (en < 40) an (start < en) (en < 40) (en > 00). Since (en < 40) an (en > 00) cannot both be true, this can easily be simplifie to the following two pieces: (start < en) (en < 40) an (start < en) (en > 00) Then it constructs test methos for two separate loops, one with each conition. From this point on, the regular inference proceure runs. It generates the following piecewise boun: 8 < : en start if (start < en) (en < 40) en start if (start < en) (en > 00) 0 else In this case the polynomials in both clauses of the isjunction coincie. Disjunction-splitting takes care of loop conitions containing isjunctions, as long as the boy of the loop satisfies the following separate pieces property: For each isjunctive piece of the loop-conition, not overlapping any other pieces, the loop-boy oes not change the program variables in such a way that another piece becomes satisfie. An example of a loop that oes not satisfy this property is given in Listing 6. while ( i < 30 ( i > 9 && i < 0 0 ) ) i ++; Listing 6. Loop in which the pieces are separate, but a jump is mae from one piece to the other 5. Branching insie the loop boy The basic proceure fins correct LBFs for most loops containing branching, such as for example the one in Listing. However, there are cases in which the basic proceure fails, because the ifferent branches affect the boun in ifferent ways. Such a case is shown in Listing 7. while ( i > 0) if ( i > 00) i = 0 ; 3 else i = ; Listing 7. Example where the basic metho supplies an incorrect LBF. Therefore, branch-splitting is applie, yieling the untight, but correct LBF i. To solve this problem, we have invente branch-splitting. This proceure fins LBF for loops where the if-statements, if they exist in a loop boy, have the following worst-case computation branch (WCCB) property: For each loop boy, there is an execution path such that, for any collections of values of the loop variables, if one follows this execution path in every loop iteration one reaches the worst-case, i.e. the upper boun. With branch-splitting, we mean that we generate multiple new loops from the original, one for each possible branch. We then o the analysis for each of these branches. The LBF is then the maximum of all the inferre LBFs. Thanks to the WCCB property, we can easily fin the LBF that always specifies the maximum, by supplying a set of values for the variables (say, all ones) to all the LBFs. For the example in Listing 7, this yiels the LBF i. A simple sub-class of loops with the WCCB property is given by if-statements breaking the loop execution, by a return or break or by throwing an exception. An example is shown in Listing 8. for ( int i = 0 ; i < a. length ; i++) if ( a [ i ] < b [ i ] ) return ; 3 else if ( a [ i ] > b [ i ] ) return +; Listing 8. In this loop removing the if-statement yiels a loop with the exact loop-boun function a.length - i that is the same as the worst-case boun of the original loop. In general, in cases like this one may iscar return-branches completely, since they o not yiel an upper boun. Another simple sub-class of loops with the WCCB property is given by loops containing if-statements, such that for all branches the values of the loop counter are the same. This happens when in the if-statement the values of variables, on which a given loop conition epens, are not change. This is the case, for instance, when in the if-statement one changes the values in an array but not its length. Note, that when the loop parameters are change in the same way in both the if an the else clauses then the ifstatement may be transforme into an equivalent coe fragment where it satisfies the conition above. An example that oes not satisfy the WCCB property is shown in Listing 9. while ( i > 0) if ( i % == 0) i = 3 ; 3 else i ++; Listing 9. Example that oes not satisfy the WCCB property an is therefore not analysable using our metho

C = C ᴠ ᴠ C i ᴠ ᴠ C m where, C i are isjoint: isjunction-splitting C C i C m Basic proceure: the conition is a conjunction of a st-orer arith. preicate LBF rejecte branch-splitting C q C i q i Basic proceure: the loop boy with the -st branch C i p i Basic proceure: the loop boy with the n-th branch C i p in C m q m q i :=select-max(p i,,p in ) (C q ) ᴠ ᴠ (C i q i ) ᴠ ᴠ (C m q m ) Figure 4. Overview of the inference proceure with extensions. This example oes not satisfy the property because executing the else-branch exclusively woul yiel an infinite boun. Not that it woul also be impossible to formulate a correct ecreases-clause for this loop. An overview of the metho with extensions is given in Figure 4. First we apply isjunction splitting, then we execute the basic metho for each of the separate pieces. If this oes not yet yiel a correct LBF, then we apply branch-splitting an take the maximum of each of the LBFs of all the branches as LBF. 6. Evaluation There are still some examples in the case stuies that cannot yet be analyse using our metho. At this point, we o not consier cases where the loop boun epens on: Fiels of reference objects Metho invocations Booleans Different threas A way of hanling bouns that epen on references is escribe in [], which we might incorporate in the future. Furthermore, we require that the loops satisfy the separate pieces an worst-case computation branch properties. We believe that satisfying these properties is only a minor restriction, since rewriting loops to o so is usually fairly straight-forwar. Such properties might even be incluing in the coing style requirements for safety-critical software. For examples that can be hanle by our metho, it usually computes the exact LBF. An exception to this is when branch-splitting is applie. This means that compare to other methos, our metho fins bouns that are equally tight, or tighter. Furthermore, other methos are unable to erive non-linear LBFs. This is iscusse in more etail in the next section. 7. Relate Work Various other research results on bouning the number of loop iterations exist. However, most are concerne with concrete (numerical) bouns, instea of loop-boun functions. Also, most can only hanle (tightly) cases where the boun epens linearly on program variables (we can hanle the polynomial case). In a sense, our technique is more general than the methos iscusse in this section. It may not be the most efficient metho for simple loops, but it can be use to hanle certain more complex cases. This makes it complementary to the other techniques iscusse here. Another common ifference is that other approaches rely on hanmae sounness proofs of their metho, while we rely on a verification tool to ensure that the erive LBFs are correct. In [8], pattern-matching on abstract syntax trees (ASTs) is use by Fulara et al to select one of several syntax-base schemes for generating ecreases-clauses. If the AST matches a given pattern, then parameters from this pattern can be use to form a ecreases-clause. The authors claim to cover 7% of all for-loops in a set of case stuies. It is thinkable that their metho is use in an implementation for the basic cases an our metho is applie when no pattern matches. Abstract interpretation, program slicing an invariant analysis are use by Ermeahl et al in [7] to infer numerical bouns for

C programs. The bouns meant here are integers representing the number of times a certain block of coe is execute. The metho can infer bouns for over 50% of the loops in a set of benchmarks. A similar approach is taken by Lokuciejewski et al in [4], who combine abstract interpretation with polytope moels to calculate numerical loop bouns for C programs. Both upper an lower bouns are calculate an the analysis is accelerate by using program slicing. Even though there are restrictive constraints on the loops that can be analyse, the authors claim that they can hanle 99% of all for-loops in a set of benchmarks. Sounness or verification of the bouns are not iscusse. Abstract interpretation is also use in [6], in combination with flow analysis. Numerical bouns can be foun for 84% of the loops in a benchmark suite. The metho works on C programs. Gulwani uses off-the-shelf linear invariant generation tools to compute symbolic loop bouns in [9]. The authors experiment with ifferent counter instrumentation methos an a technique they name control-flow refinement. Loop-boun functions are presente as right-han sies of the inequations in loop invariants. Inference of invariants is base on linear arithmetic, but some limite use of non-linear terms is possible as well. Given a particular program, the base arithmetic may be extene by a finite set of non-linear operators together with reasoning rules for them. The inference system, first, introuces a fresh variable for each non-linear operator, then eals with linear combinations of such variables (an usual arithmetic variables). The operators an the rules are chosen e.g. by a user, who knows which sort of invariants one can expect in the given coe. In a relate article by the same author(s) [0], pattern-matching against known loop-iteration lemmas is use to establish bouns for C an C++ programs. This last metho can fin bouns for 93% of the loops in a significant Microsoft prouct. In [4], Ben-Amram escribes a metho to erive global ranking functions, base on Size-Change Termination. Such a ranking function is require to ecrease in each basic block of the program. He uses an abstraction calle Monotonicity Constraints an represents them as graphs. Various algorithms are escribe that can be applie to these graphs to juge termination an construct ranking functions. Hunt et al iscuss the expression of manually conceive loopboun functions in JML, their verification using KeY an the combination with ata-flow analysis in []. This article is an important motivation for our work. What is missing in the metho is the automate inference of loop-boun functions, which we supply. In [], Albert et al escribe a system of generating an solving cost recurrence relations. These relations efine functions that represent upper bouns on time or memory usage by a program. To solve a recurrence relation means to fin a close, i.e. a recursionfree, form of the corresponing function. Terms in the system represent monotonic real functions an, besies monotonically increasing polynomials, contain the exponent an the logarithmic functions. 8. Future Work Here we iscuss some areas where we will improve an exten our research an the prototype implementation in the future. 8. Improving test-noe search The first step in improving the implemente generation of testnoes is to replace the linear programming solver that is use in the current prototype with a global optimisation library. This woul enable us to hanle loop conitions containing non-linear (in)equalities. Next, the implemente search algorithm may be optimise, first of all, in its searching hyperplane-by-hyperplane part, probably by memorising hyperplanes that have enough points for exactly a egree i (see Section 3. for more etail). When inferring the LBF for a loop with an increment > the metho oes not always generate correct boun functions. In the case of linear polynomials inferre boun functions are correct but not optimal. In general, for a given loop, the connection between its nonlinear upper boun function, its incremental step an the interpolating polynomial nees to be stuie. We have one the stuy for linear bouns, but the results have not been implemente yet. Now we briefly iscuss our observations about the connection between incremental steps an linear loop-boun functions. Strictly speaking, if m > is an incremental step in a loop, then its worst-case boun is not exactly a polynomial but is of the form p( z). Depening on the test noes, our metho fins a boun of m the form p ( z) + r, where 0 r. This can be explaine by the fact that a graphical representation of p( z) takes a step form, m where the steps are of size m. For the interpolation to be correct, all test-noes must be m apart, such that they are locate at the same point w.r.t. the begin of a step interval. Furthermore, it is possible to infer the optimal polynomial boun (i.e. not ceile) when the right test-noes are chosen. This boun is p( z)+(m ) for LBF-s of the m aforementione form. An example of such a loop is given in Listing 3. We want to choose such testing noes (start i, en i) that en i start i mo 4 == 0. In other wors, test-noes must be multiples of the step. Then the upper boun is g( z) + (or even g( z) + m ), where g( z) is the ata interpolating polynomial. We m have been working on the proceure of generating test noes for loops with steps even of more general form m/n, where m >. The task task is formulate as follows: given a loop, one nees to generate the k-imensional noes, that: as earlier, are in NCA configuration, as earlier, satisfy the loop conition, are of the form ( m n i,..., m n i k). Instea of an original loop conition P (x,..., x k ) consier the preicate P (x,..., x k) = P (mx,..., mx k ). Using alreay existing part of the metho, generate the intermeiate list of integer noes lying in NCA an satisfying this preicate: [(x,..., x k),..., (x N,..., x Nk)] The esirable list of test noes is: [(mx,..., mx k),..., (mx N,..., mx Nk)] Inee, the noes in this list satisfy all three conitions above: they obviously lie in NCA, since it is just scaling of another NCA gri each of them satisfies the loop conition, because this hols: P (mx j,..., mx jk) = P (x j,..., x jk) they are of the form ( m n i,..., m n i k) because so i l = nx jl. (mx j,..., mx jk ) = ( m n nx j,..., m n nx jk ), In the example of this section we interpolate a linear polynomial of two variables p(start, en) = a start + b en + c, which has three coefficients. The intermeiate test noes satisfy the preicate 4 start < 4 en. They are, e.g. (0, ), (0, ), (, ). The corresponing test noes are (0, 4) with the loop-iteration counter value, (0, 8), with the counter an (4, 8) with the

counter. The corresponing interpolating polynomial is en start 4 an a polynomial boun function is en start 4 + 3 4. 8. Program slicing As is one in [7] an [4], we inten to use program slicing to accelerate the analysis. This way, irrelevant parts of the coe can safely be ignore. Slicing gives us exactly the variables on which the loop conition (i.e. the boun) epens. Since the complexity of our analysis is exponential in the number of variables in the polynomial, this is highly beneficial to the performance of the metho. 8.3 Combination with ata-flow analysis The metho coul be combine with ata-flow analysis in orer to yiel concrete numerical bouns. For example, when by flow analysis we can obtain an interval for each variable, then we can obtain a minimum an maximum on the number of loop iterations by searching for minima an maxima of the LBF within this interval. 8.4 Size an heap consumption analysis The analysis shoul be combine with our previous research on size analysis. There is a mutual epenency between the two. What size analysis may a to LBF inference is that a loop boun often epens on the size of a ata structure (e.g. the length of a list). If we can boun this size, then we can boun the number of loop-iterations. What LBF inference may a to size analysis is that often a ata structure gets constructe by executing a loop. Think of iteratively aing elements to a list, for example when converting an array into a list object. If in that case we know the number of loop-iterations, we know the size of the constructe list. Furthermore, objects may be constructe in a loop. This means that LBF inference is also crucial to boun heap-space usage, which is a future goal for the CHARTER project. 9. Conclusions We have presente a way of computing arbitrary egree loopboun functions. By expressing these functions in JML their correctness can be prove, which is very valuable in safety-critical systems. While various other methos for inferring loop-bouns exist, we are not familiar with any other works on generating nonlinear loop-boun functions for Java. Moreover, the technique presente herein is largely complementary to other methos, since it is more general an can solve certain more complex cases, such as quaratic bouns. Using a prototype implementation, loop-boun functions can be inferre for 66% of all loops in a set of case stuies from actual safety-critical systems. References [] E. Albert, P. Arenas, S. Genaim, an G. Puebla. Dealing with numeric fiels in termination analysis of java-like languages. In FTfJP, pages 77 87, 008. [] E. Albert, P. Arenas, S. Genaim, an G. Puebla. Automatic inference of upper bouns for recurrence relations in cost analysis. In SAS, pages 37, 008. [3] B. Beckert, R. Hähnle, an P. H. Schmitt, eitors. Verification of Object-Oriente Software: The KeY Approach. LNCS 4334. Springer- Verlag, 007. [4] A. M. Ben-Amram. Size-change termination, monotonicity constraints an ranking functions. In CAV, pages 09 3, 009. [5] C. K. Chui an M.-J. Lai. Vanermone eterminants an lagrange interpolation in R s. Nonlinear an convex analysis, pages 3 35, 987. [6] M. De Michiel, A. Bonenfant, H. Cassé, an P. Sainrat. Static loop boun analysis of C programs base on flow analysis an abstract interpretation. In RTCSA 08: Proceeings of the 008 4th IEEE International Conference on Embee an Real-Time Computing Systems an Applications, pages 6 66, Washington, DC, USA, 008. IEEE Computer Society. ISBN 978-0-7695-3349-0. [7] A. Ermeahl, C. Sanberg, J. Gustafsson, S. Byge, an B. Lisper. Loop boun analysis base on a combination of program slicing, abstract interpretation, an invariant analysis. In C. Rochange, eitor, 7th Intl. Workshop on Worst-Case Execution Time (WCET) Analysis, Dagstuhl, Germany, 007. Internationales Begegnungs- un Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany. [8] J. Fulara an K. Jakubczyk. Practically applicable formal methos. In SOFSEM 0: Proceeings of the 36th Conference on Current Trens in Theory an Practice of Computer Science, pages 407 48, Berlin, Heielberg, 00. Springer-Verlag. ISBN 978-3-64-65-. [9] S. Gulwani. SPEED: Symbolic complexity boun analysis. In CAV 09: Proceeings of the st International Conference on Computer Aie Verification, pages 5 6, Berlin, Heielberg, 009. Springer- Verlag. ISBN 978-3-64-0657-7. [0] S. Gulwani, S. Jain, an E. Koskinen. Control-flow refinement an progress invariants for boun analysis. In PLDI 09: Proceeings of the 009 ACM SIGPLAN conference on Programming language esign an implementation, pages 375 385, New York, NY, USA, 009. ACM. ISBN 978--60558-39-. [] J. J. Hunt, F. B. Siebert, P. H. Schmitt, an I. Tonin. Provably correct loops bouns for realtime java programs. In JTRES 06: Proceeings of the 4th international workshop on Java technologies for real-time an embee systems, pages 6 69, New York, NY, USA, 006. ACM. ISBN -59593-544-4. [] T. Kalibera, J. Hagelberg, F. Pizlo, A. Plsek, B. Titzer, an J. Vitek. CDx: a family of real-time java benchmarks. In Proceeings of the 7th International Workshop on Java Technologies for Real-Time an Embee Systems, JTRES 009, Mari, Spain, September 3-5, 009, pages 4 50. ACM, 009. [3] G. T. Leavens, E. Poll, C. Clifton, Y. Cheon, C. Ruby, D. Cok, P. Müller, J. Kiniry, an P. Chalin. JML Reference Manual. Draft Revision.00, Feb. 007. [4] P. Lokuciejewski, D. Cores, H. Falk, an P. Marweel. A fast an precise static loop analysis base on abstract interpretation, program slicing an polytope moels. In CGO 09: Proceeings of the 7th annual IEEE/ACM International Symposium on Coe Generation an Optimization, pages 36 46, Washington, DC, USA, 009. IEEE Computer Society. ISBN 978-0-7695-3576-0. [5] E. Poll, P. Chalin, D. Cok, J. Kiniry, an G. T. Leavens. Beyon assertions: Avance specification an verification with JML an ESC/Java. In In Formal Methos for Components an Objects (FMCO) 005, Revise Lectures, volume 4 of LNCS, pages 34 363. Springer, 006. [6] T. Schoofs, E. Jenn, S. Leriche, K. Nilsen, L. Gauthier, an M. Richar-Foy. Use of PERC Pico in the AIDA avionics platform. In Proceeings of the 7th International Workshop on Java Technologies for Real-Time an Embee Systems, pages 69 78. ACM, 009. [7] O. Shkaravska, M. van Eekelen, an R. van Kesteren. Polynomial size analysis of first-orer shapely functions. Logic in Computer Science, :0(5), 009. [8] R. van Kesteren, O. Shkaravska, an M. van Eekelen. Inferring static non-monotonically size types through testing. In 6th International Workshop on Functional an (Constraint) Logic Programming (WFLP 07), Paris, France, volume 6C of Electronic Notes in Theoretical Computer Science, pages 45 63, 008.