Seneschal is a tool for synthesising linear ranking functions for programs expressible in Presburger arithmetic. The underlying method is an extension of Podelski's and Rybalchenko's approach for programs encoded as systems of linear rational inequalities. Seneschal can compute ranking functions for relations given in Presburger arithmetic, but also understands the most common integer operations from C or Java: addition, multiplication, division, modulo, left/right shifts, bitwise and/or/negation, each in 8-, 16-, 32- and 64-bit arithmetic.
Seneschal is built on top of Princess, which provides the necessary functions to process Presburger arithmetic and to encode language-specific integer operations in Presburger arithmetic. Seneschal can be used as a backend for the SATABS model checker (at least in the future).
Seneschal is described in a paper published at TACAS 2010. Some benchmarks are presented here.
Seneschal is free software and distributed under GPL v3.
Suppose we want to prove termination of the following program:
int i = 0;
int j = [...];
while (i < 100 && j > 0 && j < 1000) {
    i = i + j;
}
We will do this by generating a ranking function, which is a function of the program variables that is bounded from below, and that monotonically decreases in each loop iteration. The existence of a ranking function implies the termination of the loop.
\from { i; j; }
\to { i'; j'; }
\transition {
    in32(i) & in32(j) & // (1)
    i < 100 & j > 0 & j < 1000 & // (2)
    i' = add32(i, j) & j' = j // (3)
}
The first two lines declare the variables that the program operates on, which are i and j. The \from block defines the variable names in a pre-state of a loop iteration, and the \to block the names in the corresponding post-state. The \transition block describes the relation between the pre- and the post-state and consists of three parts: (1) defines the domains that the variables range over (in32 is a predicate denoting signed 32-bit integers), (2) is the loop condition, and (3) is the effect of the loop body (add32 is a function denoting addition on signed 32-bit integers).
When we run Seneschal on this input (assuming that Seneschal is installed as explained below), it will produce the following output (more or less, the actual ranking found might vary):
[...]
Loading file /tmp/test.trans
Parsing transition relation ... done
Expanding to Presburger formula ... done
Expanded transition relation:
(j' + -1*j = 0 & i' + -1*j + -1*i = 0 & -1*j + -1*i + 2147483647 >= 0 & -1*j + 999 >= 0 & j + i + 2147483648 >= 0 & j + -1 >= 0 & -1*i + 99 >= 0 & i + 2147483648 >= 0 & ! ALL (4294967296*_0 + -1*i' + j + i != 0))
Flattening ... 1 disjuncts
Generating constraints ... done
Solving ... found a solution
Minimising the solution ... done
Ranking function: -1*i
Lower bound (prestate): -99
Lower bound (poststate): -1098
The most interesting part is the last three lines, which give the computed ranking function. This function is simply -i, which decreases in each loop iteration because some positive value is added to i in the loop body. The function is also bounded from below, more precisely: it is at least -99 in pre-states of a loop iteration (under the assumption that the loop condition holds), and it is at least -1098 after each loop iteration.
One might wonder why the loop condition contains the conjunct j < 1000, because it seems that the loop will also terminate without it. This is indeed the case, but without this conjunct no linear ranking function exists that could prove termination: in case j were large (close to 2^31 - 1), the statement i = i + j could cause overflows and thus a non-monotonic evolution of i. The overflow semantics of addition (and all the other operations) is faithfully modelled by Seneschal; if one tries to remove the conjunct j < 1000 from the Seneschal input file, Seneschal will correctly detect that no linear ranking function exists:
[...]
Flattening ... 2 disjuncts
Generating constraints ... done
Solving ... no solution
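The effect of dropping j < 1000 can be reproduced outside Seneschal. The following C program is an added example, not part of Seneschal or of the original page; add32, rank, step_ok and violations are helper names chosen here, and it samples states rather than proving anything.

```c
#include <stdint.h>
#include <stdio.h>

/* Signed 32-bit addition with wrap-around: the overflow semantics the page
   attributes to add32 (this C helper is written for the example). */
static int32_t add32(int32_t a, int32_t b) {
    int64_t s = (int64_t)a + (int64_t)b;
    if (s > INT32_MAX) s -= 4294967296LL;
    if (s < INT32_MIN) s += 4294967296LL;
    return (int32_t)s;
}

/* Candidate ranking function r(i) = -i, evaluated without overflow. */
static int64_t rank(int32_t i) { return -(int64_t)i; }

/* 1 if one loop iteration from (i, j) respects both ranking conditions:
   r is bounded below by -99 in the pre-state and strictly decreases. */
static int step_ok(int32_t i, int32_t j) {
    if (!(i < 100 && j > 0)) return 1;           /* guard false: no step */
    int32_t i2 = add32(i, j);                    /* i' = add32(i, j), j' = j */
    return rank(i) >= -99 && rank(i2) <= rank(i) - 1;
}

/* Count sampled guard states with 0 < j <= j_max that break the conditions.
   j is enumerated exhaustively when j_max < 1000, otherwise strided. */
static long violations(int32_t j_max) {
    static const int32_t is[] = { INT32_MIN, INT32_MIN + 1, -1000, -1, 0, 98, 99 };
    int64_t stride = j_max / 1000 + 1;
    long bad = 0;
    for (size_t k = 0; k < sizeof is / sizeof is[0]; k++) {
        for (int64_t j = 1; j <= j_max; j += stride)
            bad += !step_ok(is[k], (int32_t)j);
        bad += !step_ok(is[k], j_max);           /* always include largest j */
    }
    return bad;
}

int main(void) {
    printf("with j < 1000:     %ld violations\n", violations(999));
    printf("without the bound: %ld violations\n", violations(INT32_MAX));
    printf("add32(99, INT32_MAX) = %d\n", (int)add32(99, INT32_MAX));
    return 0;
}
```

With the bound, every sampled step decreases -i; without it, a pre-state such as i = 99 with j = 2^31 - 1 wraps to a negative i, so -i jumps upward and the candidate stops being a ranking function.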
Apart from the connectives shown in the example and the operations given in the next section, Seneschal supports all connectives present in Princess, e.g.: and &, or |, negation !, implication ->, equivalence <->, quantifiers \exists int x; ..., \forall int x; ...
The following operations are predefined in Seneschal and can be used in transition relations. All of them are simply predicates or functions defined by axioms in Princess (in the file resources/prelude.pri), so that it is easy to add further operations if necessary.
Operation            Unbounded              1-bit (unsigned)  8-bit (signed)  8-bit (unsigned)  Other bit-widths
Domain predicate                            inU1              in8             inU8              in16, inU16, in32, inU32, in64, inU64
Addition             +                      addU1             add8            addU8             add16, addU16, ...
Subtraction          -                                        sub8            subU8             sub16, subU16, ...
Minus (sign-change)  -                                        minus8          minusU8           minus16, minusU16, ...
Multiplication       mul                                      mul8            mulU8             mul16, mulU16, ...
Division             div                                      div8            divU8             div16, divU16, ...
Modulo               mod                    mod               mod             mod               mod
Bitshift             shiftLeft, shiftRight                    shift8          shiftU8           shift16, shiftU16, ...
Bitwise and          and                    and               and             and               and
Bitwise or           or                     or                or              or                or
Bitwise negation     -x-1                   bitnegU1          bitneg8         bitnegU8          bitneg16, bitnegU16, ...
Casts                                                         cast8           castU8            cast16, castU16, ...
Some of the operations are non-linear, e.g., mul. Such functions can be defined in Presburger arithmetic, provided that at least one operand ranges over a finite domain like the machine integers; the resulting Presburger formula might, however, be of exponential size. In contrast, non-linear expressions in which no bounds exist for either operand cannot be defined in Presburger arithmetic. An expression mul(x, y) will in general cause Seneschal to run forever, but will work just fine if assumptions are given that restrict the value of y to some finite domain (the smaller the domain is, the more efficiently the expression will be handled).
Division and modulo are defined such that the following formulae hold (unless y = 0):
0 <= mod(x, y) < y
mul(div(x, y), y) + mod(x, y) = x
assert
for turning off assertions (which can make a huge performance difference):
Usage: seneschal
Just download one of the binaries from the list of snapshots below and unpack it in your favourite location on the hard disk. Seneschal is invoked by calling the script seneschal*/seneschal.
This is only tested under Linux, but should also work under Windows if [...] is used. Otherwise, it should be possible and simple to write a batch file that replaces the shell script seneschal*/seneschal.
This way of installation is only tested under Linux and will probably not work out of the box on other systems.
seneschal* directory
Makefile: the first two lines in the file specify the location of the Princess and Scala installations. You need to change these lines to the correct paths on your system.
make to compile Seneschal.
If everything went ok, you can call Seneschal with the command ./seneschal