The state of the art in termination analysis includes advanced techniques developed for logic and functional programming [12, 4, 9, 11, 10] and imperative languages [2, 5, 8, 6, 10], as well as for term rewriting systems [10]. In [6, 5] tools for proving termination of large industrial code are presented. However, termination of low-level languages, such as Java bytecode, has received little

This paper compares two different styles of reasoning with inductively defined predicates, each style being encapsulated by a corresponding sequent calculus proof system. The first system supports traditional proof by induction, with induction rules formulated as sequent rules for introducing inductively defined predicates on the left of sequents. We show this system to be cut-free complete with respect to a natural class of Henkin models; the eliminability of cut follows as a corollary. The second system uses infinite (non-well-founded) proofs to represent arguments by infinite descent. In this system, the left rules for inductively defined predicates are simple case-split rules, and an infinitary, global condition on proof trees is required to ensure soundness. We show this system to be cut-free complete with respect to standard models, and again infer the eliminability of cut. The second infinitary system is unsuitable for formal reasoning. However, it has a natural restriction to proofs given by regular trees, i.e. to those proofs representable by finite graphs. This restricted “cyclic ” system subsumes the first system for proof by induction. We conjecture that the two systems are in fact equivalent, i.e., that proof by induction is equivalent to regular proof by infinite descent.

It is important to prove that supposedly terminating programs actually terminate, particularly if those programs must be run on critical systems or downloaded into a client such as a mobile phone. Although termination of computer programs is generally undecidable, it is possible and useful to prove termination of a large, nontrivial subset of the terminating programs. In this paper we present our termination analyser for sequential Java bytecode, based on a program property called path-length. We describe the analyses which are needed before the path-length can be computed, such as sharing, cyclicity and aliasing. Then we formally define the path-length analysis and prove it correct w.r.t. a reference denotational semantics of the bytecode. We show that a constraint logic program PCLP can be built from the result of the path-length analysis of a Java bytecode program P and formally prove that if PCLP terminates then also P terminates. Hence a termination prover for constraint logic programs can be applied to prove the termination of P. We conclude with some discussion of the possibilities and limitations of our approach. Ours is the first existing termination analyser for Java bytecode dealing with generic data structures dynamically allocated on the heap and which does not require any help or annotation on the part of the user.

We present a logic for relating heap-manipulating programs to numeric abstractions. These numeric abstractions are expressed as simple imperative programs over integer variables and have the property that termination and safety of the numeric program ensures termination and safety of the original, heap-manipulating program. We have implemented an automated version of this abstraction process and present experimental results for programs involving a variety of data structures.

Abstract. Specifications of Object-Oriented programs conventionally employ Boolean expressions of the programming language for assertions. Programming errors can be discovered by checking at runtime whether an assertion, such as a precondition or class invariant, holds. In this work, we show how separation logic can be used to verify that these executable specifications will always hold at runtime. Both the program and its executable assertions are verified with respect to separation logic specifications. A novel notion called relative purity embraces historically problematic side-effects in executable specifications, and verification boils down to proving connecting implications. Even model-based specifications can be verified. The framework is also well-suited to separation logic proof tools and now implemented in jStar. Numerous automatically verified examples illustrate the framework’s use and utility.

Abstract. In earlier work, we developed a technique to prove termination of Java programs automatically: first, Java programs are automatically transformed to term rewrite systems (TRSs) and then, existing methods and tools are used to prove termination of the resulting TRSs. In this paper, we extend our technique in order to prove termination of algorithms on cyclic data such as cyclic lists or graphs automatically. We implemented our technique in the tool AProVE and performed extensive experiments to evaluate its practical applicability. 1

Abstract. These are the notes to accompany a course at the Marktoberdorf PhD summer school in 2011. The course consists of an introduction to separation logic, with a slant towards its use in automatic program verification and analysis.

Abstract. We propose a logical framework for specifying and proving assertions about program termination and non-termination. Although program termination has been well studied, it is usually added as an external component to a specification logic. Here we propose to integrate termination requirements directly into our specification logic, as temporal constraints for each execution phase of every method. Our temporal constraints can specify a strict decrease in some bounded measure for termination proofs or the unreachability of method exit for nontermination proofs. The reasoning on these temporal constraints is supported by a novel temporal entailment procedure. Furthermore, our termination-enhanced logic can leverage on richer specification logics to help conduct more intricate termination reasoning for programs with heap manipulation or multiple terminating phases. Through a seamless integration into the specification logics, we expect our termination reasoning to benefit from any future improvements to our logics, and vice-versa. With an experimental evaluation, we report on the usability and practicality of our approach for capturing both termination and non-termination reasoning for an existing verification system. 1