Available via license: CC BY 4.0
Content may be subject to copyright.
Commutativity for Concurrent Program
Termination Proofs
Danya Lette(B
)and Azadeh Farzan
University of Toronto, Toronto, Canada
danya@cs.toronto.edu,azadeh@cs.toronto.edu
Abstract. This paper explores how using commutativity can improve
the efficiency and efficacy of algorithmic termination checking for concur-
rent programs. If a program run is terminating, one can conclude that
all other runs equivalent to it up-to-commutativity are also terminat-
ing. Since reasoning about termination involves reasoning about infinite
behaviours of the program, the equivalence class for a program run may
include infinite words with lengths strictly larger than ωthat capture
the intuitive notion that some actions may soundly be postponed indefi-
nitely. We propose a sound proof rule which exploits these as well as clas-
sic bounded commutativity in reasoning about termination, and devise
a way of algorithmically implementing this sound proof rule. We present
experimental results that demonstrate the effectiveness of this method
in improving automated termination checking for concurrent programs.
1 Introduction
Checking termination of concurrent programs is an important practical problem
and has received a lot of attention [3,29,35,37]. A variety of interesting tech-
niques, including thread-modular reasoning [10,34,35,37], causality-based rea-
soning [29], and well-founded proof spaces [15], among others, have been used
to advance the state of the art in reasoning about concurrent program termi-
nation. Independently, it has been established that leveraging commutativity in
proving safety properties can be a powerful tool in improving automated check-
ers [16–19]. There are many instances of applications of Lipton’s reductions [32]
in program reasoning [14,28]. Commutativity has been used to simultaneously
search for a program with a simple proof and its safety proof [18,19]andto
improve the efficiency and efficacy of assertion checking for concurrent programs
[16]. Recently [17], abstract commutativity relations are formalized and combined
to increase the power of commutativity in algorithmic verification.
This paper investigates how using commutativity can improve the efficiency
and efficacy of proving the termination of concurrent programs as an enhance-
ment to existing techniques. The core idea is simple: if we know that a program
run ρabρis terminating, and we know that aand bcommute, then we can con-
clude that ρbaρis also terminating. Let us use an example to make this idea
concrete for termination proofs of concurrent programs. Consider the two thread
c
The Author(s) 2023
C. Enea and A. Lal (Eds.): CAV 2023, LNCS 13964, pp. 109–131, 2023.
https://doi.org/10.1007/978-3-031-37706-8_6
110 D. Lette and A. Farzan
assume(barrier >= producer_num);
while (j < consumer_limit){
j--;
C--; // consume content
}
while (i < producer_limit){
C++; // produce content
i++
}
barrier++;
Producer Thread: Consumer Thread:
Fig. 1. Producer/Consumer Template
templates in Fig. 1: one for a producer thread and one for a consumer thread,
where iand jare local variables. The assumption is that barrier and the local
counters iand jare initialized to 0. The producer generates content (modelled
by incrementing of a global counter C++) up to a limit and then, using barrier,
signals the consumer to start consuming. Independent of the number of produc-
ers and consumers, this synchronization mechanism ensures that the consumers
wait for all producers to finish before they start consuming. Note that the pro-
ducer threads fully commute—each statement in a producer commutes with each
statement in another. A producer and consumer only partially commute.
In a program with only two producers, a human would argue at the high level
that the independence of producer loops implies that their parallel composition
is equivalent, up to commutativity, to their sequential composition. Therefore, it
suffices to prove that the sequential program terminates. In other words, it should
suffice to prove that each producer terminates. Let us see how this high level
argument can be formalized using commutativity reasoning. Let λ1and λ2stand
for the loop bodies of the two producers. Among others, consider the (syntactic)
concurrent program run (λ1λ2)ω; this run may or may not be feasible. Since λ1
and λ2commute, we can transform this run, by making infinitely many swaps,
to the run λω
1λω
2. The model checking expert would consider this transformation
rather misguided: it appears that we are indefinitely postponing λ2in favour of
λ1. Moreover, a word with a length strictly larger than ω, called a transfinite
word, does not have an appropriate representation in language theory because
it does not belong to Σω. Yet, the observation that (λ1λ2)ω≡λω
1λω
2is the
key to a powerful proof rule for termination of concurrent programs: If λω
1is
terminating and λ1commutes against λ2, then we can conclude that (λ1λ2)ωis
terminating. In other words, the termination proof for the first producer loop
implies that all interleaved executions of two producers terminate, without the
need for a new proof. Note that the converse is not true; termination of λω
1λω
2
does not necessarily imply the termination of λω
2. So, even if we were to replace
the second producer with a forever loop, our observation would stand as is.
Hence, for the termination of the entire program (and not just the run (λ1λ2)ω),
one needs to argue about the termination of both λω
1and λω
2, matching the
high level argument. In Sect. 3, we formally state and prove this proof rule,
called the omega-prefix proof rule, and show how it can be incorporated into an
algorithmic verification framework. Using this proof rule, the program consisting
of Nproducers can be proved terminating by proving precisely Nsingle-thread
loops terminating.
Now, consider adding a consumer thread to our two producer threads. The
consumer loop is independent of the producer threads but the consumer thread,
Commutativity for Concurrent Program Termination Proofs 111
as a whole, is not. In fact, part of the work of a termination prover is to prove that
any interleaved execution of a consumer loop with either producer is infeasible
due to the barrier synchronization and therefore terminating. Again, a human
would argue that two such cases need to be considered: the consumer crosses
the barrier with 0 or 1 producers having terminated. Each case involves several
interleavings, but one should not have to prove them correct individually. Ideally,
we want a mechanism that can take advantage of commutativity for both cases.
Before we explore this further, let us recall an algorithmic verification tem-
plate which has proven useful in incorporating commutativity into safety rea-
soning [16–19] and in proving termination of sequential [25] and parameterized
concurrent programs [15]. The work flow is illustrated in Fig. 2. The program and
the proof are represented using (B¨uchi) automata, and module (d) (and conse-
quently module (a)) are implemented as inclusion checks between the languages
of these automata. The iteratively refined proof—a language of infeasible syn-
tactic program runs—can be annotated Floyd-Hoare style and generalized using
interpolation as in [25]. For module (b), any known technique for reasoning about
the termination of simple sequential programs can be used on lassos.
The straightforward way to account for commutativity in this refinement
loop would involve module (c): add to Πall program runs equivalent to the
existing ones up to commutativity without having a proof for them. In the safety
context, it is well-known that checking whether a program is subsumed by the
commutativity closure of a proof is undecidable. We show (in Sect. 3)thatthe
same hurdle exists when doing inclusion checks for program termination.
In the context of safety [16–19], program reductions were proposed as an
antidote to this undecidability problem: rather than enlarging the proof, one
reduces the program and verifies a new program with a subset of the original
program runs while maintaining (at least) one representative for each commu-
tativity equivalence class. These representatives are the lexicographically least
members of their equivalence classes, and are algorithmically computed based
on the idea of the sleep set algorithm [22] to construct the automaton for the
reduced program. However, using this technique is not possible in termination
reasoning where lassos, and not finite program runs, are the basic objects.
To overcome this problem, we propose a different class of reductions, called
finite-word reduction. Inspired by the classical result that an ω-regular language
can be faithfully captured as a finite-word language for the purposes of certain
Add lto proof Π
Generalize Π
Is lterminating?
Pick a program lasso l
Does Π subsume
all program lassos?
yes
no
no
yes
Program is terminating. Program may
not terminate.
(a) (b)
(c)
(d)
Fig. 2. Refinement Loop For Proving Termination.
112 D. Lette and A. Farzan
checks such as inclusion checks [4], we propose a novel way of translating both the
program and the proof into finite-word languages. The classical result is based on
an exponentially sized construction and does not scale. We propose a polynomial
construction that has the same properties for the purpose of our refinement loop.
This contribution can be viewed as an efficient translation of termination analysis
to safety analysis and is useful independent of the commutativity context. For the
resulting finite-word languages, we propose a novel variation of the persistent set
algorithm to reduce the finite-word program language. This reduction technique
is aware of the lasso structure in finite words.
Used together, finite-word reductions and omega-prefix generalization pro-
vide an approximation of the undecidable commutativity-closure idea discussed
above. They combine the idea of closures, from proof generalization schemes
like [15] and reductions from safety [16], into one uniform proof rule that both
reduces the program and generalizes the proof up to commutativity to take as
much advantage as possible. Neither the reductions nor the generalizations are
ideal, which is a necessity to maintain algorithmic computability. Yet, together,
they can perform in a near optimal way in practice: for example, with 2 produc-
ers and one consumer, the program is proved terminating by sampling precisely
3 terminating lassos (1 for each thread) and 2 infeasible lassos (one for each
barrier failure scenario).
Finally, mostly out of theoretical interest, we explore a class of infinite word
reductions that have the same theoretical properties as safety reductions, that is,
they are optimal and their regularity (in this case, ω-regularity) is guaranteed.
We demonstrate that if one opts for the Foata Normal Form (FNF) instead
of lexicographical normal form, one can construct optimal program reductions
in the style of [16,18,19] for termination checking. To achieve this, we use the
notion of the FNF of infinite words from (infinite) trace theory [13], and prove
the ω-regular analogue of the classical result for regular languages: a reduction
consisting of only program runs in FNF is ω-regular, optimal, and can be soundly
proved terminating in place of the original program (Sect.3).
To summarize, this paper proposes a way of improving termination checking
for concurrent programs by exploiting commutativity to boost existing algorith-
mic verification techniques. We have implemented our proposed solution in a
prototype termination checker for concurrent programs called TerMute,and
present experimental results supporting the efficacy of the method in Sect. 6
2 Preliminaries
2.1 Concurrent Programs
In this paper, programs are languages over an alphabet of program statements
Σ. The control flow graph for a sequential program with a set of locations
Loc, and distinct entry and exit locations, naturally defines a finite automaton
(Loc,Σ,δ,entry,{exit}). Without loss of generality, we assume that this automa-
ton is deterministic and has a single exit location. This automaton recognizes
a language of finite-length words. This is the set of all syntactic program runs
that may or may not correspond to an actual program execution.
Commutativity for Concurrent Program Termination Proofs 113
For the purpose of termination analysis, we are also interested in
infinite-length program runs. Given a deterministic finite automaton AL=
(Q, Σ, δ, q0,F) with no dead states, where L(AL)=L⊆Σ∗is a regular language
of finite-length syntactic program runs, we define B¨uchi(AL)=(Q, Σ , δ, q0,Q),
aB¨uchi automaton recognizing the language Lω={u∈Σω:∀v∈pref (u).v ∈
pref (L)}, where pref(u) denotes {w∈Σ∗:∃w∈Σ∗∪Σω.w ·w=u}and
pref (L)=v∈Lpref (v). These are all syntactic infinite program runs that may
or may not correspond to an actual program execution.
We represent concurrency via interleaving semantics. A concurrent program
is a parallel composition of a fixed number of threads, where each thread is
a sequential program. Each thread Piis recognized by an automaton Ai
P=
(Loci,Σ
i,δ
i,entryi,{exiti}). We assume the Σi’s are disjoint. The DFA recogniz-
ing P=P1|| ...||Pnis constructed using the standard product construction for a
DFA APrecognizing the shuffle of the languages of the individual thread DFA’s.
The language of infinite runs of this concurrent program, denoted Pω,isthe
language recognized by B¨uchi(AP). Note that a word in the language Pωmay
not necessarily be the shuffle of infinite runs of its individual threads.
Pω={u∈Σω|∃i:u|Σi∈Pω
i∧∀j:u|Σj∈pref(Pj)∪Pω
j}
In the rest of the paper, we will simply write Pwhen we mean Pωfor brevity.
Note that Pωincludes unfair program runs, for example those in which individual
threads can be indefinitely starved. As argued in [15], this can be easily fixed by
intersecting Pωwith the set of all fair runs.
2.2 Termination
Let Xthe domain of the program state, Σa set of statements, and denote
.:Σ∗→P(X×X) a function which maps a sequence of statements to a
relation over the program state, satisfying s1s2=s1·s2for all s1,s
2∈Σ∗.
Define sequential composition of relations in the usual fashion: r1r2={(x, y):
∃z.(x, z)∈r1∧(z, y)∈r2}. We write s(x) to denote {y:(x, y )∈s}⊆X.
We say that an infinite sequence of statements τ∈Σωis infeasible if and
only if ∀x∈X∃k∈Ns1...s
k(x)=∅, where siis the ith statement in the
run τ. A program—an ω-regular language P⊆Σω—is terminating if all of its
infinite runs are infeasible.
∀τ∈P, τ is infeasible
Pis terminating (Term)
Lassos. It is not possible to effectively represent all infinite program runs, but
we can opt for a slightly more strict rule by restricting our attention to ultimately
periodic runs UP ⊆Σω. That is, runs that are of the form uvωfor some finite
words u, v ∈Σ∗. These are also typically called lassos.
It is unsound to replace all runs with all ultimately periodic runs in rule
Term.Pmay be non-terminating while all its ultimately periodic runs are
114 D. Lette and A. Farzan
terminating. Assume that our program Pis an ω-regular language and there is a
universe Tof known terminating programs that are all omega-regular languages.
Then, we get the following sound rule instead:
∃Π∈T.P ⊆Π
Pis terminating (TermUP)
If the inclusion P⊆Πdoes not hold, then it is witnessed by an ultimately
periodic run [4]. In a refinement loop in the style of Fig. 2, one can iteratively
expand Πbased on this ultimately periodic witness (a.k.a. a lasso), and hence
have a termination proof construction scheme in which ultimately periodic runs
(lassos) are the only objects of interest. Note that if Pincludes unfair runs of a
concurrent program, rather than fixing it, one can instead initialize Πwith all
the unfair runs of the concurrent program, which is an ω-regular language. This
way, the rule becomes a fair termination rule.
2.3 Commutativity and Traces
An independence (or commutativity) relation I⊆Σ×Σis a symmetric, anti-
reflexive relation that captures the commutativity of a program’s statements:
(s1,s
2)∈I=⇒s1s2=s2s1. In what follows, assume such an Iis fixed.
Finite Traces. Two finite words w1and w2are equivalent whenever we can
apply a finite sequences of swaps of adjacent independent program statements to
transform w1into w2. Formally, an independence relation Ion statements gives
rise to an equivalence relation ≡Ion words by defining ≡Ito be the reflexive
and transitive closure of the the relation ∼I, defined as us1s2v∼Ius2s1v⇐⇒
(s1,s
2)∈I. A Mazurkiewicz trace [u]I={v∈Σ∗:v≡Iu}is the corresponding
equivalence class; we use “trace” exclusively to denote Mazurkiewicz traces.
Infinite Traces. Traces may also be defined in terms of dependence graphs (or
partial orders). Given a word τ=s1s2..., the dependence graph corresponding
to τis a labelled, directed, acyclic graph G=(V,E) with labelling function
a
b
c
a
b
(i)
a
b
c
a
b
a
b
a
b
(ii)
Fig. 3. Hasse diagrams.
L:V→Σand vertices V={1,2,...},
where L(i)=si, and (i, i)∈Ewhenever
i<i
and (L(i),L(i)) ∈ I. Then, [τ]∞
I,the
equivalence class of the infinite word τ,ispre-
cisely the set of linear extensions of G. There-
fore, τ≡Iτiff τis a linear extension of G.
For example, Fig. 3(i) illustrates the Hasse
diagram of the finite trace [abcba]I,and
Fig. 3(ii), the Hasse diagram of the infinite
trace [abc(ab)ω]∞
I, where I={(a, b),(b, a)}.
For an infinite word τ,theinfinite trace
[τ]∞
Imay contain linear extensions that do not
Commutativity for Concurrent Program Termination Proofs 115
correspond to any word in Σω. For example, if I={(a, b),(b, a)}, then the trace
[(ab)ω]∞
Iincludes a member (infinite word) in which all as appear before all bs.
We use aωbωto denote this word and call such words transfinite. This means
that [τ]∞
I⊆ Σω, even for an ultimately periodic τ.
Normal Forms. A trace, as an equivalence class, may be represented unam-
biguously by one of its member words. Lexicographical normal forms [13]arethe
most commonly used normal forms, and the basis for the commonly known sleep
set algorithm in partial order reduction [22]. Foata Normal Forms (FNF) are
less well-known and are used in the technical development of this paper:
Definition 1 (Foata Normal Form of a finite trace [13]). For a finite trace
t, define FNF(t)as a sequence of sets S1S2...Sk(for some k∈N)wheret=Πk
iSi
and for all i:
∀a, b ∈Sia=b=⇒(a, b)∈I(no dependencies in Si)
∀b∈Si+1 ∃a∈Si(a, b)∈ I(Sidependent on Si+1 )
Given a trace’s dependence graphs, the FNF can be constructed by repeat-
edly removing sets of minimal elements, that is, sets with no incoming edges.
Although we have defined a trace’s FNF as a sequence of sets, we will generally
refer to a trace’s FNF as a word in which the elements in each set are assumed
to be ordered lexicographically. For example, FNF([abcba]I)=ab ·c·ab, where
I={(a, b),(b, a)}. We overload this notation by writing FNF([u]I)asFNF(u),
and, for a language L,FNF(L)={FNF(u):u∈L}.
Theorem 1 ([13]). Lis a regular language iff the set of its Foata (respectively
Lexicographical) normal forms is a regular language.
3 Closures and Reductions
Commutativity defines an equivalence relation ≡Iwhich preserves the termina-
tion of a program run.
Proposition 1. Fo r τ, τ∈Σωand τ≡Iτ,τis terminating iff τis terminat-
ing.
In the context of a refinement loop in the style of Fig.2, Proposition 1suggests
one can take advantage of commutativity by including all runs that are equivalent
to the ones in Π(which are already proved terminating) in module (c). We
formally discuss this strategy next.
Given a language Land an independence relation I, define [L]∞
I=∪τ∈L[τ]∞
I.
Recall from Sect. 2that, in general, [τ]∞
I⊆ Σω. Since programs are represented
116 D. Lette and A. Farzan
by ω-regular languages in our formalism, it is safe for us to exclude transfinite
words from [τ]∞
Ifrom commutativity closures computation. Define:
[L]ω
I=∪τ∈L[τ]∞
I∩Σω(ω-closure)
The following sound proof rule is a straightforward adaptation of Rule
TermUP that takes advantage of commutativity-based proof generalization:
∃Π⊆T.P ⊆[Π]ω
I
Pis terminating (TermClosure)
Recall the example from Sect. 1with two producers. The transfinite program
run λω
1λω
2that is the sequential compositions of the two producers looping forever
back to back does not belong to the ω-closure of any ω-regular language. We
generalize the notion of ω-closure to incorporate the idea of such runs in a new
proof rule.
Let τa transfinite word (like aωbω). Let τa prefix of τ.If|τ|=ω,we
say that τis an ω-prefix of τ,orτ∈pref ω(τ). A direct definition for when a
transfinite word τis terminating would be rather contrived, since a word such as
aωbωdoes not correspond to a program execution in the usual sense. However,
a very useful property arises when considering the ω-words of pref ω(τ): If an
ω-prefix τof a transfinite word τis terminating, then all words in [τ]ω
Iare
terminating.
Theorem 2 (Omega Prefix Proof Rule). Let τ ,τ∈Σω,τ a transfinite
word, if τ≡Iτ and τ∈pref ω(τ),τterminates ⇒τ terminates.
Remark that [τ]ω
I⊆Σω, so the former theorem uses the usual definition of
termination, i.e. termination of ω-words; however; this theorem implicitly defines
a notion of termination for some transfinite words.
Define [τ]pω
I,theomega-prefix closure of τas
[τ]pω
I=[τ]ω
I∪
τ.τ ∈pref ω(τ)
[τ]ω
I.
Theorem 2guarantees that, if τterminates, then all of [τ]pω
Iterminates. The
converse, however, does not necessarily hold: [τ]pω
Iis not an equivalence class.
Example 1. Continuing the example in Fig. 1, recall that λ1and λ2are inde-
pendent. Let us assume we have a proof that λω
1is terminating. The class
[λω
1]ω
I={λω
1}does not include any other members and therefore we cannot con-
clude the termination status of any other program runs based on it. On the other
hand, since λω
1∈pref ω(λω
1λω
2)and[(λ1λ2)ω]ω
I=[λω
1λω
2]ω
I,(λ1λ2)ω∈[λω
1]pω
I.
Therefore, we can conclude that (λ1λ2)ωis also terminating. Note that λ2can
be non-terminating and the argument still stands.
One can replace the closure in Rule TermClosure with omega-prefix closure
and produce a new, more powerful, sound proof rule. There is, however, a major
obstacle in the way of an algorithmic implementation of Rule TermClosure
with either closure scheme: the inclusion check in the premise is not decidable.
Commutativity for Concurrent Program Termination Proofs 117
Proposition 2. [L]ω
Iand [L]pω
Ifor an ω-regular language Lmay not be ω-
regular. Moreover, it is undecidable to check the inclusions L1⊂[L2]ω
Iand
L1⊂[L2]pω
Ifor ω-regular languages L1and L2.
3.1 The Compromise: A New Proof Rule
In the context of safety verification, with an analogous problem, a dual approach
was proposed as a way forward [18] based on program reductions.
Definition 2 (ω-Reduction and ωp-Reduction). A language R⊆Pis an
ω-reduction (resp. ωp-reduction of P) of program Punder independence relation
Iiff for all τ∈Pthere is some τ∈Rsuch that τ∈[τ]ω
I(resp. τ∈[τ]pω
I).
The idea is that a program reduction can be soundly proven in place of the
original program but, with strictly fewer behaviours to prove correct, less work
has to be done by the prover.
Proposition 3. Let Pbe a concurrent program and Πbe ω-regular. We have:
–P⊆[Π]ω
Iiff there exists an ω-reduction Rof Punder Isuch that R⊆Π.
–P⊆[Π]pω
Iiff there exists an ωp-reduction Rof Punder Isuch that R⊆Π.
An ω/ωp-reduction Rmay not always be ω-regular. However, Proposition 3
puts forward a way for us to make a compromise to rule TermClosure for the
sake of algorithmic implementability. Consider a universe of program reductions
Red(P), which does not include all reductions. This gives us a new proof rule:
∃Π∈T.∃R∈Red(P).R ⊆Π
Pis terminating (TermReduc)
If Red(P) is the set of all ω-reductions (resp. ωp-reductions), then Rule
TermReduc becomes logically equivalent to Rule TermClosure (resp. with
[Π]pω
I). By choosing a strict subset of all reductions for Red(P), we trade the
undecidable premise check of the proof rule TermClosure with a new decidable
premise check for Rule TermReduc. The specific algorithmic problem that this
paper solves is then the following: What are good candidates for Red(P) such
that an effective and efficient algorithmic implementation of Rule TermReduc
exists? Moreover, we want this implementation to show significant advantages
over the existing algorithms that implement the Rule TermUP.
In Sect. 5,weproposeFoata Reduction as a theoretically clean option for
Red(P) in the universe of all ω-reductions. In particular, they have the algo-
rithmically essential property that the reductions do not include any transfinite
words. In the universe of ωp-reductions, which does account for transfinite words,
such a theoretically clean notion does not exist. This paper instead proposes the
idea of mixing both closures and reductions as a best algorithmic solution for the
undecidable Rule TermClosure in the form of the following new proof rule:
118 D. Lette and A. Farzan
∃Π⊆T.∃R∈Red(P).R ⊆[Π]opg
I
Pis terminating (TermOP)
In Sect. 3.2, we introduce [Π]opg
Ias an underapproximation of [Π]pω
Ithat is
guaranteed to be ω-regular and computable. Then, in Sect. 4, we discuss how,
through a representation shift from infinite words to finite words, an appropriate
class of reductions for Red(P) can be defined and computed.
3.2 Omega Prefix Generalization
We can implement the underapproximation of [Π]pω
Iby generalizing the proof
of termination of each individual lasso in the refinement loop of Fig. 2.Let
u1, ...um,v
1, ...vm∈Σand consider the lasso uvω, where u=u1...um,v=
v1...vm,andm>0. Let Auv ω=(Q, Σ, δ, q0,{qm})aB¨uchi automaton consist-
ing of a stem and a loop, with a single accepting state qmat the head of the
loop, recognizing the ultimately periodic word uvω—in [25], this automaton is
called a lasso module of uvω.LetΣIloop ⊆Σ={a:{v1, ..., vm}×{a}⊆I}
the statements that are independent with the statements v1,...,v
mof the loop,
and ΣIstem ⊆ΣIloop ={a:{u1,...,u
m,v
1,...,v
m}×{a}⊆I}the statements
that are independent of all statements appearing in uvω.
Define OPG(Aτ)=(Q∪{q},Σ,δ
OPG ,q
0,{qm}) for a lasso τ=uvωwhere
δOPG (q, a)=
⎧
⎪
⎪
⎪
⎪
⎪
⎪
⎨
⎪
⎪
⎪
⎪
⎪
⎪
⎩
qif q∈{q0, ..., qm−1}∧a∈ΣIstem
or if q∈{qm+1 , ..., qm+m}∪{q}∧a∈ΣIloop
qif q=qm∧a∈ΣIloop or m=1anda=v1
δ(qm,v
1)ifq=q∧a=v1
δ(q, a) o.w.
We refer to the language L(OPG(Aτ)) recognized by this automaton as [τ]opg
I
for short. Note that this construction is given for individual lassos; we may
generalize this to a (finite) set of lassos by simply taking their union. For a lasso
τ=uvω,OPG(Aτ) is a linearly-sized B¨uchi automaton whose language satisfies
the following:
Proposition 4. [τ]opg
I⊆[τ]pω
I.
Intuitively, this holds because this automaton simply allows us to inter-
sperse the statements of uvωwith independent statements; when considering the
Mazurkiewicz trace arising from a word interspersed as described, these added
independent statements may all be ordered after uvω, resulting in a transfinite
word with ω-prefix uvω.
Theorem 3. If τis terminating, then every run in [τ]opg
Iis terminating.
This follows directly from Theorem 2and Proposition4, and concludes the
soundness and algorithmic implementability of Rule TermOP if Red(P)={P}.
Commutativity for Concurrent Program Termination Proofs 119
4 Finite-Word Reductions
In this section, inspired by the program reductions used in safety verification, we
propose a way of using those families of reductions to implement Red(P) in Rule
TermReduc. This method can be viewed as a way of translating the liveness
problem into an equivalent safety problem.
In [4], a finite-word encoding of ω-regular languages was proposed that can
be soundly used for checking inclusion in the premise of rules such as Rule
TermReduc:
Definition 3 ($-language [4]). Let L∈Σω. Define the $-language of Las
$(L)={u$v|u, v ∈Σ∗∧uvω∈L}.
If Lis ω-regular, then $(L) is regular [4]. This is proved by construction, but
the one given in [4] is exponential. Since the B¨uchi automaton for a concurrent
program Pis already large, an exponential blowup to construct $(P) can hardly
be tolerated. We propose an alternative polynomial construction.
4.1 Efficient Reduction to Safety
Our polynomial construction, denoted by fast$, consists of linearly many copies
of the B¨uchi automaton recognizing the program language.
Definition 4 (fast$). Given a B¨uchi automaton A=(Q, Σ, δ, q0,F), define
fast$(A)=(Q$,Σ ∪{$},δ
$,q
0,F
$)with Q$=Q∪(Q×Q×{0,1}),F$=
{(q, q, 1) : q∈Q},andforq, r ∈Q,i∈{0,1}:
δ$(q, a)={(q, q, 0)}if a=$
δ(q, a)o.w.
δ$((q, r,i),a)={(q, r,1) : r∈δ(r, a)}if i=0 and r∈F
{(q, r,i):r∈δ(r, a)}o.w.
Let Lbe an ω-regular language and Abe a B¨uchi automaton recognizing L.
We overload the notation and use fast$(L) to denote the language recognized by
fast$(A). Note that fast$(L), unlike $(L), is a construction parametric on the
B¨uchi automaton recognizing the language, rather than the language itself. In
general, fast$(L) under-approximates $(L). But, under the assumption that all
alphabet symbols of Σlabel at most one transition in the B¨uchi automaton A
(recognizing L), then fast$(L)=$(L). This condition is satisfied for any B¨uchi
automaton that is constructed from the control flow graph of a (concurrent)
program since we may treat each statement appearing on the graph as unique,
and these graph edges correspond to the transitions of the automaton.
Theorem 4. For any ω-regular language L, we have fast$(L)⊆$(L).IfPis a
concurrent program then fast$(P)=$(P).
120 D. Lette and A. Farzan
First, let us observe that in Rule TermUP, we can replace Pwith fast$(P)
and Πwith fast$(Π) (and hence the universe Twith a correspondingly appro-
priate universe) and derive a new sound rule.
Theorem 5. The finite word version of Rule TermUP using fast$ is sound.
The proof of Theorem 5follows from Theorem 4.Usingfast$, the program is
precisely represented and the proof is under-approxiamted, therefore the inclu-
sion check implies the termination of the program.
4.2 Sound Finite Word Reductions
With a finite word version of the Rule TermUP, the natural question arises
if one can adopt the analogue of the sound proof rule used for safety [18]by
introducing an appropriate class of reductions for program termination in the
following proof rule:
∃Π∈T.∃R∈Red($(P)).R ⊆fast$(Π)
Pis terminating (FiniteTermReduc)
A language Ris a sound reduction of $(P) if the termination of all ultimately
periodic words uvω, where u$v∈R, implies the termination of all ultimately
periodic words of P. Since, in u$v,thewordurepresents the stem of a lasso and
the word vrepresents its loop, it is natural to define equivalence, considering
the two parts separately, that is: u$v≡Iu$viff u≡Iu∧v≡Iv. One can use
any technique for producing reductions for safety, for example sleep sets for lexi-
cographical reductions [18], in order to produce a sound reduction that includes
representatives from this equivalence relation. Assume that $ does not commute
with any other letter in an extension I$of Iover Σ∪{$}and observe that the
standard finite-length word Mazurkiewicz equivalence relation of u$v≡I$u$v
coincides with u$v≡Iu$vas defined above. Let FRed($(P)) be the set of all
such reductions. An algorithmic implementation of Rule FiniteTermReduc
with Red($(P)) = FRed ($(P)) may then be taken straightforwardly from the
safety literature.
Note, however, that reductions in FRed ($(P)) are more restrictive than their
infinite analogues; for example, uv$v∈ [u$v]I, whereas uvvω=uvωand there-
fore uvvω≡Iuvωfor any I. By treating $(P)’s $-word as a a finite word without
recognizing its underlying lasso structure, every word uvωin the program neces-
sarily engenders an infinite family of representatives in R—one for each $-word
{u$v, uv$v, u$vv,...}⊆$(P) corresponding to uvω∈P.
We define dollar closure as variant of classic closure that is sensitive to the
termination equivalence of the corresponding infinite words:
[u$v]$
I={x$y:uvω∈[xyω]pω
I}
The termination of uvωis implied by the termination of any xyωsuch that x$yis
amemberof[u$v]$
I(see Theorem 2). However, the converse does not necessarily
Commutativity for Concurrent Program Termination Proofs 121
hold. Therefore, like omega-prefix closure, [u$v]$
Iis not an equivalence class. It
suggests a more relaxed condition (than the one used for FRed ($(P))) for the
soundness of a reduction:
Definition 5 (Sound $-Program Reduction). A language R⊆Pis called
asound $-program reduction of $(P)under independence relation Iiff for all
uvω∈Pwe have [u$v]$
I∩R=∅.
A $-reduction Rsatisfying the above condition is obviously sound: It must
contain a $-representative x$y∈[u$v]$
Ifor each word uvωin the program. If R
is terminating, then xyωis terminating, and therefore so is uvω. Moreover, these
sound $-program reductions can be quite parsimonious, since one word can be
an omega-prefix corresponding to many classes of program behaviours.
Under this soundness condition, we may now include one representative of
[u$v]$
Ifor each uvω∈Pin a sound reduction of P. For example, R={$a, $b}
is a sound $-program reduction of P=aω||bωwhen (a, b)∈I. To illustrate,
note that the only traces of P are the three depicted as Hasse diagrams in Fig. 4;
the distinct program words (ab)ω,(aba)ω,(abaa)ω, ... all correspond to the same
infinite trace shown in Fig. 4(iii). A salient feature of Fig. 4(iii) is that aωand bω
correspond to disconnected components of this dependence graph. The omega-
prefix rule of Theorem 2can be interpreted in this graphical context as follows:
if any connected compo nent of the trace is terminating, then the entire class is
terminating.
a a a
(i)
b b b
(ii)
a a a
b b b
(iii)
Fig. 4. The only three traces in P=aω||bωwhen (a, b)∈I.
Recall that module (d) of the refinement loop of Fig. 2may naturally be
implemented as the inclusion check P⊆Π, or one of its variations that appear
in the proof rules proposed throughout this paper. In a typical inclusion check, a
product of the program and the complement of the proof automata are explored
for the reachability of an accept state. Therefore, classic reduction techniques
that operate on the program by pruning transitions/states during this explo-
ration are highly desirable in this context. We propose a repurposing of such
techniques that shares the simplicity and efficiency of constructing reductions
from FRed ($(P))) (in the style of safety) and yet takes advantage of the weaker
soundness condition in Definition 5and performs a more aggressive reduction.
In short, a reduced program may be produced by pruning transitions while per-
forming an on-the-fly exploration of the program automaton. In pruning, our
122 D. Lette and A. Farzan
goal is to discard transitions that would necessarily form words whose suffixes
lead us into the disconnected components of the program traces underlying the
program words that have been explored so far. This selective pruning technique
is provided by a straightforward adaptation of the well-known safety reduction
technique of persistent sets [22]. Consider the program illustrated in Fig. 5(a). In
the graph in Fig. 5(b), the green states are explored and the dashed transitions
are pruned. This amounts to proving two lassos terminating in the refinement
loop of Fig. 2, where each lasso corresponds to one connected component of a
program trace.
1while x < z:
2x++
3end
1while y < z:
2y++
3end
1,1
1,3 2,1 1,2 3,1
2,3 2,2 3,2
[y >= z] [x >= z]
[x <z] x++ [y <z]
[y <z] [y <z] y++
[y >= z]
(a)
(
b
)
Fig. 5. Example of persistent set selective search.
We compute persistent sets using a variation of Algorithm 1 in Chap. 4 of
[22]. In brief, a∈P ersistent≺(q)ifais the lexicographically least enabled
state at qaccording to thread order ≺,ifais an enabled statement from
Algorithm 1: PersistentSS
Input: fast$(AP)=(Q, Σ, δ, q0,F)
Output: x$y
1H←∅,S ←{(q0,“”)}
2while (q, w)=S.pop() do
3if q∈ Hthen
4if q∈Fthen
5return w
6for a∈Σ∩Persistent(q)do
7S.push(δ(q, a),w·a)
8H←H∪{q}
9return “EMPTY”
the same thread as another state-
ment a∈P ersistent≺(q), or if
ais dependent on some statement
a∈P ersistent≺(q)fromadif-
ferent thread than a. In addition,
$ is also persistent whenever it is
enabled. This set may be computed
via a fixed-point algorithm; when-
ever a statement that is not enabled
is added to P ersistent≺(q), then
P ersistent≺(q) is simply the set of
all enabled states. Intuitively, this
procedure works because transitions
are ignored only when they are nec-
essarily independent from all the statements that will be explored imminently;
these may soundly be ignored indefinitely or deferred. Transitions that are
Commutativity for Concurrent Program Termination Proofs 123
deferred indefinitely are precisely those that would lead into a disconnected
component of a program traces.
The reduced program that arises from the persistent set selective search
of fast$(AP) based on thread order ≺is denoted by PersistentSS≺($(P)).
Figure 5(b) illustrates a reduced program; note that $-transitions are omitted
for simplicity. The reduced program corresponds to the states shown in green.
The other program states are unreachable because the only persistent transitions
correspond to statements from the least enabled thread; the transitions shown
with dashed lines are not persistent.
Theorem 6 (soundness of finite word reductions). Rule
FiniteTermReduc is a sound proof rule when Red($(P)) = {∀ ≺:
PersistentSS≺($(P))}.
The theorem holds under the condition that the set Tfrom Rule
FiniteTermReduc is the set of all terminating ω-regular languages, and the
under the assumption that the program is fair (or, equivalently, that the proof
includes the unfair runs of P, as discussed in Sect. 2.2), where a fair run is one
where no enabled thread action is indefinitely deferred. The proof of soundness
appears in the extended version of this paper [31]. Intuitively, it relies on the
fact that PersistentSS≺($(P)) is a $-program reduction for all the fair runs in
P.
Example 2. Recall the producer-consumer in Fig. 1, and consider the program
with two producers P1and P2and one consumer C.Letλ1denote the loop body
of P1,andλ2that of P2. Concretely, λ1=[i < producer limit] ; C++ ; i++
where [...] is an assume statement, and similarly for λ2. In addition, each
loop has an exit statement, which we denote by ι1and ι2. For instance, ι1=
[i >= producer limit].Let≺such that P1≺P2≺C.
In A=PersistentSS≺($(P)), P1is the first thread and therefore persistent;
that is, the word $λ1—the $-word corresponding to λω
1– is in the reduction. Since
λ1is independent of all statements in P2and C, any run in which P1enters the
loop (and does not exit via ι1) will not be included in the reduction. In effect,
this means that λω
1is the only representative of [λω
1]pω
I=[λω
1]ω
I∪[λω
1·(P2+C)ω]ω
I
in the program reduction.
Even though P2seems identical to P1, the same is not true for P2because
it appears later in the thread order. In this case, [λ2]pω
Iis represented by the
family of words (λ1)∗ι1λω
2.
5 Omega Regular Reductions
In the classic implementation of Rule TermUP [25], ω-regular languages are
used to represent the program Pand the proof Π.Itisthereforenaturaltoask
if Red(P) in Rule TermReduc can be a family of ω-regular program reductions.
For finite program reductions [16–19], and also for classic POR, lexicographical
normal forms are almost always the choice. Infinite traces have lexicographic
124 D. Lette and A. Farzan
normal forms that are analogous to their finite counterparts [13]. However, these
normal forms are not suitable for defining Red(P). For example, if (a, b)∈I,
then the lexicographic normal form of the trace [(ab)ω]∞
Iis aωbωif a<bor
bωaωotherwise; both transfinite words. Fortunately, Foata normal forms do not
share the same problem.
Definition 6 (Foata Normal Form of an infinite trace[13]). Foata Normal
Form FNF(t)of an infinite trace tis a sequence of non-empty sets S1S2... such
that t=Πi≤ωSiand for all i:
∀a, b ∈Sia=b=⇒(a, b)∈I(no dependencies in Si)
∀b∈Si+1 ∃a∈Si(a, b)∈ I(Sidependent on Si+1 )
For example, FNF([(ab)ω]∞
I)=(ab)ωif (a, b)∈I. To define a reduction
based on FNF, we need a mild assumption about the program language.
Definition 7 (Closedness). A language L⊆Σ∞is closed under the indepen-
dence relation Iiff [L]∞
I⊆Land is ω-closed under Iiff [L]ω
I⊆L.
It is straightforward to see that any concurrent program P(as defined in
Sect. 2.1), and any valid dependence relation I, we have that Pis ω-closed.
This means that for any (infinite) program run τ, any other ω-word τthat is
equivalent to τis also in the language of the program.
The key result that makes Foata normal forms amenable to automation in
the automaton-theoretic framework is the following theorem.
Theorem 7. If L⊆Σωis ω-regular and closed, FNF(L)is ω-regular.
The proof of this theorem provides a construction for the B¨uchi automa-
ton that recognizes the language FNF(L); see [31] for more detail. However,
this construction is not efficient since, for a program P,ofsizeΘ(n), the B¨uchi
automaton recognizing FNF(P) can be as large as O(n2n). Finally, Foata reduc-
tions are minimal in the same exact sense that lexicographical reductions of
finite-word languages are minimal:
Theorem 8 [Theorem 11.2.15 [13]]. If L⊆Σωis ω-regular and closed, then
for all τ∈L,τ∈FNF(L)∩[τ]ω
I=⇒τ=τ.
Our experimental results in Sect. 6suggest that this complexity is a big bot-
tleneck in practical benchmarks. Therefore, despite the fact that Foata nor-
mal forms put forward an algorithmic solution for the implementation of Rule
TermReducTermReduc, the inefficiency of the solution makes it unsuitable
for practical termination checkers.
Commutativity for Concurrent Program Termination Proofs 125
6 Experimental Results
The techniques presented in this paper have been implemented in a prototype
tool called TerMute written in Python and C++. The inputs are concurrent
integer programs written in a C-like language. TerMute may output “Termi-
nating”, or “Unknown”, in the latter case also returning a lasso whose termina-
tion could not be proved. Ranking functions and invariants are produced using
the method described in [24], which is restricted to linear ranking functions of
linear lassos. Interpolants are generated using SMTInterpol [6] and MathSAT
[7]; the validity of Hoare triples are checked using CVC4 [2].
TerMute may be run in several different modes. FOATA is an imple-
mentation of the algorithm described in Sect. 5. The baseline is the core
counterexample-guided refinement algorithm of [25], which has been adapted
to the finite-word context in order to operate on the automata fast$(P)and
fast$(Π) of Sect. 4.1. All other modes are modifications of this baseline, main-
taining the same refinement scheme, so that we can isolate the impact of adding
commutativity reasoning. Hoare triple generalization (“HGen”) augments the
baseline by making solver calls after each refinement round in order to deter-
mine if edges may soundly be added to the proof for any valid Hoare triples
not produced as part of the original proof. “POR” implements the persistent set
technique of Sect. 4.2 and “OPG” is the finite-word analogue of the ω-prefix gen-
eralization in Sect. 3.2.TerMute can also be run on any combinations of these
techniques. In what follows, we use TerMute to refer to the portfolio winner
among all algorithms that employ commutativity reasoning, namely POR, OPG,
POR + HGen, POR + OPG, and POR + OPG + HGen.
See [31] for more detail regarding our experimental setup and results.
Benchmarks. Our benchmarks include 114 terminating concurrent linear inte-
ger programs that range from 2 to 12 threads and cover a variety of patterns
commonly used for synchronization, including the use of locks, barriers, and
monitors. Some are drawn from the literature on termination verification of
concurrent programs, specifically [29,34,37], and the rest were created by us,
some of which are based on sequential benchmarks from The Termination Prob-
lem Database [38], modified to be multi-threaded. We include programs whose
threads display a wide range of independence—from complete independence (e.g.
the pro ducer threads in Fig. 1), all the way to complete dependence—and demon-
strate a range of complexity with respect to control flow.
Results. Our experiments have a timeout of 300s and a memory cap of 32
GB, and were run on a 12th Gen Intel Core i7-12700K with 64 GB of RAM
running Ubuntu 22.04. We experimented with both interpolating solvers and
the reported times correspond to the winner of the two. The results are depicted
in Fig. 6(a) as a quantile plot that compares the algorithms. The total number
of benchmarks solved is noted on each curve. FOATA times out on all but the
simplest benchmarks, and therefore is omitted from the plot.
126 D. Lette and A. Farzan
The portfolio winner, TerMute, solves 101 benchmarks in total. It solves
any benchmark otherwise solved by algorithms without commutativity reasoning
(namely, the baseline or HGen). It is also faster on 95 out of 101 benchmarks
it solves. The figure below illustrates how often each of the portfolio algorithms
emerges as the fastest among these 95 benchmarks.
HGen aggressively generalizes the proof and consequently, it forces convergence
in many fewer refinement rounds. This, however, comes at the cost of a time
overhead per round. Therefore, HGen helps in solving more benchmarks, but
whenever a benchmarks is solvable without it, it is solved much faster. The
scatter plot in Fig. 6(b) illustrates this phenomenon when HGen is added to
POR+OPG. The plot compares the times of benchmarks solved by both algo-
rithms on a logarithmic scale, and the overhead caused by HGen is significant
in the majority of the cases.
Fig. 6. Experimental results for TerMute: (a) quantile plot for the throughput of
each algorithm, and (b) scatter plot for the impact of thread order on efficiency.
Recall, from Sect. 4, that the persistent set algorithm is parametrized on an
order over the participating threads. The choice of order centrally affects the
way the persistent set algorithm works, by influencing which transitions may
be explored and, by extension, which words appear in the reduced program.
Experimentally, we have observed that the chosen order plays a significant role
in how well the algorithms work, but to varying degrees. For instance, for POR,
the worst thread order times out on 16% of the benchmarks that the best order
solves. For POR+OPG+HGen, the difference is more modest at 7%. In practice,
it is sensible then to instantiate a few instances of the TerMute with a few
different random orders to increase the chances of getting better performance.
Commutativity for Concurrent Program Termination Proofs 127
7 Related Work
The contribution of this paper builds upon sequential program termination
provers to produce termination proofs for concurrent programs. As such, any
progress in the state of the art in sequential program termination can be used
to produce proofs for more lassos, and is, therefore, complementary to our app-
roach. So, we only position this paper in the context of algorithmic concurrent
program termination, and the use of commutativity for verification in general,
and skip the rich literature on sequential program termination [11,36] or model
checking liveness [8,9,26,33].
Co ncu rren t Prog ram Terminat ion . The thread-modular approach to prov-
ing termination of concurrent programs [10,34,35,37] aims to prove a thread’s
termination without reasoning directly about its interactions with other threads,
but rather by inferring facts about the thread’s environment. In [37], this app-
roach is combined with compositional reasoning about termination arguments.
Our technique can also be viewed as modular in the sense that lassos – which,
like isolated threads, are effectively sequential programs – are dealt with inde-
pendently of the broader program in which they appear; however, this is distinct
from thread-modularity insofar as we reason directly about behaviours arising
from the interaction of threads. Whenever a thread-modular termination proof
can be automatically generated for the program, that proof is the most efficient
in terms of scalability with the number of threads. However, for a thread-modular
proof to always exist, local thread states have to be exposed as auxiliary infor-
mation. The modularity in our technique does not rely on this information at
all. Commutativity can be viewed as a way of observing and taking advantage
of some degree of non-interference, different from that of thread modularity.
Causal dependence [29] presents an abstraction refinement scheme for prov-
ing concurrent programs terminating that takes advantage of the equivalence
between certain classes of program runs. These classes of runs are determined
by partial orders that capture the causal dependencies between transitions, in a
manner reminiscent of the commutativity-based partial orders of Mazurkiewicz
traces. The key to scalability of this method is that they forgo a containment
check in the style of module (d) of Fig. 2. Instead, they cover the space of program
behaviour by splitting it into cases. Therefore, for the producer-only instance of
the example in Sect. 1, this method can scale to many many thread easily, while
our commutativity-based technique cannot. Similar to thread-modular approach,
this technique cannot be beaten in scalability for the programs that can be split
into linearly many cases. However, there is no guarantee (none given in [29]), that
a bounded complete causal trace tableau for a terminating program must exist;
for example, when there is a dependency between loops in different threads that
would cause the program to produce unboundedly many (Mazurkiewicz) traces
that have to be analyzed for termination. The advantage of our method is that,
once consumers are added to the example in Sect. 1, we can still take advantage
of all the existing commutativity to gain more efficiency.
128 D. Lette and A. Farzan
Similar to safety verification, context bounding [3] has been used as a way of
under-approximating concurrent programs for termination analysis as well.
Commutativity in Verification. Program reductions have been used as a
means of simplifying proofs of concurrent and distributed programs before. Lip-
ton’s movers [32] have been used to simplify programs for verification. CIVL
[27,28] uses a combination of abstraction and reduction to produce layered
prog rams ; in an interactive setup, the programmer can prove that an imple-
mentation satisfies a specification by moving through these layered programs
to increasingly more abstract programs. In the context of message-passing dis-
tributed systems [12,21], commutativity is used to produce a synchronous (rather
than sequential) program with a simpler proof of correctness.
In [16–19] program reductions are used in a refinement loop in the same style
as this paper to prove safety properties of concurrent programs. In [18,19], an
unbounded class of lexicographical reductions are enumerated with the purpose
of finding a simple proof for at least one of the reductions; the thesis being that
there can be a significant variation in the simplicity of the proof for two different
reductions. In [19], the idea of contextual commutativity—i.e. considering two
statements commutative in some context yet not all contexts—is introduced and
algorithmically implemented. In [16,17], only one reduction at a time is explored,
in the same style as this paper. In [16], a persistent-set-based algorithm is used
to produce space-efficient reductions. In [17] the idea of abstract commutativity
is explored. It is shown that no best abstraction exists that provides a maximal
amount of commutativity and, therefore, the paper proposes a way to combine
the benefits of different commutativity relations in one verification algorithm.
The algorithm in this paper can theoretically take advantage of all of these
(orthogonal) findings to further increase the impact of commutativity in proving
termination.
Non-termination. The problem of detecting non-termination has also been
directly studied [1,5,20,23,30]. Presently, our technique does not accommodate
proving the non-termination of a program. However, it is relatively straightfor-
ward to adapt any such technique (or directly use one of these tools) to accommo-
date this; in particular, when we fail to find a termination proof for a particular
lasso, sequential methods for proving non-termination may be employed to deter-
mine if the lasso is truly a non-termination witness. However, it is important to
note that a program may be non-terminating while all its lassos are terminat-
ing, and the refinement loop in Fig. 2may just diverge without producing a
counterexample in this style; this is a fundamental weakness of using lassos as
modules to prove termination of programs.
8 Conclusion
In the literature on the usage of commutativity in safety verification, sound pro-
gram reductions are constructed by selecting lexicographical normal forms of
equivalence classes of concurrent program runs. These are not directly applica-
ble in the construction of sound program reductions for termination checking,
Commutativity for Concurrent Program Termination Proofs 129
since the lexicographical normal forms of infinite traces may not be ω-words.
In this paper, we take this apparent shortcoming and turn it into an effective
solution. First, these transfinite words are used in the design of the omega prefix
proof rule (Theorem 2). They also inform the design of the termination aware
persistent set algorithm described in Sect. 4.2. Overall, this paper contributes
mechanisms for using commutativity-based reasoning in termination checking,
and demonstrates that, using these mechanisms, one can efficiently check the
termination of concurrent programs.
References
1. Atig, M.F., Bouajjani, A., Emmi, M., Lal, A.: Detecting fair non-termination in
multithreaded programs. In: Madhusudan, P., Seshia, S.A. (eds.) CAV 2012. LNCS,
vol. 7358, pp. 210–226. Springer, Heidelberg (2012). https://doi.org/10.1007/978-
3-642-31424-7 19
2. Barrett, C., et al.: CVC4. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011.
LNCS, vol. 6806, pp. 171–177. Springer, Heidelberg (2011). https://doi.org/10.
1007/978-3-642-22110- 1 14
3. Baumann, P., Majumdar, R., Thinniyam, R.S., Zetzsche, G.: Context-bounded ver-
ification of liveness properties for multithreaded shared-memory programs. Proc.
ACM Program. Lang. 5(POPL), 1–31 (2021)
4. Calbrix, H., Nivat, M., Podelski, A.: Ultimately periodic words of rational ?-
languages. In: Brookes, S., Main, M., Melton, A., Mislove, M., Schmidt, D. (eds.)
MFPS 1993. LNCS, vol. 802, pp. 554–566. Springer, Heidelberg (1994). https://
doi.org/10.1007/3-540-58027-1 27
5. Chatterjee, K., Goharshady, E.K., Novotn`y, P., ˘
Zikeli´c, -
D.: Proving non-
termination by program reversal. In: Proceedings of the 42nd ACM SIGPLAN
International Conference on Programming Language Design and Implementation,
pp. 1033–1048 (2021)
6. Christ, J., Hoenicke, J., Nutz, A.: SMTInterpol: an interpolating SMT solver.
In: Donaldson, A., Parker, D. (eds.) SPIN 2012. LNCS, vol. 7385, pp. 248–254.
Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31759- 0 19
7. Cimatti, A., Griggio, A., Schaafsma, B.J., Sebastiani, R.: The MathSAT5 SMT
solver. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp.
93–107. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36742- 7 7
8. Cohen, A., Namjoshi, K.S.: Local proofs for linear-time properties of concurrent
programs. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 149–161.
Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70545- 1 15
9. Cook, B., Koskinen, E., Vardi, M.: Temporal property verification as a program
analysis task. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol.
6806, pp. 333–348. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-
642-22110-1 26
10. Cook, B., Podelski, A., Rybalchenko, A.: Proving thread termination. In: Proceed-
ings of the 28th ACM SIGPLAN Conference on Programming Language Design
and Implementation, pp. 320–330 (2007)
11. Cook, B., Podelski, A., Rybalchenko, A.: Proving program termination. Commun.
ACM 54(5), 88–98 (2011)
130 D. Lette and A. Farzan
12. Desai, A., Garg, P., Madhusudan, P.: Natural proofs for asynchronous programs
using almost-synchronous reductions. SIGPLAN Not. 49(10), 709–725 (2014).
https://doi.org/10.1145/2714064.2660211
13. Diekert, V., Rozenberg, G.: The Book of Traces. World scientific (1995)
14. Elmas, T., Qadeer, S., Tasiran, S.: A calculus of atomic actions. In: Shao, Z.,
Pierce, B.C. (eds.) Proceedings of the 36th ACM SIGPLAN-SIGACT Symposium
on Principles of Programming Languages, POPL 2009, Savannah, GA, USA, 21–23
January 2009, pp. 2–15. ACM (2009)
15. Farzan, A., Kincaid, Z., Podelski, A.: Proving liveness of parameterized programs.
In: Proceedings of the 31st Annual ACM/IEEE Symposium on Logic in Computer
Science, LICS 2016, pp. 185–196. Association for Computing Machinery, New York
(2016). https://doi.org/10.1145/2933575.2935310
16. Farzan, A., Klumpp, D., Podelski, A.: Sound sequentialization for concurrent pro-
gram verification. In: Proceedings of the 43rd ACM SIGPLAN International Con-
ference on Programming Language Design and Implementation, pp. 506–521 (2022)
17. Farzan, A., Klumpp, D., Podelski, A.: Stratified commutativity in verification algo-
rithms for concurrent programs. Proc. ACM Program. Lang. 7(POPL), 1426–1453
(2023)
18. Farzan, A., Vandikas, A.: Automated hypersafety verification. In: Dillig, I., Tasiran,
S. (eds.) CAV 2019. LNCS, vol. 11561, pp. 200–218. Springer, Cham (2019).
https://doi.org/10.1007/978-3-030- 25540-4 11
19. Farzan, A., Vandikas, A.: Reductions for safety proofs. Proc. ACM Program. Lang.
4(POPL), 1–28 (2019)
20. Frohn, F., Giesl, J.: Proving non-termination via loop acceleration. arXiv preprint
arXiv:1905.11187 (2019)
21. Gleissenthall, K.V., Kıcı, R.G., Bakst, A., Stefan, D., Jhala, R.: Pretend synchrony:
Synchronous verification of asynchronous distributed programs. Proc. ACM Pro-
gram. Lang. 3(POPL) (2019). https://doi.org/10.1145/3290372
22. Godefroid, P.: Partial-Order Methods for the Verification of Concurrent Sys-
tems: An Approach to the State-Explosion Problem. Springer, Heidelberg (1996).
https://doi.org/10.1007/3-540-60761- 7 31
23. Gupta, A., Henzinger, T.A., Majumdar, R., Rybalchenko, A., Xu, R.G.: Proving
non-termination. In: Proceedings of the 35th annual ACM SIGPLAN-SIGACT
Symposium on Principles of Programming Languages, pp. 147–158 (2008)
24. Heizmann, M., Hoenicke, J., Leike, J., Podelski, A.: Linear ranking for linear lasso
programs. In: Van Hung, D., Ogawa, M. (eds.) ATVA 2013. LNCS, vol. 8172, pp.
365–380. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-02444-8 26
25. Heizmann, M., Hoenicke, J., Podelski, A.: Termination analysis by learning termi-
nating programs. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp.
797–813. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-08867-9 53
26. Koskinen, E., Terauchi, T.: Local temporal reasoning. In: Henzinger, T.A., Miller,
D. (eds.) Joint Meeting of the Twenty-Third EACSL Annual Conference on Com-
puter Science Logic (CSL) and the Twenty-Ninth Annual ACM/IEEE Symposium
on Logic in Computer Science (LICS), CSL-LICS 2014, Vienna, Austria, 14–18
July 2014, pp. 59:1–59:10. ACM (2014)
27. Kragl, B., Enea, C., Henzinger, T.A., Mutluergil, S.O., Qadeer, S.: Inductive
sequentialization of asynchronous programs. In: Donaldson, A.F., Torlak, E. (eds.)
Proceedings of the 41st ACM SIGPLAN International Conference on Program-
ming Language Design and Implementation, PLDI 2020, London, UK, 15–20 June
2020, pp. 227–242. ACM (2020)
Commutativity for Concurrent Program Termination Proofs 131
28. Kragl, B., Qadeer, S.: Layered concurrent programs. In: Chockler, H., Weis-
senbacher, G. (eds.) CAV 2018. LNCS, vol. 10981, pp. 79–102. Springer, Cham
(2018). https://doi.org/10.1007/978-3-319- 96145-3 5
29. Kupriyanov, A., Finkbeiner, B.: Causal termination of multi-threaded programs.
In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 814–830. Springer,
Cham (2014). https://doi.org/10.1007/978-3-319- 08867-9 54
30. Le, T.C., Antonopoulos, T., Fathololumi, P., Koskinen, E., Nguyen, T.: Dynamite:
dynamic termination and non-termination proofs. Proc. ACM Program. Lang.
4(OOPSLA), 189:1–189:30 (2020)
31. Lette, D., Farzan, A.: Commutativity for concurrent program termina-
tion proofs (extended version). https://www.cs.toronto.edu/∼azadeh/resources/
papers/cav23-extended.pdf
32. Lipton, R.J.: Reduction: a method of proving properties of parallel programs. Com-
mun. ACM 18(12), 717–721 (1975)
33. Liu, Y.C., et al.: Proving LTL properties of bitvector programs and decompiled
binaries. In: Oh, H. (ed.) APLAS 2021. LNCS, vol. 13008, pp. 285–304. Springer,
Cham (2021). https://doi.org/10.1007/978-3-030- 89051-3 16
34. Malkis, A., Podelski, A., Rybalchenko, A.: Precise thread-modular verification. In:
Nielson, H.R., Fil´e, G. (eds.) SAS 2007. LNCS, vol. 4634, pp. 218–232. Springer,
Heidelberg (2007). https://doi.org/10.1007/978-3-540-74061- 2 14
35. Pani, T., Weissenbacher, G., Zuleger, F.: Rely-guarantee bound analysis of param-
eterized concurrent shared-memory programs: with an application to proving that
non-blocking algorithms are bounded lock-free. Formal Methods Syst. Des. 57(2),
270–302 (2021)
36. Podelski, A., Rybalchenko, A.: Transition invariants. In: 19th IEEE Symposium
on Logic in Computer Science (LICS 2004), Turku, Finland, 14–17 July 2004,
Proceedings, pp. 32–41. IEEE Computer Society (2004)
37. Popeea, C., Rybalchenko, A.: Compositional termination proofs for multi-threaded
programs. In: Flanagan, C., K¨onig, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp.
237–251. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28756-
517
38. The termination problem database (2023). https://github.com/TermCOMP/
TPDB
Open Access This chapter is licensed under the terms of the Creative Commons
Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/),
which permits use, sharing, adaptation, distribution and reproduction in any medium
or format, as long as you give appropriate credit to the original author(s) and the
source, provide a link to the Creative Commons license and indicate if changes were
made.
The images or other third party material in this chapter are included in the
chapter’s Creative Commons license, unless indicated otherwise in a credit line to the
material. If material is not included in the chapter’s Creative Commons license and
your intended use is not permitted by statutory regulation or exceeds the permitted
use, you will need to obtain permission directly from the copyright holder.
