Closed Forms for Numerical Loops∗

ZACHARY KINCAID, Princeton University, USA


JASON BRECK, University of Wisconsin, USA
JOHN CYPHERT, University of Wisconsin, USA
THOMAS REPS, University of Wisconsin, USA and GrammaTech, Inc., USA
This paper investigates the problem of reasoning about non-linear behavior of simple numerical loops. Our
approach builds on classical techniques for analyzing the behavior of linear dynamical systems. It is well-known
that a closed-form representation of the behavior of a linear dynamical system can always be expressed using
algebraic numbers, but this approach can create formulas that present an obstacle for automated-reasoning
tools. This paper characterizes when linear loops have closed forms in simpler theories that are more amenable
to automated reasoning. The algorithms for computing closed forms described in the paper avoid the use of
algebraic numbers, and produce closed forms expressed using polynomials and exponentials over rational
numbers. We show that the logic for expressing closed forms is decidable, yielding decision procedures for
verifying safety and termination of a class of numerical loops over rational numbers. We also show that the
procedure for computing closed forms for this class of numerical loops can be used to over-approximate the
behavior of arbitrary numerical programs (with unrestricted control flow, non-deterministic assignments, and
recursive procedures).
CCS Concepts: • Theory of computation → Program analysis; Logic and verification; • Computing
methodologies → Symbolic and algebraic algorithms;
Additional Key Words and Phrases: Invariant generation, loop summarization, decision procedures
ACM Reference Format:
Zachary Kincaid, Jason Breck, John Cyphert, and Thomas Reps. 2019. Closed Forms for Numerical Loops. Proc.
ACM Program. Lang. 3, POPL, Article 55 (January 2019), 29 pages. https://doi.org/10.1145/3290368

1 INTRODUCTION
Many programs exhibit non-linear behavior, whether explicitly (e.g., scientific or cyber-physical
applications) or implicitly (e.g., time or space usage of nested loops or recursive procedures). This
paper addresses a problem in the basic science of program analysis: how can we systematically
(i.e., rather than heuristically) reason about non-linear behavior? We consider a simplified model
of numerical loops with linear and polynomial assignments. We identify conditions under which
it is possible to exactly characterize the behavior of such a loop with a logical formula involving
exponentials and polynomials over the rationals, and show that this logical fragment is decidable.
As a consequence, we obtain decidability results for safety and termination problems for a simple
program model that can exhibit non-linear behavior.

∗ This work was supported in part by a gift from Rajiv and Ritu Batra; by AFRL under DARPA MUSE award FA8750-14-2-0270
and DARPA STAC award FA8750-15-C-0082; by ONR under grant N00014-17-1-2889; and by the UW-Madison Office of
the Vice Chancellor for Research and Graduate Education with funding from WARF. Opinions, findings, conclusions, or
recommendations expressed herein are those of the authors and do not necessarily reflect the views of the sponsoring
agencies.

Authors’ addresses: Zachary Kincaid, [email protected], Princeton University, Princeton, NJ, USA; Jason Breck,
[email protected], University of Wisconsin, Madison, WI, USA; John Cyphert, [email protected], University of Wisconsin,
Madison, WI, USA; Thomas Reps, [email protected], University of Wisconsin, Madison, WI, USA, GrammaTech, Inc. Ithaca,
NY, USA.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee
provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and
the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses,
contact the owner/author(s).
This work is licensed under a Creative Commons Attribution 4.0 International License.
© 2019 Copyright held by the owner/author(s).
2475-1421/2019/1-ART55
https://doi.org/10.1145/3290368

Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 55. Publication date: January 2019.

(a)
    while (∗) do
        int x_old = x;
        int y_old = y;
        x = 2x_old + y_old;
        y = x_old + 2y_old;

(a′) while (∗) do
\[
\begin{bmatrix} x \\ y \end{bmatrix} = \begin{bmatrix} 2 & 1 \\ 1 & 2 \end{bmatrix} \begin{bmatrix} x \\ y \end{bmatrix}
\]

(b)
    while (∗) do
        int x_old = x;
        x = y;
        y = −x_old;

(b′) while (∗) do
\[
\begin{bmatrix} x \\ y \end{bmatrix} = \begin{bmatrix} 0 & 1 \\ -1 & 0 \end{bmatrix} \begin{bmatrix} x \\ y \end{bmatrix}
\]

Fig. 1. Examples used to illustrate the challenges of finding summaries of linear loops.
Example 1.1. The loops shown in Fig. 1 (a) and (b) are linear loops: non-deterministic loops that
consist of a sequence of affine assignments (or, equivalently, loops that can be written in the form
while (∗) do { x = Ax }, as in Fig. 1 (a′) and (b′)), where (∗) denotes a non-deterministic exit condition.
In loop (a), the values of x and y produce the following sequence, as a function of their initial values
$x_0$ and $y_0$:
\[
\begin{pmatrix} x_0 \\ y_0 \end{pmatrix},
\begin{pmatrix} 2x_0 + y_0 \\ x_0 + 2y_0 \end{pmatrix},
\begin{pmatrix} 5x_0 + 4y_0 \\ 4x_0 + 5y_0 \end{pmatrix},
\begin{pmatrix} 14x_0 + 13y_0 \\ 13x_0 + 14y_0 \end{pmatrix},
\cdots
\]
The behavior of linear loops is well-studied in the field of dynamical systems (and in program
analysis; see, e.g., analysis of termination of linear loops in [Braverman 2006; Tiwari 2004] and
acceleration of linear loops in [Boigelot 2003; Jeannet et al. 2014]). The classical method for obtaining
a closed-form representation of the behavior of a linear loop of the form while (∗) do { x = Ax } is
by symbolically exponentiating the matrix A (see §3 for more information). Using symbolic matrix
exponentiation, we can characterize the values of x and y that arise at the head of the loop (and
thus also the values on exit from the loop) as a function of the number of iterations k via the
following formula:
\[
x' = (3^k + 1)x_0/2 + (3^k - 1)y_0/2 \;\land\; y' = (3^k - 1)x_0/2 + (3^k + 1)y_0/2
\]
Now consider loop (b). In (b), x and y produce the following sequence:
\[
\begin{pmatrix} x_0 \\ y_0 \end{pmatrix},
\begin{pmatrix} y_0 \\ -x_0 \end{pmatrix},
\begin{pmatrix} -x_0 \\ -y_0 \end{pmatrix},
\begin{pmatrix} -y_0 \\ x_0 \end{pmatrix},
\begin{pmatrix} x_0 \\ y_0 \end{pmatrix},
\cdots
\]
Symbolic matrix exponentiation yields the following formula that captures the behavior of this
loop:
\[
\begin{array}{l}
x' = x_0\,(i^k/2 + (-i)^k/2) + y_0\,((-i)\,i^k/2 + i\,(-i)^k/2) \\
\land\; y' = x_0\,(i\,i^k/2 - i\,(-i)^k/2) + y_0\,(i^k/2 + (-i)^k/2).
\end{array}
\tag{1}
\]
Notice that this formula makes use of the imaginary unit i: powers of i and −i are used as a kind of
switching network to include/exclude $x_0$ and $y_0$ for selected powers of k. □
Classical symbolic matrix exponentiation produces a closed-form formula that involves polynomials
and exponentials over the eigenvalues of the matrix for the loop. In general, these eigenvalues
are algebraic numbers. For instance, the eigenvalues of the matrix for loop (b) are i and −i (see §3),
and the closed-form representation is Eqn. (1). Unfortunately, exponential-polynomial expressions
over algebraic numbers are difficult to reason about. For instance, the problem of determining
whether such an expression has a root in the natural numbers is equivalent to Skolem’s problem
for linear recurrence sequences. The question of whether that problem is decidable has been open
since the 1930s [Ouaknine and Worrell 2015].
An alternative to symbolic matrix exponentiation is given in [Kincaid et al. 2018]. Kincaid et al.
[2018] express a closed-form representation of linear loops using additional function symbols in
place of exponentials of algebraic numbers. This approach is advantageous because it enables
heuristic reasoning about non-linear behavior using SMT solvers (treating the additional function
symbols as uninterpreted function symbols), but does not allow systematic reasoning: if the function
symbols are interpreted, then the logic is just as expressive as exponential-polynomial arithmetic
over algebraic numbers, and suffers from the same intractability.

(a)
    for (i = 0; i < N; i++)
        for (j = 0; j < N; j++)
            C[i][j] = A[i][j] + B[i][j];

(b) while (∗) do
\[
\begin{bmatrix} i \\ j \\ a \\ n \\ 1 \end{bmatrix} =
\begin{bmatrix}
1 & 0 & 0 & 0 & 0 \\
0 & 1 & 0 & 0 & 1 \\
0 & 0 & 1 & 0 & 3 \\
0 & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & 1
\end{bmatrix}
\begin{bmatrix} i \\ j \\ a \\ n \\ 1 \end{bmatrix}
\]

(c) while (∗) do
\[
\begin{bmatrix} i \\ j \\ a \\ n \\ 1 \end{bmatrix} =
\begin{bmatrix}
1 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 0 \\
0 & 0 & 1 & 3 & 0 \\
0 & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & 1
\end{bmatrix}
\begin{bmatrix} i \\ j \\ a \\ n \\ 1 \end{bmatrix}
\]

Fig. 2. A nested loop that exhibits non-linear behavior
This paper gives conditions under which a closed-form representation of a loop can be expressed
in weaker logics that are more amenable to automated reasoning. In particular, we seek closed forms
in decidable logics that avoid the use of algebraic numbers. For instance, our method produces an
alternative closed-form representation for loop (b) by making a case distinction on whether the
loop iteration is even or odd:
\[
\begin{array}{l}
\phantom{\lor{}}\big(k \equiv 0 \bmod 2 \land x' = (-1)^{\lfloor k/2 \rfloor} x_0 \land y' = (-1)^{\lfloor k/2 \rfloor} y_0\big) \\
\lor \big(k \equiv 1 \bmod 2 \land x' = (-1)^{\lfloor k/2 \rfloor} y_0 \land y' = -(-1)^{\lfloor k/2 \rfloor} x_0\big).
\end{array}
\tag{2}
\]
Although the logical fragment we use to express closed forms of loops is weaker than exponential-
polynomial arithmetic over algebraic numbers, it is still very expressive, allowing us to capture
polynomial and exponential behavior. We show that, despite the high degree of expressivity, the
satisfiability problem for this logic is decidable. As a consequence, we obtain decision procedures
for problems related to safety and termination of linear loops that meet certain efficiently checkable
technical conditions (to be described in §5). For instance, we can automatically prove the validity
of the Hoare triple “{x = 1 ∧ y = 1} Fig. 1(b) {x ≤ 1}” by proving that the formula “x = 1 ∧ y =
1 ∧ Eqn. (2) ∧ x′ > 1” is unsatisfiable.
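The following added example (not code from the paper) checks the closed form for loop (a) and Eqn. (2) for loop (b) against concrete execution, and then checks the Hoare triple above using only Eqn. (2): the formula depends on k only through k mod 4, so four values of k cover every iteration count. The function names and the extra initial states are assumptions of this sketch.

```python
from fractions import Fraction

# Transition matrices from Fig. 1 (a') and (b').
LOOP_A = ((2, 1), (1, 2))
LOOP_B = ((0, 1), (-1, 0))


def run_loop(A, state, k):
    """Concrete execution: apply the loop body x = Ax exactly k times."""
    x, y = state
    for _ in range(k):
        x, y = A[0][0] * x + A[0][1] * y, A[1][0] * x + A[1][1] * y
    return (x, y)


def summary_a(k, x0, y0):
    """Closed form for loop (a): polynomials and exponentials over Q only."""
    p = 3 ** k
    return (Fraction((p + 1) * x0 + (p - 1) * y0, 2),
            Fraction((p - 1) * x0 + (p + 1) * y0, 2))


def summary_b(k, x0, y0):
    """Eqn. (2): case split on the parity of k, no imaginary unit needed."""
    sign = (-1) ** (k // 2)
    if k % 2 == 0:
        return (sign * x0, sign * y0)
    return (sign * y0, -sign * x0)


def reachable_b(x0, y0):
    """All states loop (b) can exit in.

    Eqn. (2) depends on k only through (k mod 2) and the parity of
    floor(k/2), i.e. through k mod 4, so k = 0..3 is exhaustive.
    """
    return {summary_b(k, x0, y0) for k in range(4)}


def triple_holds(x0, y0, post):
    """Check {x = x0 and y = y0} loop (b) {post} using the summary alone."""
    return all(post(x, y) for (x, y) in reachable_b(x0, y0))


if __name__ == "__main__":
    for k in range(6):
        print(k, run_loop(LOOP_B, (1, 1), k), summary_b(k, 1, 1))
    print("triple {x=1, y=1} (b) {x <= 1}:",
          triple_holds(1, 1, lambda x, y: x <= 1))
```

The check on loop (b) is complete for a fixed precondition state; a solver is still needed when the precondition describes infinitely many states.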
Although our concern in this paper is with a simplified program model, using the abstraction
techniques of Kincaid et al. [2018, §5] our results have immediate applications, as illustrated in the
following example.
Example 1.2. Consider the matrix addition routine in Fig. 2(a). Suppose that we wish to count
the number of memory accesses made by this routine. By introducing (in the innermost loop) a
synthetic variable a that is incremented by 3 (the number of memory accesses in one iteration in
the innermost loop), we can extract (automatically, using [Kincaid et al. 2018, §5]) the linear model
of the inner loop shown in Fig. 2(b). The closed form we compute of the inner loop is
\[
\exists k \in \mathbb{N}.\; i' = i \land j' = j + k \land a' = a + 3k \land n' = n ,
\]
which combined with the precondition and post-condition of the innermost loop (see §6.3) yields
the following representation of the action of the innermost loop:
\[
\exists k \in \mathbb{N}.\; i' = i \land j' = n \land a' = a + 3n \land n' = n .
\]
Again employing the abstraction technique of [Kincaid et al. 2018, §5] (and using the above formula
to summarize the inner loop), we extract the linear model of the outer loop shown in Fig. 2(c), and
compute the closed form
\[
\exists k \in \mathbb{N}.\; i' = i + k \land j' = n \land a' = a + 3n^2 \land n' = n , \tag{3}
\]
from which we see that the number of memory accesses in the addition routine is exactly $3n^2$. □

Contributions. Our work makes contributions in three main areas:

(1) We present algorithms that solve the problem of obtaining, in a decidable logic, closed-form
formulas of the kind given in Eqns. (2) and (3), namely, loop summaries that capture the iterated
behavior of a linear loop (or an over-approximation thereof).
• We observe that if a matrix has periodic rational eigenvalues (i.e., each eigenvalue is an nth
root of a rational number for some n), then a closed-form representation of its behavior can
be expressed using polynomials and exponentials over rational numbers. We give polytime
algorithms for testing whether a loop has periodic rational eigenvalues and determining its
closed-form representation. Our algorithms are straightforward to implement, and make no
use of algebraic numbers (§5).
• We identify special cases in which our algorithm can be used to compute closed forms in
polynomial arithmetic and linear arithmetic (§5.2). In the linear-arithmetic case, our result
coincides with that of Boigelot [2003]; however, our method is polytime, improving upon
Boigelot’s exponential-space algorithm.
• We show how to compute, for any linear loop, a linear loop with periodic rational eigenvalues
that best approximates its behavior (§6.1).
• We extend the results for linear loops to the class of solvable polynomial loops with periodic-
rational eigenvalues (§8).
(2) We show that the satisfiability problem for the logical fragment that we use to express closed
forms is decidable over the rationals (§7). The result yields decision procedures for safety and
termination for a class of linear loops.
(3) We demonstrate that the technique is effective in practice, by using it to verify safety properties
of a suite of integer programs. Compared to state-of-the-art software model checkers on this
suite of benchmarks, our abstract interpreter proves the safety of more assertions and is more
consistently performant (§9).
§2 presents some additional examples to provide intuition. §3 provides background needed for
understanding the paper’s results. §4 defines a logic of closed forms, and formulates the problems
that the paper addresses. §10 discusses related work.

2 OVERVIEW
A central theme of this paper is the intuition that it is easier to reason about rational numbers than
algebraic numbers. Although there are many powerful techniques for computing with algebraic
numbers, basic questions about the behavior of non-linear functions over algebraic numbers remain
open [Ouaknine and Worrell 2015], and reasoning about algebraic numbers incurs a substantial
implementation overhead.
Functions involving exponentials and polynomials over rational numbers are well-behaved in
comparison: rational numbers are totally ordered, and this order yields insight into the asymptotic
behavior of exponential-polynomial terms: large exponential bases dominate smaller ones, and high-
degree polynomials dominate low-degree polynomials (these properties also hold for exponential-
polynomials over algebraic reals; see §7.1). This fact, along with quantifier-elimination techniques,
allows us to obtain a decidability result for a logic with exponentials and polynomials over the
rationals and reals (§7 and §8.1).
This decidability result motivates the question of when it is possible to express the behavior of a
loop using only rational numbers. This question is tied to the nature of the eigenvalues of linear
transformations. For example, the eigenvalues of Fig. 1(a) are rational (1 and 3), and so the loop
admits a closed-form representation over the rationals. The eigenvalues of loop (b) are non-rational
(i and −i), which means that symbolic matrix exponentiation gives a closed-form representation
involving non-rational numbers (Eqn. (1)). However, the use of non-rational numbers is not essential
because the matrix representing the execution of the loop twice,
$\begin{bmatrix} 0 & 1 \\ -1 & 0 \end{bmatrix}^2 = \begin{bmatrix} -1 & 0 \\ 0 & -1 \end{bmatrix}$, has only
rational eigenvalues (i.e., −1 with multiplicity 2). The squared matrix captures the periodic nature
of the loop in Fig. 1(b), enabling us to capture the behavior of the loop with a formula over the
rationals by case-splitting on whether the loop iteration is even or odd.
Thus, we can capture the behavior of a linear loop while (∗) do {x = Ax} using rational arithmetic
as long as some power $A^p$ of $A$ has all rational eigenvalues. This observation raises the question of
how high the power p may be required to make all eigenvalues of a matrix A rational. We prove a
bound on the power (as a corollary to Lem. 5.3), but as illustrated by the following example, p may
be exponential in the size of A.

    while (∗) do
        int a_old = a;
        int f_old = f;
        a = b + d;
        b = c − b − a_old;
        f = −c − d − e − f_old;
        c = d;
        d = e;
        e = f_old;

\[
\begin{bmatrix} a' \\ b' \\ c' \\ d' \\ e' \\ f' \end{bmatrix} =
\begin{bmatrix}
0 & 1 & 0 & 1 & 0 & 0 \\
-1 & -1 & 1 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 0 & 0 \\
0 & 0 & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & 0 & 1 \\
0 & 0 & -1 & -1 & -1 & -1
\end{bmatrix}
\begin{bmatrix} a \\ b \\ c \\ d \\ e \\ f \end{bmatrix}
\]

Fig. 3. Loop with periodic behavior, and its associated transition matrix.
Example 2.1. Consider the loop and corresponding transition matrix shown in Fig. 3. The matrix
has six distinct eigenvalues, none of which are rational. However, the matrix raised to the 15th
power is the 6 × 6 identity matrix. Following the pattern of Fig. 1(b), one can create a disjunction
with 15 cases, as follows:
\[
\begin{array}{l}
\phantom{\lor{}}\big((k \equiv 0 \bmod 15) \land (a' - c' = a - c) \land (b' = b) \land (c' = c) \land (d' = d) \land (e' = e) \land (f' = f)\big) \\
\lor \cdots \\
\lor \big((k \equiv 14 \bmod 15) \land (a' - c' = -(a - c) - b) \land (b' = a - c) \land (c' = -c - d - e - f) \\
\qquad \land\, (d' = c) \land (e' = d) \land (f' = e)\big)
\end{array}
\tag{4}
\]

We observe that although the total period of the loop is 15, its behavior can be decomposed
into two smaller periods, 3 and 5. This idea leads to the following more compact formula that also
summarizes the behavior of the loop in Fig. 3:
\[
\begin{array}{l}
\left(\begin{array}{l}
\phantom{\lor{}}(k \equiv 0 \bmod 5 \land c' = c \land d' = d \land e' = e \land f' = f) \\
\lor (k \equiv 1 \bmod 5 \land c' = d \land d' = e \land e' = f \land f' = -c - d - e - f) \\
\lor (k \equiv 2 \bmod 5 \land c' = e \land d' = f \land e' = -c - d - e - f \land f' = c) \\
\lor (k \equiv 3 \bmod 5 \land c' = f \land d' = -c - d - e - f \land e' = c \land f' = d) \\
\lor (k \equiv 4 \bmod 5 \land c' = -c - d - e - f \land d' = c \land e' = d \land f' = e)
\end{array}\right) \\[1ex]
\land \left(\begin{array}{l}
\phantom{\lor{}}(k \equiv 0 \bmod 3 \land a' = c' + a - c \land b' = b) \\
\lor (k \equiv 1 \bmod 3 \land a' = c' + b \land b' = -(a - c) - b) \\
\lor (k \equiv 2 \bmod 3 \land a' = c' - (a - c) - b \land b' = a - c)
\end{array}\right)
\end{array}
\tag{5}
\]

Ex. 2.1 motivates the periodic rational spectral decomposition (§5.1), a device that enables the
description of the behavior of a loop in terms of its component periods. The periodic rational
spectral decomposition makes the description of a loop additive rather than multiplicative in the
factors of its component periods, yielding a polynomial-time algorithm for computing a closed-form
representation of the behavior of a loop with periodic rational behavior.

Finally, we may ask how these results may be applied to real programs, which do not simply
implement linear transformations. The work of Kincaid et al. [2018, §5] shows how to approximate
loops by linear transformations, but these linear transformations may not fall into the class that
can be defined using exponentials and polynomials over rationals. The periodic rational spectral
decomposition provides an answer to this question as well: we can obtain a best approximation of a
linear transformation as a linear transformation that can be described in exponential-polynomial
rational arithmetic (§6).

3 BACKGROUND
We begin by reviewing some basic facts and notations for polynomials, matrices, and linear maps.
We use $\mathbb{Q}$ to denote the field of rationals. For a field $K$, we use $K[x_1, ..., x_n]$ to denote the
ring of polynomials over the variables $x_1, ..., x_n$ with coefficients in $K$. A univariate polynomial
$a_n x^n + a_{n-1} x^{n-1} + \cdots + a_0 \in K[x]$ is said to be monic if $a_n = 1$. An algebraic number is a
complex number that is a root of some polynomial in $\mathbb{Q}[x]$. We use $\overline{\mathbb{Q}}$ to denote the field of algebraic
numbers, and $|a + bi| \stackrel{\text{def}}{=} \sqrt{a^2 + b^2}$ to denote the norm of an algebraic number. Any univariate
polynomial $p \in \mathbb{Q}[x]$ of degree $n$ splits into $n$ linear factors over $\overline{\mathbb{Q}}$: $p = (x - \alpha_1) \cdots (x - \alpha_n)$ for
some $\alpha_1, ..., \alpha_n \in \overline{\mathbb{Q}}$ (not necessarily all distinct). Each algebraic number $\alpha \in \overline{\mathbb{Q}}$ is associated with
a unique minimal polynomial $\mu_\alpha \in \mathbb{Q}[x]$, which is the monic polynomial of least degree such
that $\mu_\alpha(\alpha) = 0$. For any univariate polynomial $p \in \mathbb{Q}[x]$ and any algebraic number $\alpha \in \overline{\mathbb{Q}}$ such that
$p(\alpha) = 0$, we have that $\mu_\alpha$ divides $p$ (i.e., there is some $q \in \mathbb{Q}[x]$ such that $p = q\mu_\alpha$).
We use $\overline{\mathbb{Q}}[k, (-)^k]$ to denote the ring of exponential polynomials in a (single) variable $k$ with
coefficients in $\overline{\mathbb{Q}}$:

\[
e, e_1, e_2 \in \overline{\mathbb{Q}}[k, (-)^k] ::= \lambda \mid k \mid \lambda^k \mid e_1 e_2 \mid e_1 + e_2 \qquad \text{where } \lambda \in \overline{\mathbb{Q}}
\]

Similarly, we use $\mathbb{Q}[k, (-)^k]$ to denote the ring of exponential-polynomials in a variable $k$ with
coefficients in $\mathbb{Q}$.
Let $A \in \mathbb{Q}^{n \times n}$ be a square matrix with rational entries. For any $\lambda \in \overline{\mathbb{Q}}$ and any $v \in \overline{\mathbb{Q}}^n$ such
that $v^T A = \lambda v^T$ (using $v^T$ to denote the row vector obtained by transposing $v$), we say that $v$ is a
(left) eigenvector of $A$ and $\lambda$ is an eigenvalue of $A$. A rank-$r$ generalized (left) eigenvector
of $A$ is a vector $v$ such that $v^T (A - \lambda I)^r = 0$ (in particular, rank-1 generalized eigenvectors
are exactly eigenvectors). The generalized eigenspace of $\lambda$ is the vector space spanned by the
generalized eigenvectors of $\lambda$. The characteristic polynomial of a matrix $A \in \mathbb{Q}^{n \times n}$ is defined to
be $p_A(x) \stackrel{\text{def}}{=} \det(xI - A)$; it is a monic polynomial of degree $n$ whose roots are exactly the eigenvalues
of $A$. The algebraic multiplicity of an algebraic number $\lambda \in \overline{\mathbb{Q}}$ is the number of times $(x - \lambda)$
divides $p_A$; its geometric multiplicity is the dimension of the vector space of eigenvectors of $\lambda$.
Let $n \in \mathbb{N}$ be a natural number. The body of a (deterministic) numerical loop with $n$ variables
can be understood as a function $f : \mathbb{Q}^n \to \mathbb{Q}^n$. We say that $f$ is linear if there exists some
matrix $A \in \mathbb{Q}^{n \times n}$ such that $f(x) = Ax$; $f$ is affine if there exists $A \in \mathbb{Q}^{n \times n}$ and $b \in \mathbb{Q}^n$ such that
$f(x) = Ax + b$. The behavior of an affine map $f : \mathbb{Q}^n \to \mathbb{Q}^n$ can be understood by analyzing the
behavior of the linear map $g(y) = \begin{bmatrix} A & b \\ 0 & 1 \end{bmatrix} y$ on the subspace of $\mathbb{Q}^{n+1}$ in which the last coordinate
is 1. Note that in converting from the affine case to the linear case, the algebraic multiplicity of 1
increases by one; in the remainder of the paper, we present results in terms of linear maps unless
the result is not robust under such a change. For any $i \in \{1, ..., n\}$, we use $f_i : \mathbb{Q}^n \to \mathbb{Q}$ to denote
the map $f$ projected onto the $i$th coordinate.

Let $f : \mathbb{Q}^n \to \mathbb{Q}^n$ be a function. Define $f^{(-)} : \mathbb{N} \to (\mathbb{Q}^n \to \mathbb{Q}^n)$ to be a function that maps each
natural number $k \in \mathbb{N}$ to the $k$-fold composition of $f$:
\[
f^{(k)} \stackrel{\text{def}}{=} \underbrace{f \circ \cdots \circ f}_{k \text{ times}} .
\]

That is, if $f$ is a function representing the behavior of a loop, then $f^{(k)}$ is a function representing the
behavior of iterating that loop.
Note that if $f(x) = Ax$ is a linear function, then $f^{(k)}(x) = A^k x$. Thus, describing the iterated
behavior of a linear or affine map reduces to describing matrix exponentiation symbolically. A
useful tool for describing matrix exponentiation is the Jordan normal form. Every matrix $A$ has a
Jordan normal form $A = PJP^{-1}$, where $J$ is almost diagonal. More specifically, $J$ is a block-diagonal
matrix, where each block along the diagonal is a Jordan block. Each Jordan block of $A$ has some
eigenvalue of $A$ as its diagonal elements, ones on the superdiagonal, and zeros everywhere else.
The algebraic multiplicity of the eigenvalue determines the size of the Jordan block. The geometric
multiplicity of an eigenvalue determines the number of Jordan blocks with that eigenvalue on the
diagonal.
Our interest in Jordan normal form stems from the fact that a matrix $A$ in Jordan normal form
can easily be exponentiated symbolically: $A^k = PJ^kP^{-1}$. For example, let $A$ be a 5 × 5 matrix with
two eigenvalues, $\lambda_1$ and $\lambda_2$, of geometric multiplicity 1. Suppose that the algebraic multiplicity of
$\lambda_1$ is 3, and the algebraic multiplicity of $\lambda_2$ is 2. We have $A^k = PJ^kP^{-1}$, where
\[
J^k =
\begin{bmatrix}
\lambda_1 & 1 & 0 & 0 & 0 \\
0 & \lambda_1 & 1 & 0 & 0 \\
0 & 0 & \lambda_1 & 0 & 0 \\
0 & 0 & 0 & \lambda_2 & 1 \\
0 & 0 & 0 & 0 & \lambda_2
\end{bmatrix}^k
=
\begin{bmatrix}
\lambda_1^k & \binom{k}{1}\lambda_1^{k-1} & \binom{k}{2}\lambda_1^{k-2} & 0 & 0 \\
0 & \lambda_1^k & \binom{k}{1}\lambda_1^{k-1} & 0 & 0 \\
0 & 0 & \lambda_1^k & 0 & 0 \\
0 & 0 & 0 & \lambda_2^k & \binom{k}{1}\lambda_2^{k-1} \\
0 & 0 & 0 & 0 & \lambda_2^k
\end{bmatrix}
\]
Given a block-diagonal matrix of Jordan blocks, $J \in K^{n \times n}$, and variable symbol $k$, we use $\exp(J, k)$
to denote the matrix with exponential-polynomial entries such that for any natural number $c \ge n$,
we have $\exp(J, k)(c) = J^c$, where $\exp(J, k)(c)$ denotes the matrix obtained by evaluating each
exponential-polynomial entry of $\exp(J, k)$ at $c$.
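The ability to exponentiate symbolically is useful for characterizing an iterated linear map, which
we illustrate using the transition matrix $A = \begin{bmatrix} 0 & 1 \\ -1 & 0 \end{bmatrix}$ from Fig. 1(b). $A$’s eigenvalues are $i$ and $-i$.
Consequently, $f^{(k)}(x) \stackrel{\text{def}}{=} A^k x$ equals
\[
\begin{pmatrix} f_1^{(k)}(x_0) \\ f_2^{(k)}(x_0) \end{pmatrix}
=
\begin{pmatrix} i & -i \\ 1 & 1 \end{pmatrix}
\begin{pmatrix} -i & 0 \\ 0 & i \end{pmatrix}^k
\begin{pmatrix} -\frac{i}{2} & \frac{1}{2} \\ \frac{i}{2} & \frac{1}{2} \end{pmatrix}
\begin{pmatrix} x_0 \\ y_0 \end{pmatrix}
=
\begin{pmatrix}
\frac{i^k}{2} + \frac{(-i)^k}{2} & \frac{-i * i^k}{2} + \frac{i * (-i)^k}{2} \\
\frac{i * i^k}{2} - \frac{i * (-i)^k}{2} & \frac{i^k}{2} + \frac{(-i)^k}{2}
\end{pmatrix}
\begin{pmatrix} x_0 \\ y_0 \end{pmatrix}
\]
from which one obtains the formula in Eqn. (1).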
This example is an illustration of the following well-known fact about the coefficient functions
of an iterated linear map:
Theorem 3.1. Let $f(x) = Ax$ be a linear map. Let $\lambda_1, ..., \lambda_m$ be the eigenvalues of $A$. Then for each
$i$, there exist vectors $p_1(k), ..., p_m(k) \in \overline{\mathbb{Q}}[k]^n$ of polynomials with algebraic coefficients such that
\[
f_i^{(k)}(x) = \lambda_1^k (p_1(k) \cdot x) + \cdots + \lambda_m^k (p_m(k) \cdot x) \tag{6}
\]
for all $k \ge n$. Moreover:
• If each eigenvalue of $A$ is rational, then each $p_i(k)$ has rational coefficients.
• If each eigenvalue of $A$ is either 0 or 1, then $f_i^{(k)}(x)$ is a polynomial.
• If each eigenvalue of $A$ is either 0 or 1 and $A$ is diagonalizable, then $f_i^{(k)}(x)$ is a linear function.

4 PROBLEM STATEMENT
We first define the language EPRA of exponential-polynomial rational arithmetic formulas,
which we use to represent the behaviors of numerical loops. Let $k$ denote a distinguished variable
symbol (intuitively, the iteration count of a loop). The syntax of EPRA is as follows:

\[
\begin{array}{rcl}
\lambda &\in& \mathbb{Q} \\
m, n &\in& \mathbb{N} \\
x &\in& \mathsf{Var} = \{x_1, ..., x_n\} \\
s, t \in \mathsf{Term} &::=& \lambda \mid k \mid x \mid \lambda^k \mid st \mid s + t \\
\phi, \psi \in \mathsf{Formula} &::=& s < t \mid s \le t \mid s = t \mid k \equiv m \bmod n \\
&\mid& \phi \lor \psi \mid \phi \land \psi \mid \lnot\phi
\end{array}
\]
Observe that Term is equal to $(\mathbb{Q}[k, (-)^k])[x_1, ..., x_n]$, the set of polynomials over the variables
$x_1, ..., x_n$ with coefficients drawn from the ring $\mathbb{Q}[k, (-)^k]$ of exponential-polynomials in $k$. We
say that a term $t$ is linear over $\mathbb{Q}[k, (-)^k]$ if it can be written as a linear term with coefficients
in $\mathbb{Q}[k, (-)^k]$; that is, $t = e_1 x_1 + ... + e_n x_n$, where each $e_i \in \mathbb{Q}[k, (-)^k]$. Similarly, we say that a
term is linear over $\mathbb{Q}[k]$ if it can be written as a linear term with coefficients in $\mathbb{Q}[k]$. We say that a
term is linear over $\mathbb{Q}$ (or $\mathbb{Z}$) if it can be written as $t = c_0 k + c_1 x_1 + ... + c_n x_n$ with each $c_i \in \mathbb{Q}$ (or
$\mathbb{Z}$); note that such terms may involve $k$. We say that a formula is linear over $\mathbb{Q}[k, (-)^k]$ (or $\mathbb{Q}[k]$,
$\mathbb{Q}$, or $\mathbb{Z}$) if all terms in the formula are linear over $\mathbb{Q}[k, (-)^k]$ ($\mathbb{Q}[k]$, $\mathbb{Q}$, $\mathbb{Z}$, respectively). Note that
the formulas that are linear over $\mathbb{Q}$ (or equivalently, $\mathbb{Z}$) are exactly the formulas that are in linear
integer arithmetic. We use EPRA$_{\mathrm{lin}}$, PRA$_{\mathrm{lin}}$, and LRA to denote the fragments of EPRA that use
terms that are linear over $\mathbb{Q}[k, (-)^k]$, $\mathbb{Q}[k]$, and $\mathbb{Q}$, respectively.
We can extend the syntax of EPRA to admit terms of the form $\lfloor k/n \rfloor$ and $\lambda^{\lfloor k/n \rfloor}$ (for $n \in \mathbb{N}$). We
use a + superscript to denote the extension (e.g., EPRA$^+$ is EPRA extended with such terms). Note
that $\lambda^{\lfloor k/n \rfloor}$ denotes a function of sort $\mathbb{N} \to \mathbb{Q}$ (in contrast to $\lambda^{k/n}$, which is not rational-valued).
The extension does not change the expressive power of the logic (in a sense formalized in the
following lemma); our interest in the extension is due to the fact that it allows formulas to be more
succinct, which we will take advantage of in §5.
Lemma 4.1. There is an effective procedure to compute from any formula $\phi \in$ EPRA$^+$, a formula
$\psi \in$ EPRA that is satisfiable if and only if $\phi$ is satisfiable. Moreover, $(\exists k \in \mathbb{N}.\phi)$ and $(\exists k \in \mathbb{N}.\psi)$ are
equivalent.
Proof. Let $\phi$ be an EPRA$^+$ formula, and let $n$ be the least common multiple of all $n$ such that
$\lfloor k/n \rfloor$ or $\lambda^{\lfloor k/n \rfloor}$ appears in $\phi$. Take $\psi = \bigvee_{r=0}^{n-1} \phi[k \mapsto nk + r]$ (where $\phi[k \mapsto nk + r]$ denotes
the formula $\phi$ with the term $nk + r$ substituted for $k$). Observe that for every term $\lambda^{\lfloor k/n \rfloor}$ in $\phi$,
$\lambda^{\lfloor k/n \rfloor}[k \mapsto nk + r]$ simplifies to $\lambda^{\lfloor r/n \rfloor}(\lambda^{n/n})^k$ (with $\lambda^{\lfloor r/n \rfloor}$ and $\lambda^{n/n}$ both rational numbers). For
every divisibility predicate $k \equiv m \bmod n$ in $\phi$, we let $d = \gcd(n, n)$, and let $q_n$ and $q_n$ be such
that $n = dq_n$ and $n = dq_n$; if $d$ divides $r + m$, then $(k \equiv m \bmod n)[k \mapsto nk + r]$ simplifies to
$k \equiv z(r + m)/d \bmod q_n$, where $z$ is the multiplicative inverse of $q_n$ modulo $q_n$; if $d$ fails to divide
$r + m$, then $(k \equiv m \bmod n)[k \mapsto nk + r]$ simplifies to false. □

Definition 4.2. A function $f^{(-)} : \mathbb{N} \to (\mathbb{Q}^n \to \mathbb{Q}^n)$ is definable in a language $\mathcal{L}$ (e.g., EPRA,
PRA, ...) if there exists a formula $\phi \in \mathcal{L}$ in $2n + 1$ free variables such that for all $k \in \mathbb{N}$, $x \in \mathbb{Q}^n$,
and $y \in \mathbb{Q}^n$, we have $\phi(k, x, y)$ if and only if $f^{(k)}(x) = y$. If this holds, we say that the formula $\phi$
defines $f$.
In general, what one obtains via Eqn. (6) is difficult for a verification tool to work with because
of the presence of complex numbers. Boigelot investigated the use of weaker logics to express the
closed form of a linear loop, and obtained the following result:
Theorem 4.3 ([Boigelot 2003]). Let $f(x) = Ax + b$ be an affine function. If there exists some
$p \ge 1$ such that $A^p$ is diagonalizable and all of its eigenvalues are either 0 or 1, then $f^{(-)}$ is definable
in linear arithmetic.
In this paper, our interest lies in the gap between Thm. 3.1 and Thm. 4.3. The primary goal of the
work is as follows:
Given the transition matrix $M$ for a linear loop, find a succinct formula, in a decidable
logic, that defines the iterated behavior of $M$ (in the sense of Defn. 4.2).
Toward this end, a secondary goal is to establish that EPRA is decidable (see §7).

5 LINEAR LOOPS
This section describes a method for computing succinct formulas that define (in the sense of
Defn. 4.2) the behavior of linear loops. §5.1 describes a procedure to compute an EPRA$_{\mathrm{lin}}^{+}$ formula
that defines the iteration of a linear map that meets certain conditions. §5.2 extends the result of
Boigelot [2003], and shows how the algorithms of this section produce representations in even
weaker logics in certain cases.

5.1 Logical Exponential-Polynomial Closed Forms


We begin by formalizing the class of matrices in which we are interested, based on properties of
their eigenvalues.

Definition 5.1. Let $\lambda \in \overline{\mathbb{Q}}$ be an algebraic number. We say that $\lambda$ is a periodic rational if $\lambda^p \in \mathbb{Q}$
for some $p \in \mathbb{N}$ with $p > 0$. If $\lambda$ is a periodic rational, we define its rational period to be the least
$p > 0$ such that $\lambda^p \in \mathbb{Q}$.
Periodic rationals are precisely the roots of polynomials of the form $bx^p - a$, where $a$ and $b$ are
integers. Examples include $i$, $\sqrt[3]{2}$, and $i\sqrt[3]{2}$ which have rational periods of 2, 3, and 6 respectively.
In the remainder of this sub-section, we prove the following result:
Proposition 5.2. Let $f(x) = Ax$ be a linear map. There is a polytime algorithm for determining
whether each eigenvalue of $A$ is a periodic rational, and if so, computing an EPRA$_{\mathrm{lin}}^{+}$ formula that
defines $f^{(-)}$.
As a first step towards Prop. 5.2, we would like to show that it is possible to test whether a given
matrix has periodic rational eigenvalues. Given a matrix A with periodic rational eigenvalues, we
can enumerate powers A1 , A2 , A3 , ... until we find a power Ap with all rational eigenvalues (p is the
least common multiple of the rational periods of the eigenvalues of A), but if A does not have all
rational eigenvalues, this process would go on forever. The following lemma is sufficient to show
that there is an upper bound on the powers of A that we need to test to reveal its periodic rational
eigenvalues.
Lemma 5.3. Let A ∈ Qn×n . If λ is a periodic rational eigenvalue of A with rational period k, then
k ≤ n3 .

Proc. ACM Program. Lang., Vol. 3, No. POPL, Article 55. Publication date: January 2019.
55:10 Zachary Kincaid, Jason Breck, John Cyphert, and Thomas Reps

Proof. Let $p_A(x)$ be A's characteristic polynomial, and let $\mu_\lambda$ be the minimal polynomial of $\lambda$. Since $\lambda$ is a periodic rational, there is some $k \in \mathbb{N}$, and $a, b \in \mathbb{Z}$ such that $\lambda^k = \frac{a}{b}$, and thus $\lambda$ is a root of the polynomial $bx^k - a$. It follows that $\mu_\lambda$ divides $bx^k - a$ and every root of $\mu_\lambda$ is a root of $bx^k - a$. Since the roots of $bx^k - a$ are all of the form $r\zeta$ where $r = |\lambda|$ and $\zeta$ is a root of unity, it follows that $\mu_\lambda$ can be written as $(x - r\zeta_1) \cdots (x - r\zeta_m)$ with each $\zeta_j$ a root of unity and such that $r\zeta_1 = \lambda$. In the following, we use $\zeta$ to denote $\zeta_1 = \frac{\lambda}{r}$.
Let q be the rational period of r and let $m = \deg(\mu_\lambda)$. Since the constant coefficient of $\mu_\lambda = (x - r\zeta_1) \cdots (x - r\zeta_m)$ is $(-1)^m \prod_{j=1}^{m} r\zeta_j$ and must be rational, $r^m$ must be rational, and thus q (the rational period of r) divides m and so $q \leq m$. Because $\lambda$ is a root of $p_A$, we have that $\mu_\lambda$ divides $p_A$ and so $\deg(\mu_\lambda) \leq \deg(p_A)$. Summarizing, we have $q \leq m = \deg(\mu_\lambda) \leq \deg(p_A) = n$, and thus $q \leq n$.
Let $\mu_{\lambda^q}$ be the minimal polynomial of $\lambda^q$, and let $p_{A^q}$ be the characteristic polynomial of $A^q$. Reasoning as above, $\lambda^q$ is a root of $bx^{k/q} - a$ and so $\mu_{\lambda^q}$ can be written as $(x - r^q\zeta'_1) \cdots (x - r^q\zeta'_{m'})$ with $\zeta'_1 = \zeta^q$. Then

$$\mu_{\lambda^q}(r^q x) = (r^q x - r^q\zeta'_1) \cdots (r^q x - r^q\zeta'_{m'}) = r^{qm}(x - \zeta'_1) \cdots (x - \zeta'_{m'})$$

is a rational polynomial with $\zeta^q$ as a root. Since $\zeta^{qj}$ is not real for any $j < \frac{k}{q}$, $\zeta^q$ is a primitive $d$th root of unity for some $d \geq \frac{k}{q} \geq \frac{k}{n}$. Distinguish two cases:
• Case $d > 6$. Since $\zeta^q$ is a primitive $d$th root of unity, we have that $\Phi_d$ divides $\mu_{\lambda^k}(r^q x)$, where $\Phi_d$ is the $d$th cyclotomic polynomial. Since $\mu_{\lambda^q}$ divides $p_{A^q}$, we must have $n = \deg(p_{A^q}) \geq \deg(\mu_{\lambda^q}) \geq \deg(\Phi_d)$. Since the degree of $\Phi_d$ is at least $\sqrt{d}$ for $d > 6$, we have $n \geq \sqrt{d}$, and thus $n^2 \geq d$. Since $d \geq \frac{k}{n}$, we conclude $k \leq n^3$.
• Case $d \leq 6$. Since $\frac{k}{n} \leq d \leq 6$, we have $k \leq 6n$ and thus $k \leq n^3$, except when $n = 2$. When $n = 2$, then (reasoning as above) we must have $q \in \{1, 2\}$ and $d \in \{1, 2, 3, 4, 6\}$. The case $q = 2$ and $d = 6$ is not possible by the assumption that $\zeta^{qj}$ is not real for $j < d$ (if $\zeta^2$ is a primitive 6th root of unity, then $\zeta^6$ must be real). All other cases have $k = qd \leq 8 \leq n^3$. □

As a corollary of this lemma, we see that if $A \in \mathbb{Q}^{n \times n}$ has all periodic rational eigenvalues, then there is some least power p such that $A^p$ has all rational eigenvalues, and p is bounded by the least common multiple of $\{1, \ldots, n^3\}$. By Thm. 3.1, we can symbolically exponentiate $A^p$ and define the iterated behavior of A via a formula of the form:

$$\varphi(k, x, y) = \left(\bigvee_{j=1}^{n} k = j \wedge y = A^j x\right) \vee \left(k > n \wedge \bigvee_{j=0}^{p-1} (k \equiv j \bmod p) \wedge y = A^j \exp(A^p, \lfloor k/p \rfloor)\, x\right).$$

However, this approach takes exponential space: it requires p case distinctions, and in the worst case, p is exponential in the size of A. The essential issue is illustrated by the matrix from Ex. 2.1 (Fig. 3), which we will refer to as A. The eigenvalues of A are all primitive 3rd and 5th roots of unity, which have rational periods of 3 and 5. The least power p such that $A^p$ has all rational eigenvalues is 15. However, as we will see in this section, it is possible to describe the iterated behavior of A by describing the iterated behavior of $A^3$ and $A^5$ on their rational eigenvectors without having to enumerate the 15 case distinctions needed to describe the iterated behavior of A in terms of $A^{15}$.
Our strategy for computing a succinct formula that defines the iterated behavior of a linear map with periodic rational eigenvalues is based on a novel technical device: the periodic rational spectral decomposition (PRSD). In the following, we will present our strategy in three parts: first, we define PRSD and state some of its properties; then, we show how to compute a PRSD of a matrix; and finally, we show how to compute a formula defining the iterated behavior of a map, given a PRSD.


5.1.1 Periodic Rational Spectral Decomposition (PRSD). A periodic rational spectral decomposition of a matrix A identifies the (generalized) eigenvectors of powers of A that correspond to rational eigenvalues. For matrices A such that $A^p$ has all rational eigenvalues, the PRSD serves a similar role to the Jordan normal form of $A^p = P^{-1}JP$ (noting that the rows of $P^{-1}$ are generalized eigenvectors of $A^p$). However, unlike with Jordan normal form, the generalized eigenvectors in a PRSD are not required to synchronize on a single period, which allows for a PRSD to be computed in polytime.
Definition 5.4. Let $A \in \mathbb{Q}^{n \times n}$ be a square rational matrix. A periodic rational spectral decomposition of A is a set of triples

$$\{(p_1, \lambda_1, v_1), \ldots, (p_m, \lambda_m, v_m)\} \subset \mathbb{N} \times \mathbb{Q} \times \mathbb{Q}^n$$

such that
(1) The set $\{v_1, \ldots, v_m\}$ is linearly independent.
(2) For all i, $v_i$ is a generalized eigenvector of $A^{p_i}$ corresponding to $\lambda_i$ (i.e., there exists some $r \in \mathbb{N}$ such that $v_i^T (A^{p_i} - \lambda I)^r = 0$).
(3) The set is maximal in the sense that for any vector u for which there exists a rational number $\lambda$ and natural numbers p and r such that $u^T (A^p - \lambda I)^r = 0$ (i.e., u is a generalized eigenvector of some power of A corresponding to a rational eigenvalue), $u \in \mathrm{span}(v_1, \ldots, v_m)$.
For example, a PRSD of the matrix from Ex. 2.1 (Fig. 3) is $\{(3, 1, v_1), (3, 1, v_2), (5, 1, v_3), (5, 1, v_4), (5, 1, v_5), (5, 1, v_6)\}$: the vectors $v_1$ and $v_2$ are (left) eigenvectors of $A^3$ corresponding to the eigenvalue 1 (i.e., $v_1 A^3 = v_1$ and $v_2 A^3 = v_2$), and $v_3$ through $v_6$ are eigenvectors of $A^5$ corresponding to the eigenvalue 1.

$$v_1^T = \begin{bmatrix} -1 & 0 & 1 & 0 & 0 & 0 \end{bmatrix} \quad v_3^T = \begin{bmatrix} 0 & 0 & 1 & 0 & 0 & 0 \end{bmatrix} \quad v_5^T = \begin{bmatrix} 0 & 0 & 0 & 0 & 1 & 0 \end{bmatrix}$$
$$v_2^T = \begin{bmatrix} 0 & 1 & 0 & 0 & 0 & 0 \end{bmatrix} \quad v_4^T = \begin{bmatrix} 0 & 0 & 0 & 1 & 0 & 0 \end{bmatrix} \quad v_6^T = \begin{bmatrix} 0 & 0 & 0 & 0 & 0 & 1 \end{bmatrix}$$

While any matrix has a (possibly empty) periodic rational spectral decomposition, conditions 1 and 3 together imply that if all of the eigenvalues of A are periodic rational, then its PRSD spans $\mathbb{Q}^n$. As a result, describing the iterated behavior of A on each vector in its PRSD is sufficient to describe the iterated behavior of A.
5.1.2 Computing a Periodic Rational Spectral Decomposition.
Proposition 5.5. Alg. 1 is a polytime algorithm for computing a periodic rational spectral decomposition of a matrix.
Proof. Let $\{(p_1, \lambda_1, v_1), \ldots, (p_m, \lambda_m, v_m)\}$ be the set returned by Alg. 1. Conditions 1 and 2 of Defn. 5.4 hold trivially. We prove condition 3. Let $v \in \mathbb{Q}^n$, $p, r \in \mathbb{N}$ such that $v^T (A^p - \lambda I)^r = 0$. We must prove that $v \in \mathrm{span}(v_1, \ldots, v_m)$.
First, a lemma:
Lemma 5.6. Let $A \in \overline{\mathbb{Q}}^{n \times n}$ be a square algebraic matrix, let $k \in \mathbb{N}$, and let $\lambda$ be an eigenvalue of $A^k$. The generalized eigenspace of $A^k$ corresponding to $\lambda$ is exactly the span of the generalized eigenspaces of A corresponding to the eigenvalues $\alpha$ of A such that $\alpha^k = \lambda$.
Proof. Let $\alpha_1, \ldots, \alpha_d \in \overline{\mathbb{Q}}$ be the eigenvalues of A, and let $U_1, \ldots, U_d$ be the corresponding generalized eigenspaces of A. Let $\lambda_1, \ldots, \lambda_e \in \overline{\mathbb{Q}}$ be the eigenvalues of $A^k$, and let $P_1, \ldots, P_e$ be the corresponding generalized eigenspaces of $A^k$. For any i let $\{j_{i,1}, \ldots, j_{i,g_i}\}$ be the set of indices such that $\alpha_{j_{i,1}}^k = \cdots = \alpha_{j_{i,g_i}}^k = \lambda_i$. We must prove that for all i, $P_i = \mathrm{span}(U_{j_{i,1}}, \ldots, U_{j_{i,g_i}})$.

First, we prove that $P_i$ must contain $U_j$ for any j such that $\alpha_j^k = \lambda_i$. It is sufficient to prove that for all $u \in \overline{\mathbb{Q}}^n$, $\alpha \in \overline{\mathbb{Q}}$ and $r \in \mathbb{N}$, $u^T (A - \alpha I)^r = 0$ implies $u^T (A^k - \alpha^k I)^r = 0$. We proceed by induction on r.
• Base case $r = 1$. $u^T (A - \alpha I) = 0$ implies $u^T A = \alpha u^T$ and so $u^T A^k = \alpha^k u^T$ and $u^T (A^k - \alpha^k I) = 0$.
• Induction step. By the induction hypothesis, we have that for all v, $v^T (A - \alpha I)^r = 0$ implies $v^T (A^k - \alpha^k I)^r = 0$. Suppose $u^T (A - \alpha I)^{r+1} = 0$. By induction on k, we can show that $u^T A^k = \alpha^k u^T + z^T$, where $z^T (A^k - \alpha^k I)^r = 0$:
  - Base case $k = 1$: trivial.
  - Inductive step. By the induction hypothesis, $u^T A^k = \alpha^k u^T + z^T$ for some z such that $z^T (A^k - \alpha^k I)^r = 0$. Then

$$\begin{aligned}
u^T A^{k+1} &= u^T A^k A \\
&= (\alpha^k u^T + z^T) A \\
&= \alpha^k u^T A + z^T A \\
&= \alpha^k (u^T A + \alpha u^T - \alpha u^T) + z^T A \\
&= \alpha^k (\alpha u^T + u^T (A - \alpha I)) + z^T A \\
&= \alpha^{k+1} u^T + (\alpha^k u^T (A - \alpha I) + z^T A)
\end{aligned}$$

    We now must show that $(\alpha^k u^T (A - \alpha I) + z^T A)(A^k - \alpha^k I)^r = 0$. We consider the two parts of the sum separately:
    ∗ Since $(u^T (A - \alpha I))(A - \alpha I)^r = 0$, we have by the (outer) induction hypothesis that $(u^T (A - \alpha I))(A^k - \alpha^k I)^r = 0$, and thus $(\alpha^k u^T (A - \alpha I))(A^k - \alpha^k I)^r = 0$.
    ∗ Since $z^T (A^k - \alpha^k I)^r = 0$, we have $z^T A (A^k - \alpha^k I)^r = z^T (A^k - \alpha^k I)^r A = 0A = 0$.
  Since $u^T A^k = \alpha^k u^T + z^T$, we have $u^T (A^k - \alpha^k I) = z^T$ and so

$$u^T (A^k - \alpha^k I)^{r+1} = u^T (A^k - \alpha^k I)(A^k - \alpha^k I)^r = z^T (A^k - \alpha^k I)^r = 0 .$$

Since $P_i$ must contain $U_j$ for any j such that $\alpha_j^k = \lambda_i$, we have $P_i \supseteq \mathrm{span}(U_{j_{i,1}}, \ldots, U_{j_{i,g_i}})$ for all i. Since

$$n = \dim(U_1) + \cdots + \dim(U_d) = \dim(P_1) + \cdots + \dim(P_e) ,$$

we have that for all i, $P_i$ is exactly $\mathrm{span}(U_{j_{i,1}}, \ldots, U_{j_{i,g_i}})$. □


Let $\alpha_1, \ldots, \alpha_d \in \overline{\mathbb{Q}}$ be the eigenvalues of A such that $\alpha_1^p = \cdots = \alpha_d^p = \lambda$, and let $U_1, \ldots, U_d$ be the generalized eigenspaces of A corresponding to $\alpha_1, \ldots, \alpha_d$. From the above lemma, we have that the generalized eigenspace of $A^p$ corresponding to $\lambda$ is equal to $\mathrm{span}(U_1, \ldots, U_d)$, and thus $v \in \mathrm{span}(U_1, \ldots, U_d)$. Let $p_1, \ldots, p_d$ be the rational periods of $\alpha_1, \ldots, \alpha_d$. For each j, $U_j$ belongs to the eigenspace of $A^{p_j}$ corresponding to $\alpha_j^{p_j}$; since (by Lem. 5.3) $p_j$ is bounded above by $n^3$, we have that $U_j$ is contained in $\mathrm{span}(v_1, \ldots, v_m)$, and therefore $v \in \mathrm{span}(U_1, \ldots, U_d) \subseteq \mathrm{span}(v_1, \ldots, v_m)$.
Clearly the number of iterations of each loop is bounded by a polynomial. On line (3), the set of rational eigenvalues of $A^p$ (over which the iteration is performed) can be computed in polytime by computing its characteristic polynomial [Keller-Gehrig 1985] and subsequently factoring it [Lenstra et al. 1982]. □


Algorithm 1: PeriodicRationalSpectralDecomposition(A)
Data: $A \in \mathbb{Q}^{n \times n}$, a square rational matrix
Result: Periodic rational spectral decomposition of A
1 D ← ∅;
2 for p ← 1 to $n^3$ do
3     for each rational eigenvalue λ of $A^p$ do
4         B ← basis for the generalized left eigenspace of $A^p$ corresponding to λ;
5         for b ∈ B do
6             if b is not a linear combination of vectors in D then
7                 D ← D ∪ {(p, λ, b)};
8 return D

5.1.3 Closed Forms from Periodic Rational Spectral Decompositions. Finally, we can prove Prop. 5.2. Suppose that $f : \mathbb{Q}^n \to \mathbb{Q}^n$ is a linear map with $f(x) = Ax$. We may use Alg. 1 to compute (in polytime) a periodic rational spectral decomposition $\{(p_1, \lambda_1, v_1), \ldots, (p_m, \lambda_m, v_m)\}$. If m is not equal to n, then A has eigenvalues that are not periodic rationals, so we report failure. Otherwise, $m = n$ and $\{v_1, \ldots, v_n\}$ spans $\mathbb{Q}^n$. For any $1 \leq i \leq n$, define $g_i(k, x) \overset{\mathrm{def}}{=} v_i^T A^k (x)$ (in the terminology of loops: $g_i(k, x)$ represents the value of the linear term $v_i^T x$ as a function of the initial values of the variables x and the iteration number k). Since $\{v_1, \ldots, v_n\}$ spans $\mathbb{Q}^n$, we can compute a formula that defines the iterated map $f^{(k)}$ by computing formulas that define each of the $g_i$ (in the terminology of loops: the value of any variable can be recovered from the values of the linear terms $v_1^T x, \ldots, v_n^T x$). Supposing that for each i, $\varphi_i(k, x, y)$ is a formula that defines $g_i$, then the following formula defines $f^{(k)}$:

$$\varphi(k, x, y) \overset{\mathrm{def}}{=} \bigwedge_{i=1}^{n} \varphi_i(k, x, v_i^T y) .$$

We now address how to compute, for a given i, a formula $\varphi_i(k, x, y)$ that defines $g_i(k, x) = v_i^T A^k (x)$. By assumption, $v_i$ is a generalized eigenvector of $A^{p_i}$ corresponding to the eigenvalue $\lambda_i$, so there is some r such that $v_i^T (A^{p_i} - \lambda_i I)^r = 0$. We can compute the least such r by taking

$$u_1 \overset{\mathrm{def}}{=} v_i, \quad u_2 \overset{\mathrm{def}}{=} (A^{p_i} - \lambda I)^T u_1, \quad u_3 \overset{\mathrm{def}}{=} (A^{p_i} - \lambda I)^T u_2, \quad \ldots$$

until we reach a number r such that $u_{r+1} = 0$ (the sequence $u_1, \ldots, u_r$ is known as the Jordan chain of $v_i$). Let $U \in \mathbb{Q}^{r \times n}$ be the matrix whose rows are $u_1, \ldots, u_r$. Then the sequence of equations defining the sequence $u_1, \ldots, u_r$ can be rearranged into the equation $U A^{p_i} = JU$, where $J \in \mathbb{Q}^{r \times r}$ is a Jordan block with $\lambda_i$ on the diagonal. Let $e_1 = \begin{bmatrix} 1 & 0 & \ldots & 0 \end{bmatrix}^T$. For any $k \in \mathbb{N}$, there exists q and s such that $k = q p_i + s$ and $0 \leq s < p_i$, and we have

$$g_i(k, x) = v_i^T A^{q p_i + s} x = e_1^T U A^{q p_i + s} x = e_1^T J^q U A^s x$$

It follows that the formula

$$\varphi_i(k, x, y) \overset{\mathrm{def}}{=} \left(\bigvee_{j=0}^{r} k = j \wedge y = v_i^T A^j x\right) \vee \left(k > r \wedge \bigvee_{s=0}^{p_i - 1} k \equiv s \bmod p_i \wedge y = e_1^T \exp(J, \lfloor k/p_i \rfloor)\, U A^s x\right)$$

is an EPRAlin+ formula that defines $g_i(k, x)$.
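The evaluation $e_1^T J^q U A^s x$ described above, as an added Python example (not code from the paper or its authors): it builds the Jordan chain of a PRSD vector and checks the closed form against running the loop. The function names, the initial state and the 2×2 Jordan-block matrix are constructed for illustration; the 4×4 matrix and its two PRSD triples are the ones the paper gives in Example 6.2.

```python
from fractions import Fraction
from math import comb

def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]

def matpow(M, e):
    n = len(M)
    R = [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]
    for _ in range(e):
        R = matmul(R, M)
    return R

def dot(u, w):
    return sum(a * b for a, b in zip(u, w))

def row_times(v, M):
    """Row vector v^T times matrix M."""
    return [dot(v, col) for col in zip(*M)]

def jordan_chain(Ap, lam, v):
    """u_1 = v, u_{j+1}^T = u_j^T (A^p - lam I), stopping at the first zero vector."""
    chain, u = [], [Fraction(c) for c in v]
    while any(u):
        if len(chain) == len(Ap):
            raise ValueError("v is not a generalized left eigenvector of A^p for lam")
        chain.append(u)
        u = [w - lam * c for w, c in zip(row_times(u, Ap), u)]
    return chain

def term_closed_form(A, triple, k, x):
    """v^T A^k x computed as e_1^T J^q U A^s x, where k = q*p + s and 0 <= s < p."""
    p, lam, v = triple
    lam = Fraction(lam)
    q, s = divmod(k, p)
    chain = jordan_chain(matpow(A, p), lam, v)      # rows u_1..u_r of U
    As_x = [dot(row, x) for row in matpow(A, s)]    # A^s x
    # Row 1 of J^q (Jordan block, lam on the diagonal): entry j is C(q, j) * lam^(q-j).
    return sum(comb(q, j) * lam ** (q - j) * dot(u, As_x)
               for j, u in enumerate(chain) if j <= q)

def term_by_iteration(A, v, k, x):
    """Reference value: run the loop body x := A x for k iterations, then take v^T x."""
    for _ in range(k):
        x = [dot(row, x) for row in A]
    return dot(v, x)

# Matrix of Eqn. (7) and the PRSD triples stated in Example 6.2.
A_EQN7 = [[1, -1, -2, 0], [3, 1, 2, 2], [-1, 0, 0, -1], [4, 1, 1, 2]]
PRSD_EQN7 = [(4, -4, [1, 0, 0, 0]), (4, -4, [0, 1, 2, 0])]
# Constructed matrix whose square has a Jordan block of size 2 for eigenvalue 1.
A_JORDAN = [[-1, 1], [0, -1]]
TRIPLE_JORDAN = (2, 1, [1, 0])

if __name__ == "__main__":
    state = [1, 2, 3, 4]  # constructed initial values of (w, x, y, z)
    for k in range(9):
        print(k, [term_closed_form(A_EQN7, t, k, state) for t in PRSD_EQN7])
```

For the triples of Example 6.2 the chain has length 1, so the closed form reduces to $\lambda^q\, v^T A^s x$; the constructed Jordan-block case exercises the binomial terms.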

5.2 Polynomial and Linear Closed Forms


In the preceding sections, we showed that a linear loop can be expressed in exponential-polynomial arithmetic using just rational numbers, provided the transformation matrix has eigenvalues that are all periodic rational. In some applications it may be desirable to express loops in weaker theories, such as polynomial arithmetic (supported by the NIRA theory in SMTLIB) or linear arithmetic. Both cases can be handled using essentially the same technique presented previously in this section.
First, we consider the polynomial arithmetic case. Let $f(x) = Ax$ be a linear map. Supposing that the eigenvalues of A are either 0 or a root of unity, then §5.1 computes an exponential-polynomial formula that defines $f^{(-)}$. Every sub-term that is an exponential will be of the form $0^k$, $1^k$, or $(-1)^k$, which can be simplified to 0, 1, and a case split between 1 and -1, respectively. The following result follows:
Corollary 5.7. Let $f(x) = Ax$ be a linear map. There is a polytime algorithm for determining whether each eigenvalue of A is a root of unity, and if so, computing a PRAlin+ formula that defines $f^{(-)}$.
The question of when an iterated linear map can be expressed in linear arithmetic was resolved by Boigelot (Thm. 4.3). However, Boigelot's construction of a formula that defines $f^{(k)}$ requires exponential space, because it constructs the power $A^p$ for which A has all eigenvalues in {0, 1}. By employing the periodic rational spectral decomposition, it is possible to improve on Boigelot's result, and construct a linear arithmetic formula in polytime:
Corollary 5.8. Let $f(x) = Ax + b$ be an affine function. There is a polytime algorithm for determining whether there exists some $p \geq 1$ such that $A^p$ is diagonalizable and all of its eigenvalues are either 0 or 1, and if so, computing an LRA formula that defines $f^{(-)}$.

6 APPROXIMATING GENERAL LOOPS


The last section showed how to obtain closed-form representations of a simple class of loops
of the form while (∗) do {x = Ax}, where A is a square rational matrix with periodic rational
eigenvalues. In this section, we show how these results can be put to practical use in program
analysis. In particular, we discuss how to obtain formulas that over-approximate the behavior of
linear loops with arbitrary eigenvalues, general loops (with conditional branching, nested loops,
etc.) and recursive procedures, and loops with guards.

6.1 Approximating General Linear Maps


§5 showed how to compute closed forms for iterated linear maps that satisfy certain conditions. In this sub-section, we ask: what can we do with a linear map that does not satisfy these conditions? We will show that it is possible to compute a best abstraction of a linear map that does satisfy these conditions, which can be used to over-approximate the iterated behavior of the original map.
The key idea is the observation that if the procedure outlined in §5.1 is allowed to continue (instead of reporting failure) when given an input matrix that has eigenvalues that are not periodic rationals, it will produce some formula $\varphi(k, x, y)$. The formula always over-approximates the behavior of the iterated linear map (and captures its behavior exactly when all the eigenvalues are periodic rationals). The nature of this over-approximation is formalized in the following.
Let $f : \mathbb{Q}^n \to \mathbb{Q}^n$ be a linear map, and let $\mathcal{A}$ be a class of linear maps (e.g., linear maps with rational eigenvalues). A linear abstraction of f in $\mathcal{A}$ consists of a pair of functions $\alpha : \mathbb{Q}^n \to \mathbb{Q}^m$ and $f^\sharp : \mathbb{Q}^m \to \mathbb{Q}^m$ such that $\alpha \circ f = f^\sharp \circ \alpha$ and $f^\sharp \in \mathcal{A}$. Any linear abstraction of a function over-approximates its behavior; we are interested in the abstraction that is best (most precise).
We say that a linear abstraction (α, f ♯ ) of f in A is a best abstraction if for any other linear
abstraction (β, д) of f in A, there is some linear transformation α so that α ◦ α = β.1
¹ In the language of category theory: let LDS be the category of linear dynamical systems, where the objects are linear maps from a rational vector space to itself and arrows are linear simulations: we have an arrow $\alpha : f \to f^\sharp$ iff $\alpha \circ f = f^\sharp \circ \alpha$. We


Proposition 6.1. The class of linear maps with rational eigenvalues admits best abstractions.
Proof. Let $f(x) = Ax$ be a linear map of dimension n and let $\{(p_1, \lambda_1, v_1), \ldots, (p_m, \lambda_m, v_m)\}$ be a periodic rational spectral decomposition of A. Let V be the matrix whose rows are $v_1^T, \ldots, v_m^T$.
First, we show that there exists a unique square matrix $U \in \mathbb{Q}^{m \times m}$ such that $VA = UV$. Let P be the algebraic vector space spanned by the generalized eigenvectors of periodic rational eigenvalues of A:

$$P = \mathrm{span}\{v : \exists \lambda \in \overline{\mathbb{Q}}.\ \exists p \geq 1.\ \exists r \geq 1.\ \lambda^p \in \mathbb{Q} \wedge v^T (A - \lambda I)^r = 0\} .$$

It is easy to check that for all $v \in P$ we have $v^T A \in P$. By Lem. 5.6, $\{v_1, \ldots, v_m\}$ is a basis for P, so for all $i \in \{1, \ldots, m\}$ there exists a unique $u_i$ such that $v_i^T A = u_i^T V$. Taking U to be the matrix whose rows are $u_1^T, \ldots, u_m^T$, we have $VA = UV$.
Next, we show that U has periodic rational eigenvalues. Suppose that w is a nonzero vector and that $w^T U = \lambda w^T$ for some $\lambda$. Then $w^T UV = \lambda w^T V$, and since $UV = VA$ we have $(w^T V)A = \lambda (w^T V)$. It follows that either $w^T V$ is 0 or $w^T V$ is a left eigenvector of A with corresponding eigenvalue $\lambda$. Since the rows of V are linearly independent, and w is nonzero, $w^T V$ is nonzero. Since $w^T V$ is a left eigenvector of A with corresponding eigenvalue $\lambda$ and is in P, we have that $\lambda$ must be periodic rational.
Finally, we show that $(V, U)$ is a best abstraction. Suppose that $(W, T)$ is another abstraction of A (i.e., $TW = WA$ and T has periodic rational eigenvalues) with dimension $m'$. Let $\{(q_1, \alpha_1, s_1), \ldots, (q_{m'}, \alpha_{m'}, s_{m'})\}$ be a PRSD of T, and let S be the matrix whose rows are $s_1, \ldots, s_{m'}$. By assumption the eigenvalues of T are periodic rational, so its generalized eigenvectors span $\mathbb{Q}^{m'}$ and S is invertible. Observe that for every q, r, and $\alpha$, we have

$$(T^q - \alpha I)^r W = \left(\sum_{i=0}^{r} \binom{r}{i} T^{qi} (-\alpha)^{r-i}\right) W = \sum_{i=0}^{r} \binom{r}{i} W A^{qi} (-\alpha)^{r-i} = W (A^q - \alpha I)^r .$$

We construct a matrix Z such that for each row $z_i^T$ we have $z_i^T V = s_i^T W$ as follows. For each $s_i$, there is some r such that $s_i^T (T^{q_i} - \alpha_i I)^r = 0$. From the above argument, we have that $s_i^T W (A^{q_i} - \alpha_i I)^r = s_i^T (T^{q_i} - \alpha_i I)^r W = 0$, and so $s_i^T W$ is either 0 or a generalized periodic eigenvector of A. In the former case define $z_i$ to be 0, and in the latter define $z_i$ to be the unique solution to $z_i^T V = s_i^T W$. We have $ZV = SW$, and so by taking $W = S^{-1}Z$ we have $WV = S^{-1}ZV = S^{-1}SW = W$. □
Example 6.2. Consider the linear loop
while (∗) do

$$\begin{bmatrix} w \\ x \\ y \\ z \end{bmatrix} = \underbrace{\begin{bmatrix} 1 & -1 & -2 & 0 \\ 3 & 1 & 2 & 2 \\ -1 & 0 & 0 & -1 \\ 4 & 1 & 1 & 2 \end{bmatrix}}_{A} \begin{bmatrix} w \\ x \\ y \\ z \end{bmatrix} \tag{7}$$

This loop differs from the loops in Fig. 1(a), Fig. 1(b), and Fig. 3, in that its transformation matrix has eigenvalues that are not periodic rational. That is, there is no power p for which the eigenvalues of $A^p_{\text{Eqn. (7)}}$ are rational. However, the transformation matrix of Eqn. (7) does exhibit some periodic rational behavior. In particular, the four eigenvalues of

$$A^4_{\text{Eqn. (7)}} = \begin{bmatrix} -4 & 0 & 0 & 0 \\ 66 & -28 & -66 & 24 \\ -33 & 12 & 29 & -12 \\ 78 & -33 & -78 & 29 \end{bmatrix}$$

are −4,

say that a subcategory of LDS admits best abstractions if the inclusion functor into LDS has a left adjoint. See [Kincaid
2018] for more details on this view.


with multiplicity 2, and non-rationals that are approximately 33.9706 and 0.0294373. In other words, for $p = 4$ some of the eigenvalues of $A^p_{\text{Eqn. (7)}}$ are rational, and some are not.
The eigenvalues of $A_{\text{Eqn. (7)}}$ are $1 \pm i$ and $1 \pm \sqrt{2}$. While $1 + i$ and $1 - i$ are periodic rationals, $1 + \sqrt{2}$ and $1 - \sqrt{2}$ are not.
The periodic rational spectral decomposition of $A_{\text{Eqn. (7)}}$ is $\{(4, -4, \begin{bmatrix} 1 & 0 & 0 & 0 \end{bmatrix}), (4, -4, \begin{bmatrix} 0 & 1 & 2 & 0 \end{bmatrix})\}$, from which we see that the best linear abstraction of $A_{\text{Eqn. (7)}}$ is $\left(\begin{bmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 2 & 0 \end{bmatrix}, \begin{bmatrix} 1 & -1 \\ 1 & 1 \end{bmatrix}\right)$, which can be realized as the loop
while (∗) do

$$\begin{bmatrix} w \\ x + 2y \end{bmatrix} = \begin{bmatrix} 1 & -1 \\ 1 & 1 \end{bmatrix} \begin{bmatrix} w \\ x + 2y \end{bmatrix} \tag{8}$$

This abstraction of Eqn. (7) yields the following over-approximation of Eqn. (7)'s behavior:

$$\begin{aligned}
&\left(k \equiv 0 \bmod 4 \wedge w' = (-4)^{\lfloor k/4 \rfloor} w \wedge (x' + 2y') = (-4)^{\lfloor k/4 \rfloor} (x + 2y)\right) \\
\vee\ &\left(k \equiv 1 \bmod 4 \wedge w' = (-4)^{\lfloor k/4 \rfloor} (w - x - 2y) \wedge (x' + 2y') = (-4)^{\lfloor k/4 \rfloor} (w + x - 2y)\right) \\
\vee\ &\left(k \equiv 2 \bmod 4 \wedge w' = (-4)^{\lfloor k/4 \rfloor} (-2x - 4y) \wedge (x' + 2y') = (-4)^{\lfloor k/4 \rfloor} (2w)\right) \\
\vee\ &\left(k \equiv 3 \bmod 4 \wedge w' = (-4)^{\lfloor k/4 \rfloor} (-2w - 2x - 4y) \wedge (x' + 2y') = (-4)^{\lfloor k/4 \rfloor} (2w - 2x + 4y)\right) .
\end{aligned} \tag{9}$$

Eqn. (9) expresses an overapproximation of the behavior of Eqn. (7) because Eqn. (8) tracks only the values of variable w and the expression x + 2y. Moreover, because Eqn. (8) is the best linear-loop abstraction of Eqn. (7), Eqn. (9) is the best closed form for Eqn. (7) that is expressible in exponential-polynomial rational arithmetic. □
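Alg. 1 and the matrix U of Prop. 6.1, run on the matrix of Eqn. (7), as an added Python example (not the authors' implementation). Assumptions: the polynomial-factoring step the paper cites is replaced by a rational-root-theorem search that is only practical for small matrices, the loop exits early once D spans $\mathbb{Q}^n$, basis vectors are scaled to coprime integers, and all function names are illustrative.

```python
from fractions import Fraction
from functools import reduce
from math import gcd

def matmul(X, Y):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*Y)] for row in X]

def identity(n):
    return [[Fraction(int(i == j)) for j in range(n)] for i in range(n)]

def charpoly(A):
    """Coefficients of det(xI - A), highest degree first (Faddeev-LeVerrier)."""
    n, coeffs, M = len(A), [Fraction(1)], identity(len(A))
    for k in range(1, n + 1):
        AM = matmul(A, M)
        ck = -sum(AM[i][i] for i in range(n)) / k
        coeffs.append(ck)
        M = [[AM[i][j] + (ck if i == j else 0) for j in range(n)] for i in range(n)]
    return coeffs

def divisors(m):
    """Positive divisors of |m| by trial division (adequate for small examples)."""
    m, divs, d = abs(m), [1], 2
    while m > 1:
        d, e = (m if d * d > m else d), 0  # once d*d > m the cofactor is prime
        while m % d == 0:
            m, e = m // d, e + 1
        divs = [x * d ** i for x in divs for i in range(e + 1)]
        d += 1
    return divs

def to_integers(values):
    """Clear denominators: multiply by the lcm of the denominators."""
    scale = reduce(lambda s, x: s * x.denominator // gcd(s, x.denominator), values, 1)
    return [int(x * scale) for x in values]

def rational_roots(coeffs):
    """All rational roots of the polynomial, by the rational-root theorem."""
    coeffs, roots = list(coeffs), set()
    while coeffs[-1] == 0:  # factor out x: 0 is a root
        roots.add(Fraction(0))
        coeffs.pop()
    ints = to_integers(coeffs)
    for num in divisors(ints[-1]):
        for den in divisors(ints[0]):
            for cand in (Fraction(num, den), Fraction(-num, den)):
                if sum(c * cand ** i for i, c in enumerate(reversed(ints))) == 0:
                    roots.add(cand)
    return roots

def nullspace(rows):
    """Basis of {v : rows * v = 0} over Q, by Gauss-Jordan elimination."""
    rows = [[Fraction(x) for x in r] for r in rows]
    ncols, pivots = len(rows[0]), []
    for c in range(ncols):
        r = len(pivots)
        piv = next((i for i in range(r, len(rows)) if rows[i][c] != 0), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        rows[r] = [x / rows[r][c] for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c] != 0:
                rows[i] = [a - rows[i][c] * b for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
    def vec(f):  # free variable f set to 1, pivot variables solved for
        coords = dict(zip(pivots, (-row[f] for row in rows)))
        return [coords.get(c, Fraction(int(c == f))) for c in range(ncols)]
    return [vec(f) for f in range(ncols) if f not in pivots]

def prsd(A, max_period=None):
    """Alg. 1: triples (p, lam, v), v a generalized left eigenvector of A^p for lam."""
    n, A = len(A), [[Fraction(x) for x in row] for row in A]
    D, Ap = [], identity(n)
    for p in range(1, (max_period or n ** 3) + 1):
        Ap = matmul(Ap, A)
        for lam in sorted(rational_roots(charpoly(Ap))):
            shifted = [[Ap[i][j] - (lam if i == j else 0) for j in range(n)] for i in range(n)]
            N = reduce(matmul, [shifted] * n)    # (A^p - lam I)^n
            for b in nullspace(list(zip(*N))):   # solves b^T N = 0
                if not nullspace(list(zip(*[v for _, _, v in D], b))):  # independent of D
                    ints = to_integers(b)
                    D.append((p, lam, [Fraction(i, reduce(gcd, ints)) for i in ints]))
        if len(D) == n:  # D already spans Q^n; later periods add nothing
            break
    return D

def best_abstraction(A, D):
    """(V, U) with V A = U V; the rows of V are the PRSD vectors (Prop. 6.1)."""
    V, U = [v for _, _, v in D], []
    for target in matmul(V, A):                  # v_i^T A, to be written as u_i^T V
        aug = [list(col) + [t] for col, t in zip(zip(*V), target)]  # [V^T | target]
        (sol,) = nullspace(aug)                  # spanned by (-u_i, 1)
        U.append([-c for c in sol[:-1]])
    return V, U

A_EQN7 = [[1, -1, -2, 0], [3, 1, 2, 2], [-1, 0, 0, -1], [4, 1, 1, 2]]  # Eqn. (7)
if __name__ == "__main__":
    print(best_abstraction(A_EQN7, prsd(A_EQN7)))
```

On this input the search visits every period up to $n^3 = 64$ because the decomposition never spans $\mathbb{Q}^4$; only the periods divisible by 4 yield a rational eigenvalue.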

6.2 Control Flow and Recursive Procedures


We now discuss how we may analyze the behavior of general programs. First, we consider a simple
structured programming language. Let X denote a finite set of program variables, and define the
syntax of programs as follows:
s, t ∈ Expr ::= x ∈ X | n ∈ Z | s + t | st
c ∈ Cond ::= s ≤ t | s = t | s ≤ c 1 ∧ c 2 | c 1 ∨ c 2 | ¬c
P ∈ Program ::= x := t | P1 ;P 2 | if c then P1 else P2 | while c do P
A transition formula is a formula (in the language defined in §4, extended with existential quantification) over the program variables X and a set of primed copies X′, representing the values of the program variables before and after executing some program. Our goal is to compute, for any given program P, a transition formula $TF[\![P]\!]$ that over-approximates its behavior. Such a formula can be computed by recursion on the program's syntax:

$$\begin{aligned}
TF[\![x := e]\!] &\overset{\mathrm{def}}{=} x' = e \wedge \bigwedge_{y \neq x \in X} y' = y \\
TF[\![\textbf{if } c \textbf{ then } P_1 \textbf{ else } P_2]\!] &\overset{\mathrm{def}}{=} (c \wedge TF[\![P_1]\!]) \vee (\neg c \wedge TF[\![P_2]\!]) \\
TF[\![P_1; P_2]\!] &\overset{\mathrm{def}}{=} \exists X''.\ TF[\![P_1]\!][X' \mapsto X''] \wedge TF[\![P_2]\!][X \mapsto X''] \\
TF[\![\textbf{while } c \textbf{ do } P]\!] &\overset{\mathrm{def}}{=} loop(c \wedge TF[\![P]\!]) \wedge (\neg c[X \mapsto X'])
\end{aligned}$$

where loop is a function that over-approximates the transitive closure of a transition formula. Thus, the essential problem is to design the function loop.


We now show how to use the results of the previous section to implement a function loop that over-approximates transitive closure. Let F be a transition formula. Using the algorithm from [Kincaid et al. 2018, §5.3], we may compute an affine transformation that simulates F, in the following sense. The algorithm computes a (simulation) matrix $S \in \mathbb{Q}^{n \times |X|}$, a (transformation) matrix $A \in \mathbb{Q}^{n \times n}$, and a vector $b \in \mathbb{Q}^n$ such that $F(X, X') \models Sx' = A(Sx) + b$, where x and x′ are column vectors containing the variables X and X′, respectively. The entailment $F(X, X') \models Sx' = A(Sx) + b$ can be understood as saying that for every transition of the formula F, there is a corresponding transition of the affine map $f(y) = Ay + b$, where the correspondence between the state-spaces of F and f is given by the simulation matrix S. We may represent the affine transformation f as a linear transformation by adding a dimension: define

$$\hat{A} \overset{\mathrm{def}}{=} \begin{bmatrix} A & b \\ 0 & 1 \end{bmatrix} \qquad \hat{S} \overset{\mathrm{def}}{=} \begin{bmatrix} S & 0 \\ 0 & 1 \end{bmatrix} \qquad \hat{x} \overset{\mathrm{def}}{=} \begin{bmatrix} x \\ 1 \end{bmatrix} \qquad \hat{x}' \overset{\mathrm{def}}{=} \begin{bmatrix} x' \\ 1 \end{bmatrix}$$

Let $\{(p_1, \lambda_1, v_1), \ldots, (p_m, \lambda_m, v_m)\}$ be a periodic rational spectral decomposition of $\hat{A}$. By the results of the previous section, for each $i \in \{1, \ldots, m\}$, we can compute a formula $\varphi_i(k, y, z)$ such that $\varphi_i(k, y, z)$ holds exactly when $z = v_i^T \hat{A}^k (y)$. Finally, we take:

$$loop(F) \overset{\mathrm{def}}{=} \exists k \in \mathbb{N}.\ \bigwedge_{i=1}^{m} \varphi_i(k, \hat{S}\hat{x}, v_i^T \hat{S}\hat{x}') .$$

Thus we have shown that the techniques introduced in the last section can be used to analyze programs in a simple structured programming language. Following [Farzan and Kincaid 2015], this analysis can be extended to programs with arbitrary control flow (e.g., goto) using the framework of algebraic program analysis [Tarjan 1981a,b]. Following [Kincaid et al. 2017], this analysis can be extended to a language with recursive procedures (using the same function loop to analyze recursion) using a tensor-product construction [Reps et al. 2016].
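Example 6.3. Consider loop (a) given below:

(a)
while (∗) do
    int tmp = x + z − y;
    if (∗) x = x + y;
    else z = z + y;
    y = tmp;

(b)
while (∗) do

$$\begin{bmatrix} x + z \\ y \end{bmatrix} = \begin{bmatrix} 1 & 1 \\ 1 & -1 \end{bmatrix} \begin{bmatrix} x + z \\ y \end{bmatrix} \tag{10}$$

We cannot characterize the value-sequences of x and z because of the nondeterministic branch in the loop body; however, we can characterize the value-sequence of the sum x + z. In particular, the sequence for x + z and y is

$$\begin{pmatrix} x_0 + z_0 \\ y_0 \end{pmatrix}, \begin{pmatrix} x_0 + z_0 + y_0 \\ x_0 + z_0 - y_0 \end{pmatrix}, \begin{pmatrix} 2x_0 + 2z_0 \\ 2y_0 \end{pmatrix}, \begin{pmatrix} 2x_0 + 2z_0 + 2y_0 \\ 2x_0 + 2z_0 - 2y_0 \end{pmatrix}, \begin{pmatrix} 4x_0 + 4z_0 \\ 4y_0 \end{pmatrix}, \begin{pmatrix} 4x_0 + 4z_0 + 4y_0 \\ 4x_0 + 4z_0 - 4y_0 \end{pmatrix}, \ldots$$

In essence, we can track the values produced by the alternative, non-branching loop (b). From this loop, we obtain the three-part formula

$$\begin{aligned}
&\left((x' + z' = x_0 + z_0) \wedge (y' = y_0) \wedge (k = 0)\right) \\
\vee\ &\left((x' + z' = 2^{\lfloor k/2 \rfloor}(x_0 + z_0)) \wedge (y' = 2^{\lfloor k/2 \rfloor} y_0) \wedge (k > 0) \wedge (k \equiv 0 \bmod 2)\right) \\
\vee\ &\left((x' + z' = 2^{\lfloor k/2 \rfloor}(x_0 + z_0) + 2^{\lfloor k/2 \rfloor} y_0) \wedge (y' = 2^{\lfloor k/2 \rfloor}(x_0 + z_0) - 2^{\lfloor k/2 \rfloor} y_0) \wedge (k \equiv 1 \bmod 2)\right)
\end{aligned} \tag{11}$$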


6.3 Approximating Loop Guards


The methods that we have developed so far have assumed that loops have nondeterministic guards.
However, the guard of a loop is typically crucial to reasoning about its behavior. In this section, we
explain how to approximate loop guards.
Given a transition formula F (X , X ′ ) representing the action of the loop, we can recover infor-
mation about the pre-condition of the loop with the formula ∃X ′ .F (X , X ′ ) and we can recover
information about the post-condition of the loop with the formula ∃X .F (X , X ′ ). We may then
strengthen the formula loop(F ) with the conjunct k = 0 ∨ ((∃X ′ .F (X , X ′ )) ∧ (∃X .F (X , X ′ ))).
The strengthened formula ensures that the pre-condition of the loop holds in the initial state (and
the post-condition holds in the final state). Ideally, we would like to have a formula that ensures
that the pre-condition holds at every intermediate state. As shown by Finkel and Leroux [2002],
such a formula can be computed in the case that F is a linear formula and its reachability relation is
definable in Presburger arithmetic, by employing quantifier elimination for Presburger arithmetic.
Using the periodic rational spectral decomposition, we obtain a formula that is equivalent for loops
that satisfy the above condition, and produces an over-approximation for loops that do not.
Let $F(X, X')$ be a transition formula, let $f(y) = Ay + b$ be an over-approximating affine map with simulation matrix S, and let $\hat{A}$, $\hat{S}$, $\hat{x}$, and $\hat{x}'$ be as above. Let $\{(p_1, \lambda_1, v_1), \ldots, (p_m, \lambda_m, v_m)\}$ be a PRSD of $\hat{A}$. For any i, we say that $v_i^T \hat{A}\hat{x}$ is a Presburger-definable term if its dynamics are governed by a Presburger arithmetic formula (i.e., $\varphi_i(k, \hat{S}\hat{x}, v_i^T \hat{S}\hat{x}')$ is in Presburger arithmetic, or equivalently $\lambda_i \in \{-1, 0, 1\}$ and $v_i^T \hat{A}^p = \lambda_i v$). Let L be the set of indices of Presburger-definable terms:

$$L \overset{\mathrm{def}}{=} \{i \in \{1, \ldots, m\} : \lambda_i \in \{-1, 0, 1\} \wedge v_i^T \hat{A}^p = \lambda_i v^T\}$$

Let $F_{\mathrm{lin}}$ be a linear formula that over-approximates F [Farzan and Kincaid 2015, §IV]. Define a formula P to be the formula $F_{\mathrm{lin}}$ projected onto the space spanned by the Presburger-definable terms of F:

$$P \overset{\mathrm{def}}{=} \left(\exists X, X'.\ \left(F_{\mathrm{lin}}(X, X') \wedge \bigwedge_{i \in L} z_i = v_i^T \hat{A}\hat{x}\right)\right)$$

where the $z_i$'s are fresh variables introduced to represent each Presburger-definable term. Define a formula G that constrains the Presburger-definable terms of F to satisfy the guard P at every iteration before k:

$$G \overset{\mathrm{def}}{=} \forall \ell \in \mathbb{N}.\ \ell < k \Rightarrow \left(\left(\bigwedge_{i \in L} \varphi_i(\ell, \hat{S}\hat{x}, v_i^T \hat{S}\hat{x}')\right) \wedge \left(P[z_i \mapsto v_i^T \hat{A}\hat{x}']_{i \in L}\right)\right) .$$

The formula G is in Presburger arithmetic, and its quantifiers may be eliminated. Finally, we may strengthen loop(F) with G:

$$loop(F) \overset{\mathrm{def}}{=} \exists k \in \mathbb{N}.\ G \wedge \bigwedge_{i=1}^{m} \varphi_i(k, \hat{S}\hat{x}, v_i^T \hat{S}\hat{x}') .$$

Example 6.4. Consider the following loop:

while (i ≠ 10 ∧ x < 100) do
    i = i + 1;
    x = x + i;


The term i is Presburger-definable, while x is not (i.e., the technique of [Finkel and Leroux 2002] does not apply). Following the construction above, we obtain

$$G = \forall \ell \in \mathbb{N}.\ \ell < k \Rightarrow i + \ell \neq 10 \ \equiv\ i > 10 \vee i + k \leq 10$$
$$loop(F) = \exists k \in \mathbb{N}.\ G \wedge i' = i + k \wedge x' = i(i + 1)/2 .$$

As a result, we can prove that if this loop is executed in a state satisfying the precondition i = 0 ∧ x = 0, then the loop will take exactly 10 iterations and terminate in a state satisfying i = 10 ∧ x = 55. That is, we see that (for this particular example) having exact information about the Presburger-definable term i allows us to recover exact information about the term x that has non-linear dynamics.

7 DECISION PROCEDURES FOR LINEAR LOOPS


This section establishes decision procedures for fragments of the logic EPRA defined in ğ4, and as
a consequence, proves decidability of some problems related to program verification. The main
technical result of this section is that the logical fragment required to express closed forms of
iterated maps with periodic rational eigenvalues is decidable:
Theorem 7.1. The satisfiability problem for EPRAlin is decidable over the rationals. That is, there
is a procedure that, given a formula ϕ (k, x) ∈ EPRAlin in m free variables x plus the distinguished
variable k, determines whether there exists some m ∈ N and v ∈ Qn such that ϕ (m, v) holds.
From this theorem and the results of last section (Prop. 5.2), the following two corollaries are
immediate:
Corollary 7.2. The following problem is decidable: given linear arithmetic formulas P and Q and
a matrix A with periodic rational eigenvalues, determine whether the Hoare triple
{P } while (∗)do x := Ax {Q }
is valid.
Corollary 7.3. The following problem is decidable: given a rational vector x0 , a linear arithmetic
formula C, and a matrix A with periodic rational eigenvalues, determine whether the program
while (C) do x := Ax
terminates starting from x0 .
The proof of Thm. 7.1 proceeds in two steps:
(1) we show how to obtain an equi-satisfiable formula in which the only free variable is the
distinguished variable k
(2) we show that it is possible to compute a cut-off value N such that testing satisfiability of the
original formula can be reduced to testing satisfiability of a Presburger formula and checking
all values less than N .
(1) Eliminate variables. Given a formula ϕ and a variable x (not the distinguished variable
k), it is possible to compute a quantifier-free formula equivalent to ∃x ∈ Q.ϕ. The method is
essentially the same as [Loos and Weispfenning 1993], adapted to the setting of exponential-
polynomials. The idea behind virtual substitution-based quantifier elimination is that although
existential quantification conceptually corresponds to an infinite disjunction of substitution
instances, $(\exists x.\varphi) \equiv \bigvee_{t \in \mathit{Term}} \varphi[x \mapsto t]$, it is possible to represent the infinite disjunction with a finite
disjunction of virtual substitution instances. That is, rather than the infinite set Term of terms,
we take the disjunction over a finite set of virtual terms that do not belong to the syntax of our
language, but for which substitution can nonetheless be defined.


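Let A(ϕ, x) denote the set of atomic subformulas of ϕ in which the variable x appears. Without
loss of generality, suppose that each atom in ϕ that contains x is written as ex < s or ex = s (x not
in s in either case). There are three virtual terms of interest: the quotient (s/e), with e assumed to
be positive; the quotient (s/e) − ϵ, offset by an infinitesimal and e assumed to be positive; and ∞.
Define the virtual substitution of a virtual term v for x, denoted [x//v], recursively as follows:
$$
\begin{aligned}
(\varphi \lor \psi)[x/\!/v] &\overset{\mathrm{def}}{=} (\varphi[x/\!/v] \lor \psi[x/\!/v]) \\
(\varphi \land \psi)[x/\!/v] &\overset{\mathrm{def}}{=} (\varphi[x/\!/v] \land \psi[x/\!/v]) \\
(\tilde{e}x = t)[x/\!/(s/e)] &\overset{\mathrm{def}}{=} (\tilde{e}s = et) \\
(\tilde{e}x < t)[x/\!/(s/e)] &\overset{\mathrm{def}}{=} (\tilde{e}s < et) \\
(\tilde{e}x = t)[x/\!/(s/e - \epsilon)] &\overset{\mathrm{def}}{=} (\tilde{e} = 0 \land t = 0) \\
(\tilde{e}x < t)[x/\!/(s/e - \epsilon)] &\overset{\mathrm{def}}{=} (\tilde{e} \leq 0 \land \tilde{e}s < et) \lor (0 < \tilde{e} \land \tilde{e}s \leq et) \\
(\tilde{e}x = t)[x/\!/\infty] &\overset{\mathrm{def}}{=} (\tilde{e} = 0 \land t = 0) \\
(\tilde{e}x < t)[x/\!/\infty] &\overset{\mathrm{def}}{=} ((\tilde{e} = 0 \land 0 < t) \lor \tilde{e} < 0) \\
\mathit{atom}[x/\!/v] &\overset{\mathrm{def}}{=} \mathit{atom} \quad \text{for any atom not containing } x
\end{aligned}
$$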

Suppose that M is a model of ϕ. Then there are three cases:


(1) There is some ex = s ∈ A(ϕ, x) such that $M \models ex = s$ and $[\![e]\!]^{M} \neq 0$. If $[\![e]\!]^{M} > 0$, then we must
have $M \models \varphi[x/\!/(s/e)]$; otherwise, we have $M \models \varphi[x/\!/((-s)/(-e))]$.
(2) There is some ex < s ∈ A(ϕ, x) such that $M \models ex < s$ and $[\![e]\!]^{M} > 0$. Suppose further that
ex < s is selected so that $[\![s]\!]^{M}/[\![e]\!]^{M}$ is least among all other atoms satisfying this property (i.e.,
if e′x < s′ ∈ A(ϕ, x), $M \models e'x < s'$, and $[\![e']\!]^{M} > 0$, then $[\![s]\!]^{M}/[\![e]\!]^{M} \leq [\![s']\!]^{M}/[\![e']\!]^{M}$). Then we
have $M \models \varphi[x/\!/(s/e - \epsilon)]$.
(3) None of the above cases hold. Then we have $M \models \varphi[x/\!/\infty]$.
Thus, we may take

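$$
\begin{aligned}
\psi \;\overset{\mathrm{def}}{=}\; & \Bigg( \bigvee_{(ex = s) \in A(\varphi, x)} (e > 0 \land \varphi[x/\!/(s/e)]) \lor (e < 0 \land \varphi[x/\!/((-s)/(-e))]) \Bigg) \\
& \lor \Bigg( \bigvee_{(ex < s) \in A(\varphi, x)} (e > 0 \land \varphi[x/\!/(s/e - \epsilon)]) \Bigg) \\
& \lor \varphi[x/\!/\infty]
\end{aligned}
$$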

By the above, ψ is equivalent to ∃x .ϕ.


By applying this procedure to every variable symbol other than the distinguished variable k, we
have reduced the problem of deciding satisfiability of an EPRAlin formula to deciding satisfiability
of an EPRAlin formula in which the only variable is k.

(2) Bound solutions. We further reduce the problem to the case that each exponential term $\lambda^k$ has
λ > 0 by observing that if λ < 0 we have the following equivalence:

$$\psi \equiv (k \equiv 0 \bmod 2 \land \psi[\lambda^k \mapsto |\lambda|^k]) \lor (k \equiv 1 \bmod 2 \land \psi[\lambda^k \mapsto -|\lambda|^k]) .$$


So suppose w.l.o.g. that the exponential terms of ψ have positive base. We further suppose that each
atom in ψ is either a divisibility predicate or a comparison written in the form $e(k) \bowtie 0$ (where
$\bowtie\; \in \{=, <\}$).
We will now show that for each comparison atom $e(k) \bowtie 0$ in ψ, there exists some N(atom) ∈ N
such that either atom is true for all k ≥ N(atom) (“atom is ultimately true”) or atom is false for
all k ≥ N(atom) (“atom is ultimately false”). Let Ultimate(ψ) denote the (Presburger arithmetic)
formula obtained by replacing each comparison atom with its ultimate truth value, and leaving
the divisibility predicates unchanged. Letting N(ψ) be the maximum among N(atom) for all atoms
appearing in ψ, we have that ψ is satisfiable if and only if Ultimate(ψ) is satisfiable or $\psi[k \mapsto m]$
holds for some m ≤ N(ψ). So provided that N(atom) is computable, decidability of EPRAlin follows.
Non-trivial exponential-polynomial functions are continuous and have finitely many roots. For
any comparison atom $e(k) \bowtie 0$, it is sufficient to choose $N(e(k) \bowtie 0)$ to be any upper bound on
the roots of e(k) (since thereafter e(k) does not change sign, and the truth value of $e(k) \bowtie 0$ does
not change). Alg. 2 gives an algorithm for finding an upper bound on the roots of an exponential-
polynomial. The algorithm is not new (e.g., it is a special case of bounding roots of an exponential-
polynomial over the algebraic numbers with a dominant exponential term; see, e.g., [Halava et al.
2005]); we present it here for the sake of completeness and because the rational case is simpler and
more accessible. The idea behind the algorithm is that the behavior of an exponential polynomial
$$e(k) = a_1 \lambda_1^k k^{d_1} + \cdots + a_n \lambda_n^k k^{d_n}$$
is eventually dominated by the term $a_m \lambda_m^k k^{d_m}$ such that (1) $\lambda_m$ is greatest among all exponential
bases and (2) the degree $d_i$ is greatest among all terms with exponential base $\lambda_m$. The function
e(k) tends to ±∞, depending on the sign of the coefficient $a_i$. Suppose that $a_i$ is positive (and e(k)
tends to +∞); the other case is symmetric. Since multiplying a function by an exponential does
not change its sign, it is sufficient to bound the roots of $(1/\lambda_m)^k e(k)$. We have
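$$
\begin{aligned}
(1/\lambda_m)^k e(k) &= \sum_{i=1}^{n} a_i (\lambda_i/\lambda_m)^k k^{d_i} \\
&\geq a_m k^{d_m} + \Bigg( \sum_{\substack{i=1 \\ a_i < 0}}^{n} a_i (\lambda_i/\lambda_m)^k k^{d_i} \Bigg) \\
&= \underbrace{a_m k^{d_m} + \Bigg( \sum_{\substack{i=1 \\ a_i < 0,\ \lambda_i = \lambda_m}}^{n} a_i k^{d_i} \Bigg)}_{\text{polynomial, eventually } \geq 1} + \underbrace{\Bigg( \sum_{\substack{i=1 \\ a_i < 0,\ \lambda_i \neq \lambda_m}}^{n} a_i (\lambda_i/\lambda_m)^k k^{d_i} \Bigg)}_{\text{tends to } 0}
\end{aligned}
$$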

Let $\hat{e}(k)$ denote the exponential polynomial above and let p(k) denote the polynomial term on
the left-hand side of the sum. We have that p(k) tends to ∞ unless $d_m = 1$ (in which case p(k) is
the constant 1 polynomial), and each term $a_i (\lambda_i/\lambda_m)^k k^{d_i}$ is negative on the domain k ∈ [0, ∞)
(since $a_i < 0$) and tends to 0 (since $\lambda_i/\lambda_m < 1$). We may bound the roots of e(k) by finding a
number B such that p(k) and each $a_i (\lambda_i/\lambda_m)^k k^{d_i}$ is increasing on the domain k ∈ [B, ∞), and then
subsequently finding a constant N such that $\hat{e}(N)$ is positive: e may have no roots larger than N.
For the polynomial term p(k), we may find a bound $B_p$ such that p(k) is positive and increasing on
$k \in [B_p, \infty)$ by bounding the roots of p and its first derivative; e.g., Cauchy’s bound gives $B_p = 1 - a_j/a_m$,
where $a_j$ is the smallest (negative) coefficient in p (line (7)). For each exponential-polynomial
term $a_i (\lambda_i/\lambda_m)^k k^{d_i}$ we can compute a bound $B_i$ as follows. Consider the term $a_i (\lambda_i/\lambda_m)^k k^{d_i}$ as a
sequence $\big( a_i (\lambda_i/\lambda_m)^k k^{d_i} \big)_{k=0}^{\infty}$. The difference between consecutive terms of this sequence is given
by the exponential polynomial
$$
\begin{aligned}
a_i (\lambda_i/\lambda_m)^{k+1} (k+1)^{d_i} - a_i (\lambda_i/\lambda_m)^k k^{d_i} &= a_i (\lambda_i/\lambda_m)^k \big( (\lambda_i/\lambda_m)(k+1)^{d_i} - k^{d_i} \big) \\
&= a_i (\lambda_i/\lambda_m)^k \Bigg( ((\lambda_i/\lambda_m) - 1) k^{d_i} + \sum_{j=0}^{d_i - 1} \binom{d_i}{j} k^j \Bigg) .
\end{aligned}
$$
Multiplying the consecutive difference by the exponential $(\lambda_m/\lambda_i)^k$ gives a polynomial that has the
same sign as the consecutive difference. Again applying Cauchy’s bound, we have that the sequence
is negative and increasing on $k \in [B_i, \infty)$ where $B_i = 1 + \binom{d_i}{\lfloor d_i/2 \rfloor} / (1 - (\lambda_i/\lambda_m))$ (line (9)). Taking B
to be the maximum among $B_p$ and all $B_i$, we have that $\hat{e}(k)$ is increasing on k ∈ [B, ∞). We may
then do a linear search starting from B for a value N such that $\hat{e}(N)$ is positive (lines (10)–(12)).

Algorithm 2: RootBound(e)
Data: $e(k) = a_1 \lambda_1^k k^{d_1} + \cdots + a_n \lambda_n^k k^{d_n}$, each $\lambda_i > 0$
Result: Upper bound on the set {z ∈ N : e(z) = 0}
    /* m is the dominant term index */
 1  m ← index such that $\lambda_m = \max\{\lambda_1, \ldots, \lambda_n\}$ and the degree $d_m$ is maximal;
 2  $\hat{e}(k) \leftarrow a_m k^{d_m} + \sum_{i=1,\ \mathrm{sign}(a_i) \neq \mathrm{sign}(a_m)}^{n} a_i (\lambda_i/\lambda_m)^k k^{d_i}$;    /* Sufficient to bound zeros of ê */
    /* Find interval [B, ∞) on which ê is increasing */
 3  B ← 0;
 4  for i = 1 to n do
 5      if $a_i$ and $a_m$ have unequal sign then
 6          if $\lambda_i = \lambda_m$ then
 7              B ← max(B, $1 + |a_i/a_m|$);
 8          else
 9              B ← max(B, $1 + \binom{d_i}{\lfloor d_i/2 \rfloor} / (1 - (\lambda_i/\lambda_m))$);
    /* Find N ≥ B such that ê(N) has the same sign as $a_m$ */
10  N ← B;
11  while ê(N) does not have the same sign as $a_m$ do
12      N ← N + 1;
13  return N
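Alg. 2 and the cut-off argument for a single comparison atom, as an added Python sketch with exact rational arithmetic (not the authors' implementation). The `(a, λ, d)` term encoding, the names `evaluate`, `root_bound` and `first_witness`, and the sample polynomial are assumptions of this sketch; it assumes positive bases and distinct `(λ, d)` pairs.

```python
from fractions import Fraction
from math import ceil, comb

# Constructed sample: e(k) = 2**k - 50*k**2, one (coefficient, base, degree) per term.
SAMPLE = [(1, 2, 0), (-50, 1, 2)]


def sign(q):
    return (q > 0) - (q < 0)


def evaluate(terms, k):
    """Exact value of e(k) = sum of a * lam**k * k**d over the (a, lam, d) terms."""
    return sum(Fraction(a) * Fraction(lam) ** k * k ** d for a, lam, d in terms)


def root_bound(terms):
    """Alg. 2: an integer N such that e(k) keeps the sign of the dominant
    coefficient for every integer k >= N, so every root of e is below N."""
    terms = [(Fraction(a), Fraction(lam), d) for a, lam, d in terms]
    if not terms or any(a == 0 or lam <= 0 or d < 0 for a, lam, d in terms):
        raise ValueError("need non-zero coefficients, positive bases, degrees >= 0")
    # Line 1: dominant term = greatest base, then greatest degree for that base.
    a_m, lam_m, d_m = max(terms, key=lambda t: (t[1], t[2]))
    target = sign(a_m)
    # Line 2: only terms whose sign opposes a_m can delay the dominant term.
    opposing = [(a, lam / lam_m, d) for a, lam, d in terms if sign(a) != target]

    def e_hat(k):
        return a_m * k ** d_m + sum(a * r ** k * k ** d for a, r, d in opposing)

    # Lines 3-9: beyond B, e_hat moves monotonically towards the sign of a_m.
    bound = Fraction(0)
    for a, r, d in opposing:
        if r == 1:
            bound = max(bound, 1 + abs(a / a_m))                 # line 7
        else:
            bound = max(bound, 1 + Fraction(comb(d, d // 2)) / (1 - r))  # line 9
    # Lines 10-12: linear search over the integers, starting at ceil(B).
    n = ceil(bound)
    while sign(e_hat(n)) != target:
        n += 1
    return n


def first_witness(terms, op):
    """Least k in N with e(k) op 0 for op in {'<', '='}, or None if there is none.
    Values below the cut-off are enumerated; from the cut-off on, the atom has
    its ultimate truth value, so one more evaluation settles the rest."""
    if op not in ("<", "="):
        raise ValueError("op must be '<' or '='")
    holds = (lambda v: v < 0) if op == "<" else (lambda v: v == 0)
    cutoff = root_bound(terms)
    for k in range(cutoff):
        if holds(evaluate(terms, k)):
            return k
    return cutoff if holds(evaluate(terms, cutoff)) else None
```
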

7.1 Discussion
The key properties of the field of rational numbers that are exploited in our decision procedure
are that (1) all field operations are effective, and (2) rationals are totally ordered. The procedure
(and Thm. 7.1) extends immediately to the field of real algebraic numbers, and Cors. 7.2 and 7.3
extend to the field of periodic real algebraic numbers (algebraic numbers λ such that $\lambda^p \in \mathbb{R}$ for
some p ∈ N with p ≥ 1). Although periodic real algebraic numbers generalize periodic rationals,
there are several reasons to prefer periodic rationals: (1) rationals are conceptually simpler, (2)
rationals impose significantly lower implementation burden, and (3) eigenvalues that are periodic
real algebraic but not periodic rational are rare in our experience (see §9).


8 SOLVABLE POLYNOMIAL MAPS


This section generalizes the results of §5 to solvable polynomial maps. Solvable polynomial maps,
introduced by Rodríguez-Carbonell and Kapur [2004], are polynomial maps that satisfy certain
syntactic conditions (Defn. 8.1) that imply that their dynamics can be captured by a linear map
of higher dimension. This property makes solvable polynomial maps amenable to analysis using
linear techniques [de Oliveira et al. 2016; Rodríguez-Carbonell and Kapur 2004].
Intuitively, a polynomial map $f : \mathbb{Q}^n \to \mathbb{Q}^n$ is solvable if the dimensions {1, ..., n} can be arranged
into strata so that dimensions have non-linear dependencies only upon dimensions of lower strata.
Definition 8.1 ([Rodríguez-Carbonell and Kapur 2004]). A function $f : \mathbb{Q}^n \to \mathbb{Q}^n$ is a solvable
polynomial map if there exists $S_1, \ldots, S_m \subseteq \{1, \ldots, n\}$ such that $\{S_1, \ldots, S_m\}$ is a partition of {1, ..., n}
and for all 1 ≤ i ≤ m we have
$$f_{S_i}(x) = A_i x_{S_i} + p_i(x_{S_1, \ldots, S_{i-1}})$$
where $f_{S_i}(x)$ denotes f(x) projected onto the coordinates $S_i$, $x_{S_i}$ denotes x projected onto the
coordinates $S_i$, $A_i \in \mathbb{Q}^{|S_i| \times |S_i|}$, and $p_i(x_{S_1, \ldots, S_{i-1}})$ is a column vector (of dimension $|S_i|$) of polynomials
over the variables $x_j$ with $j \in S_1 \cup \cdots \cup S_{i-1}$. The eigenvalues of a polynomial map are defined
to be the eigenvalues of $A_1, \ldots, A_m$.
The dynamics of a solvable polynomial map can be captured by a linear map by introducing
new dimensions to represent non-linear terms [de Oliveira et al. 2016], as shown in the following
example.
Example 8.2. Consider the map
$$f(w, x, y, z) = (w + y,\; -w + x + 2y,\; x - y,\; z + wy) .$$
Observe that f is solvable:
$$
f_{1,2,3}(w, x, y) = \begin{bmatrix} 1 & 0 & 1 \\ -1 & 1 & 2 \\ 0 & 1 & -1 \end{bmatrix} \begin{bmatrix} w \\ x \\ y \end{bmatrix}
\qquad
f_4(w, x, y, z) = z + xy
$$
The function $f_4$ contains a non-linear term xy. The dynamics of the term xy is given by the
product of the terms corresponding to x and y:
$$f_2(w, x, y)\, f_3(w, x, y) = (-w + x + 2y)(x - y) = (-wx + wy + x^2 + xy - 2y^2)$$
Similarly, we can compute the dynamics of each degree-2 monomial in w, x, and y, and thereby
linearize the polynomial map f:
$$
f^{(k)}(w, x, y, z) =
\begin{bmatrix} e_1 \\ e_2 \\ e_3 \\ e_4 \end{bmatrix}
\begin{bmatrix}
1 & 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
-1 & 1 & 2 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 1 & -1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 & 1 & 0 \\
0 & 0 & 0 & 0 & 1 & 0 & 1 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & -1 & 1 & 1 & 1 & 0 & 2 \\
0 & 0 & 0 & 0 & 0 & 1 & -1 & 0 & 1 & 1 \\
0 & 0 & 0 & 0 & 1 & -2 & -4 & 1 & 4 & 4 \\
0 & 0 & 0 & 0 & -1 & 1 & 3 & 0 & -1 & -2 \\
0 & 0 & 0 & 0 & 1 & 0 & -2 & 0 & 0 & 1
\end{bmatrix}^{k}
\begin{bmatrix} w \\ x \\ y \\ z \\ w^2 \\ wx \\ wy \\ x^2 \\ xy \\ y^2 \end{bmatrix}
$$
where $e_1, e_2, e_3, e_4$ are standard basis vectors. □


The representation of a solvable polynomial map by a linear transformation means that our
techniques from §5 apply. The gap is that we must show that if the eigenvalues of a solvable
polynomial map are periodic rational, then so are the eigenvalues of its associated linear map. This
is indeed the case, yielding the following theorem:

Theorem 8.3. Let $f : \mathbb{Q}^n \to \mathbb{Q}^n$ be a solvable polynomial map. There is an algorithm for determining
whether each eigenvalue of f is a periodic rational, and if so, computing an EPRA+ formula that
defines $f^{(-)}$.

Proof. Let $f : \mathbb{Q}^n \to \mathbb{Q}^n$ be a solvable polynomial map. Consider the ring of polynomials
$\mathbb{Q}[x_1, \ldots, x_n]$ as an (infinite dimensional) vector space over Q. Then f (and indeed, any polynomial
map) can be extended to be a linear transformation $\hat{f}$ on this space by defining
$$\hat{f}\Big( \sum_i a_i x_1^{d_{i,1}} \cdots x_n^{d_{i,n}} \Big) = \sum_i a_i f_1(x)^{d_{i,1}} \cdots f_n(x)^{d_{i,n}} .$$

The distinguishing feature of solvable polynomial maps is that there is a finite-dimensional invariant
subspace that contains $x_1, \ldots, x_n$, so that $\hat{f}$ can be understood as a linear transformation on that
finite-dimensional subspace. More precisely, define $M \subseteq \mathbb{Q}[x_1, \ldots, x_n]$ to be the least set of monomials
that contains $x_1, \ldots, x_n$ and such that if m ∈ M, then M contains all monomials that appear in $\hat{f}(m)$.
Since f is solvable, we have that M is finite.
Enumerate M as $m_1 = x_1^{d_{1,1}} \cdots x_n^{d_{1,n}}, \ldots, m_{|M|} = x_1^{d_{|M|,1}} \cdots x_n^{d_{|M|,n}}$, and let m be the vector of
monomials $[m_1 \cdots m_{|M|}]^T$. Define $B \in \mathbb{Q}^{|M| \times |M|}$ to be the matrix such that row i of B contains
the unique vector $b_i$ such that $f_1(x)^{d_{i,1}} \cdots f_n(x)^{d_{i,n}} = b_i^T m$. Let U be the matrix such that row i of U
contains the unique vector $u_i$ such that $x_i = u_i^T m$. Then we have that $f^{(k)}(x) = U B^k m$. Supposing
that all eigenvalues of B are periodic rational, then by Prop. 5.2 there is an EPRAlin+ formula
ϕ(k, z, z′) that defines the iterated linear map $g^{(-)}$ where $g(z) \overset{\mathrm{def}}{=} Bz$. The formula
$\psi(k, x, y) \overset{\mathrm{def}}{=} (\exists z'.\ y = U z' \land \varphi(k, z, z'))[z \mapsto q]$ is an EPRA+ formula (since the existential quantifier can be
eliminated) and defines $f^{(-)}$.


It remains only to show that all eigenvalues of B are periodic rationals. Let $A_1, \ldots, A_m$ and
$y_1, \ldots, y_m$ be as in Defn. 8.1. We show that the eigenvalues of B are products of eigenvalues
of $A_1, \ldots, A_m$; since periodic rationals are closed under products we have the result. We now
consider $\hat{f}$ as a linear transformation on the vector space of polynomials with algebraic coefficients
$\mathbb{Q}[x_1, \ldots, x_n]$. Intuitively, the matrix B is the representation of f with respect to a particular basis
for a particular subspace. We may just as well represent f with respect to another basis, which
we construct as follows. For i ∈ {1, .., m}, let $V = \{v_1, \ldots, v_{|A_i|}\}$ be a basis for $\mathbb{Q}^{|A_i|}$ consisting
of generalized eigenvectors of $A_i$, and take $P_i$ to be the set of polynomials (in fact, linear terms)
$P_i = \{v_j^T y_i : j \in \{1, \ldots, |A_i|\}\}$. Let $\mathcal{Q}$ be the set of all finite products of polynomials in P, and observe
that $\mathcal{Q}$ is a basis for $\mathbb{Q}[x_1, \ldots, x_n]$.
Let $p_1, \ldots, p_n$ be an enumeration of P in order of increasing $P_i$, and within each group $P_i$ ordered
by the rank of the eigenvector (with lower rank appearing earlier in the enumeration). For any i, let
$\lambda_i$ be the eigenvalue associated with $p_i$, and define a total order ⪯ on $\mathcal{Q}$ by: $p_1^{d_1} \cdots p_n^{d_n} \preceq p_1^{e_1} \cdots p_n^{e_n}$
iff $d_n \cdots d_1$ is lexicographically less than or equal to $e_n \cdots e_1$. From the fact that each $p_i$ corresponds
to a generalized eigenvector of some $A_j$, we have that $\hat{f}(p_i) = \lambda_i (p_i + p_i')$, where $p_i'$ is a polynomial
containing only monomials $\prec p_i$. As a result, for any $q = p_1^{d_1} \cdots p_n^{d_n} \in \mathcal{Q}$, we have
$$
\begin{aligned}
\hat{f}(q) &= \hat{f}(p_1)^{d_1} \cdots \hat{f}(p_n)^{d_n} \\
&= \lambda_1^{d_1} \cdots \lambda_n^{d_n} (p_1 + p_1')^{d_1} \cdots (p_n + p_n')^{d_n} \\
&= \lambda_1^{d_1} \cdots \lambda_n^{d_n} q + q'
\end{aligned}
$$
where q′ is a polynomial consisting only of monomials that are ≺ q.
Suppose that a polynomial p is an eigenvector of $\hat{f}$ with eigenvalue λ (i.e., $\hat{f}(p) = \lambda p$); we must
show that λ is a product of eigenvalues of $\lambda_1, \ldots, \lambda_n$. Let $q = p_1^{d_1} \cdots p_n^{d_n}$ be the greatest monomial
with non-zero coefficient in p, and let a be its associated coefficient. We have
$$\lambda p = \hat{f}(p) = \hat{f}(aq + (p - aq)) = a \hat{f}(q) + \hat{f}(p - aq) = a \lambda_1^{d_1} \cdots \lambda_n^{d_n} q + z$$
where z is a polynomial containing only monomials ≺ q. Since the coefficient of q on the left-hand
side must be the same as the coefficient of q on the right-hand side, we have $\lambda = \lambda_1^{d_1} \cdots \lambda_n^{d_n}$. □
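The closure construction from the proof (the monomial set M and the matrix B), run on the map of Example 8.2, as an added Python sketch that is not the authors' code. It takes f_4 = z + xy as displayed in the example; the dictionary encoding of polynomials, the `max_degree` stopping rule and all function names are assumptions of this sketch.

```python
# Polynomials over (w, x, y, z) are {exponent tuple: coefficient} dictionaries.
# The map of Example 8.2, with f_4 = z + xy as displayed there.
EXAMPLE_F = [
    {(1, 0, 0, 0): 1, (0, 0, 1, 0): 1},                     # w + y
    {(1, 0, 0, 0): -1, (0, 1, 0, 0): 1, (0, 0, 1, 0): 2},   # -w + x + 2y
    {(0, 1, 0, 0): 1, (0, 0, 1, 0): -1},                    # x - y
    {(0, 0, 0, 1): 1, (0, 1, 1, 0): 1},                     # z + xy
]


def poly_mul(p, q):
    out = {}
    for ea, ca in p.items():
        for eb, cb in q.items():
            e = tuple(i + j for i, j in zip(ea, eb))
            out[e] = out.get(e, 0) + ca * cb
    return {e: c for e, c in out.items() if c != 0}


def f_hat(f, mono):
    """Image of the monomial x^mono under f-hat: the product of f_j(x)**mono[j]."""
    result = {(0,) * len(mono): 1}
    for f_j, power in zip(f, mono):
        for _ in range(power):
            result = poly_mul(result, f_j)
    return result


def linearize(f, max_degree=32):
    """Return (M, B): the least monomial set closed under f-hat that contains
    x_1..x_n (listed first, in order), and B with B m(x) = m(f(x))."""
    n = len(f)
    basis = [tuple(int(i == j) for j in range(n)) for i in range(n)]
    images, queue, seen = {}, list(basis), set(basis)
    while queue:
        mono = queue.pop(0)
        images[mono] = f_hat(f, mono)
        for e in images[mono]:
            if e in seen:
                continue
            # An infinite closure has unbounded degree, so a degree cap detects it.
            if sum(e) > max_degree:
                raise ValueError("monomial closure keeps growing; is the map solvable?")
            seen.add(e)
            basis.append(e)
            queue.append(e)
    col = {m: j for j, m in enumerate(basis)}
    B = [[0] * len(basis) for _ in basis]
    for mono, image in images.items():
        for e, c in image.items():
            B[col[mono]][col[e]] = c
    return basis, B


def eval_mono(mono, x):
    value = 1
    for xi, power in zip(x, mono):
        value *= xi ** power
    return value


def iterate_direct(f, x, k):
    """f^(k)(x) by running the polynomial assignment k times."""
    for _ in range(k):
        x = tuple(sum(c * eval_mono(e, x) for e, c in f_j.items()) for f_j in f)
    return tuple(x)


def iterate_linearized(f, x, k):
    """f^(k)(x) as U B^k m(x); U selects the first n rows because x_1..x_n lead M."""
    basis, B = linearize(f)
    v = [eval_mono(m, x) for m in basis]
    for _ in range(k):
        v = [sum(b * vj for b, vj in zip(row, v)) for row in B]
    return tuple(v[:len(f)])
```
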

8.1 Decision Procedures


This section extends the decidability result established in §7 to the full logic EPRA, which allows
multiplication between variables other than the distinguished variable k. The satisfiability problem
for this logic is decidable over the reals.
Theorem 8.4. The satisfiability problem for closed-form formulas is decidable over the reals. That
is, there is a procedure that, given a formula ϕ(k, x) in k and n free variables x, determines whether
there is some c ∈ N and $v \in \mathbb{R}^n$ such that ϕ(c, v) holds.
Proof. Write ϕ in disjunctive normal form $\varphi \equiv ((D_1 \land C_1) \lor \ldots \lor (D_n \land C_n))$, where each $D_i$ is a
conjunction of divisibility atoms and each $C_i$ is a conjunction of comparison atoms. For each $C_i$ we
can compute an equivalent (over the reals) formula C′ that only involves the distinguished variable
k using quantifier elimination for real closed fields [Tarski 1951]: first replace each exponential term
$\lambda^k$ with a fresh variable symbol $x_\lambda$, then eliminate all variables except k and the $x_\lambda$ variables, then
replace each $x_\lambda$ with $\lambda^k$. Thus we have $\varphi \equiv ((D_1 \land C_1') \lor \ldots \lor (D_n \land C_n'))$, with the latter formula
being an EPRAlin formula; by the previous section, the satisfiability problem for such formulas is
decidable. □

9 EVALUATION
Our techniques are implemented on top of ICRA [Farzan and Kincaid 2015; Kincaid et al. 2017, 2018],
which uses Z3’s UFLRA solver [de Moura and Bjørner 2008], and Apron’s NewPolka polyhedron
domain [Jeannet and Miné 2009]. We use the NTL number-theory library for computing and
factoring the characteristic polynomials of matrices [Shoup 2018].
For loops with all rational eigenvalues (commonly arising in our experience), we expect the
results of ICRA using its operational calculus-based recurrence solver (OCRS) [Kincaid et al. 2018]
to be largely the same as the one based on periodic rational spectral decomposition (PRSD), and so
the main experimental question is one of performance. For loops with non-rational eigenvalues,
OCRS introduces function symbols that permit some limited reasoning, while PRSD abstracts away
non-periodic rational eigenspaces and treats the remaining periodic rational eigenspaces precisely.
Thus, the experimental question is how this trade-off affects precision. Last, the technique from
§6.3 can improve precision even on loops with rational eigenvalues (and in particular, loops that
only require linear invariant generation), so the experimental question is whether this is effective
and performant in practice.


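| | #programs | ICRA+OCRS #safe | ICRA+OCRS time | ICRA+PRSD #safe | ICRA+PRSD time | ICRA+PRSD+PG #safe | ICRA+PRSD+PG time | SeaHorn #safe | SeaHorn time | UltAuto #safe | UltAuto time |
|---|---|---|---|---|---|---|---|---|---|---|---|
| C4B | 35 | 30 | 25.5 | 30 | 25.3 | 34 | 27.3 | 29 | 1833.0 | 24 | 3132.6 |
| HOLA | 46 | 39 | 45.2 | 39 | 44.4 | 39 | 49.8 | 39 | 1129.9 | 38 | 1992.9 |
| lit | 20 | 17 | 12.9 | 17 | 12.8 | 17 | 13.4 | 8 | 603.7 | 1 | 3923.6 |
| total | 101 | 86 | 83.6 | 86 | 82.5 | 90 | 90.5 | 76 | 3566.6 | 63 | 9049.1 |

Fig. 4. Experimental results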

| | Min | Mean | Median | Max | Timeout |
|---|---|---|---|---|---|
| ICRA | 0.4 | 0.9 | 0.7 | 4.5 | 0 |
| ICRA+PRSD | 0.4 | 0.9 | 0.7 | 4.5 | 0 |
| ICRA+PRSD+PG | 0.3 | 0.9 | 0.7 | 5.5 | 0 |
| SeaHorn | 0.1 | 3.0 | 0.2 | 220.8 | 11 |
| UltAuto | 2.0 | 16.7 | 3.4 | 284.5 | 26 |

Fig. 5. Timing summary statistics over C4B/HOLA/lit; times reported in seconds, with timeouts excluded.

We ran ICRA in three different configurations: OCRS (operational calculus recurrence solver),
PRSD (periodic rational spectral decomposition), PRSD+PG (PRSD along with Presburger guards,
§6.3). We also compared against two state-of-the-art software model checkers: Ultimate Automizer
[Heizmann et al. 2018] from SV-COMP18, based on predicate abstraction; and SeaHorn [Gurfinkel
et al. 2015] version 0.1.0, a Horn-clause solver based on property-directed reachability. We compared
these programs on a suite of 101 safe programs, including the C4B [Carbonneaux et al. 2015] and
HOLA [Dillig et al. 2013] suites (which exhibit linear or periodic linear behavior) and lit, a selection
of loops with non-linear behavior collected from the literature. Our experiments were conducted on
a machine running Ubuntu 16.04 equipped with an 8-core Intel(R) Core(TM) i7 1.80GHz processor
and 8GB memory, with a time-out of 5 minutes. The experimental results are given in Fig. 4.
We observe that there is no significant difference in performance or in the number of assertions proved
between the PRSD and OCRS solvers. Note, however, that although ICRA+OCRS and ICRA+PRSD
both prove 17 of the 20 assertions in the lit category, they are not the same 17 assertions. In
particular, ICRA+OCRS can prove the correctness of two examples from [Terauchi and Aiken 2005]
wherein a precise treatment of the Fibonacci function is required to prove secure information flow
(which requires non-periodic rational eigenvalues). ICRA+PRSD can prove a run-time bound for an
example from [Tiwari 2004] and establish bounding constraints for an example from [Miné et al.
2016] in which a figure is rotated and scaled in two dimensional space (both of which require precise
treatment of complex, but periodic rational, eigenvalues). Our results suggest the hypothesis that
loops with eigenvalues that are not periodic rational are rare in practice (only 2 loops among 101
programs), although our suite is not sufficiently comprehensive to draw a conclusion. A possible
explanation is that loops that are written by human programmers typically involve patterns that
result in rational or periodic rational eigenvalues: loop counters, quantities that are doubled or
halved, and cyclic quantities.
Although the Presburger Guard technique does incur a performance penalty, we find that it does
allow an additional 4 benchmarks in the C4B category to be proved correct. Lastly, we observe
that all configurations of ICRA are capable invariant generators: they can prove the correctness
of more assertions than SeaHorn and Ultimate Automizer (even for examples that do not require
non-linear reasoning). The run-times of the ICRA configurations are more consistent than SeaHorn
and Ultimate Automizer (see Fig. 5), and its aggregate run-time is two orders of magnitude faster.


10 RELATED WORK
Closed forms for loops. Boigelot [2003] gives necessary and sufficient conditions for an iterated
affine map to be definable in Presburger arithmetic, and also Presburger arithmetic extended with
a single function Vr mapping each integer z to the greatest power of r that divides z. Boigelot also
considers the case that the linear map is equipped with a polyhedral guard (which can restrict
the number of times the linear map is iterated), in which case his conditions are necessary but
not sufficient. Finkel and Leroux [2002] extends [Boigelot 2003] to guards defined in Presburger
arithmetic, and also considers how to analyze multi-path loops by iterating compositions of affine
maps. §5 extends this line of work by giving a polytime procedure for the Presburger case, as well
as generalizing to logics beyond Presburger arithmetic.
Jeannet et al. [2014] developed a technique for approximating the behavior of iterated linear
maps with arbitrary eigenvalues. The technique is based on approximating the iteration of the
real Jordan form of the transition matrix by an abstract domain of template polyhedron matrices.
The abstraction technique discussed in §6.1 is of a different nature: we aim to capture the exact
dynamics of a subsystem.
The transitive closure of difference-bound relations [Bozga et al. 2006; Comon and Jurski 1998]
and octagon relations [Bozga et al. 2009] has been shown to be definable in Presburger arithmetic,
and computable in polytime [Konečný 2016]. The theory of ultimately periodic relations unifies work
on linear systems and difference-bound/octagon relations [Bozga et al. 2010]. Periodic behavior also
features in our work, but the class of matrices we consider (those with periodic rational eigenvalues)
does not satisfy the conditions of [Bozga et al. 2010].
Decision problems for linear loops. This paper addresses the problem of computing a closed-form
representation of the reachability relation of a linear loop in a decidable logic, which can be used
to address a variety of decision problems (e.g., Cors. 7.2 and 7.3) that meet our condition of having
all periodic rational eigenvalues. Ouaknine and Worrell [2012, 2015] surveys work on decision
problems related to linear loops. One such problem is the orbit problem, which can be stated as
follows: given a matrix A, an initial vector s and a target vector t, determine if there is some k such
that Ak s = t. Kannan and Lipton [1986] showed that the orbit problem is decidable in polytime. A
generalization of orbit is the polytope-collision problem in which we ask whether one polytope is
reachable from another. Almagor et al. [2017] shows that this problem is decidable in PSPACE for
matrices of dimension at most 3. The result in Cor. 7.2 solves both these problems as a special case,
but for a restricted class of matrices.
The uniform-termination problem for linear loops was proved to be decidable over the reals by
Tiwari [2004], over the rationals by Braverman [2006], and over the integers (for diagonalizable
matrices) by Ouaknine et al. [2015]. Uniform termination asks whether any execution of the loop may
fail to terminate starting from any initial state. The case considered in Cor. 7.3 allows a pre-state to
be specified (i.e., we go beyond uniform termination), but again our decidability result holds only
for matrices with all periodic rational eigenvalues.
Analysis of polynomial maps. §8 extends our work to the class of solvable polynomial maps that
was studied by de Oliveira et al. [2016]; Rodríguez-Carbonell and Kapur [2004]. Solvable maps are
also related to P-solvable loops [Kovács 2008; Kovács and Jebelean 2006; Kovács et al. 2006] in that
solvable polynomial maps are exactly the class of maps that are both polynomial and P-solvable.
(The notion of P-solvability is more general in that it admits loops that have non-polynomial (but
Gosper-summable) assignments.) The class of extended P-solvable loops [Humenberger et al. 2017]
captures a strictly larger set of polynomial maps. Humenberger et al. [2018] extends (extended)
P-solvable loops to the case of multi-path loops (but not arbitrarily nested loops). The focus of all
of the aforementioned work is to compute invariant polynomial equalities of a loop; our work aims
to give exact characterizations of a loop’s behavior in various arithmetics.


REFERENCES
S. Almagor, J. Ouaknine, and J. Worrell. 2017. The Polytope-Collision Problem. In ICALP. 24:1–24:14.
B. Boigelot. 2003. On iterating linear transformations over recognizable sets of integers. Theor. Comp. Sci. 309, 1 (2003), 413–468.
M. Bozga, C. Gîrlea, and R. Iosif. 2009. Iterating Octagons. In TACAS. 337–351.
M. Bozga, R. Iosif, and F. Konečný. 2010. Fast Acceleration of Ultimately Periodic Relations. In Computer Aided Verification. 227–242.
M. Bozga, R. Iosif, and Y. Lakhnech. 2006. Flat Parametric Counter Automata. In Automata, Languages and Programming. 577–588.
M. Braverman. 2006. Termination of Integer Linear Programs. In CAV.
Q. Carbonneaux, J. Hoffmann, and Z. Shao. 2015. Compositional Certified Resource Bounds. In PLDI.
H. Comon and Y. Jurski. 1998. Multiple counters automata, safety analysis and presburger arithmetic. In CAV. 268–279.
L. de Moura and N. Bjørner. 2008. Z3: An Efficient SMT Solver. In TACAS.
S. de Oliveira, S. Bensalem, and V. Prevosto. 2016. Polynomial Invariants by Linear Algebra. In ATVA. 479–494.
I. Dillig, T. Dillig, B. Li, and K. McMillan. 2013. Inductive Invariant Generation via Abductive Inference. In OOPSLA.
A. Farzan and Z. Kincaid. 2015. Compositional Recurrence Analysis. In FMCAD.
A. Finkel and J. Leroux. 2002. How to Compose Presburger-Accelerations: Applications to Broadcast Protocols. In FST TCS. 145–156.
A. Gurfinkel, T. Kahsai, A. Komuravelli, and J.A. Navas. 2015. The SeaHorn Verification Framework. In CAV.
V. Halava, T. Harju, M. Hirvensalo, and J. Karhumäki. 2005. Skolem’s Problem – On the Border between Decidability and Undecidability. Technical Report. Turku Center for Computer Science.
M. Heizmann, Y.-F. Chen, D. Dietsch, M. Greitschus, J. Hoenicke, Y. Li, A. Nutz, B. Musa, C. Schilling, T. Schindler, and A. Podelski. 2018. Ultimate Automizer and the Search for Perfect Interpolants. In TACAS. 447–451.
A. Humenberger, M. Jaroschek, and L. Kovacs. 2017. Automated Generation of Non-Linear Loop Invariants Utilizing Hypergeometric Sequences. In ISSAC.
A. Humenberger, M. Jaroschek, and L. Kovács. 2018. Invariant Generation for Multi-Path Loops with Polynomial Assignments. In VMCAI. 226–246.
B. Jeannet and A. Miné. 2009. Apron: A Library of Numerical Abstract Domains for Static Analysis. In CAV.
B. Jeannet, P. Schrammel, and S. Sankaranarayanan. 2014. Abstract Acceleration of General Linear Loops. In POPL. 529–540.
R. Kannan and R. J. Lipton. 1986. Polynomial-time Algorithm for the Orbit Problem. J. ACM 33, 4 (Aug. 1986), 808–821.
W. Keller-Gehrig. 1985. Fast Algorithms for the Characteristic Polynomial. Theor. Comput. Sci. 36, 2-3 (June 1985), 309–317.
Z. Kincaid. 2018. Numerical Invariants via Abstract Machines. In SAS.
Z. Kincaid, J. Breck, A. Forouhi Boroujeni, and T. Reps. 2017. Compositional Recurrence Analysis Revisited. In PLDI.
Z. Kincaid, J. Cyphert, J. Breck, and T.W. Reps. 2018. Non-Linear Reasoning for Invariant Synthesis. PACMPL 2(POPL) (2018), 54:1–54:33.
F. Konečný. 2016. PTIME Computation of Transitive Closures of Octagonal Relations. In Tools and Algorithms for the Construction and Analysis of Systems. 645–661.
L. Kovács. 2008. Reasoning Algebraically About P-Solvable Loops. In TACAS.
L. Kovács and T. Jebelean. 2006. Finding polynomial invariants for imperative loops in the theorema system. Proc. of Verify 6 (2006), 52–67.
L. Kovács, N. Popov, and T. Jebelean. 2006. Combining Logic and Algebraic Techniques for Program Verification in Theorema. In ISoLA. IEEE, 67–74.
A. K. Lenstra, H. W. Lenstra, and L. Lovász. 1982. Factoring polynomials with rational coefficients. Math. Ann. 261, 4 (1982), 515–534.
R. Loos and V. Weispfenning. 1993. Applying linear quantifier elimination. The computer journal 36, 5 (1993), 450–462.
A. Miné, J. Breck, and T. W. Reps. 2016. An Algorithm Inspired by Constraint Solvers to Infer Inductive Invariants in Numeric Programs. In European Symp. on Programming. 560–588.
J. Ouaknine, J. Sousa Pinto, and J. Worrell. 2015. On Termination of Integer Linear Loops. In SODA. 957–969.
J. Ouaknine and J. Worrell. 2012. Decision Problems for Linear Recurrence Sequences. In RP.
J. Ouaknine and J. Worrell. 2015. On Linear Recurrence Sequences and Loop Termination. ACM SIGLOG News 2, 2 (April 2015), 4–13.
T. Reps, E. Turetsky, and P. Prabhu. 2016. Newtonian Program Analysis via Tensor Product. In POPL.
E. Rodríguez-Carbonell and D. Kapur. 2004. Automatic Generation of Polynomial Loop Invariants: Algebraic Foundations. In ISSAC. 266–273.
V. Shoup. 2018. NTL: A library for doing number theory. (2018). http://www.shoup.net/ntl/
R. E. Tarjan. 1981a. Fast Algorithms for Solving Path Problems. J. ACM 28, 3 (July 1981), 594–614.
R. E. Tarjan. 1981b. A Unified Approach to Path Problems. J. ACM 28, 3 (July 1981), 577–593.


A. Tarski. 1951. A Decision Method for Elementary Algebra and Geometry. University of California Press, Berkeley, CA.
(1951).
T. Terauchi and A. Aiken. 2005. Secure Information Flow as a Safety Problem. In SAS. 352–367.
A. Tiwari. 2004. Termination of Linear Programs. In CAV.
