Hierarchical Decompositions and Termination Analysis for Generalized Planning

This paper presents new methods for analyzing and evaluating generalized plans that can solve broad classes of related planning problems. Although synthesis and learning of generalized plans has been a longstanding goal in AI, it remains challenging due to fundamental gaps in methods for analyzing the scope and utility of a given generalized plan. This paper addresses these gaps by developing a new conceptual framework along with proof techniques and algorithmic processes for assessing termination and goal-reachability related properties of generalized plans. We build upon classic results from graph theory to decompose generalized plans into smaller components that are then used to derive hierarchical termination arguments. These methods can be used to determine the utility of a given generalized plan, as well as to guide the synthesis and learning processes for generalized plans. We present theoretical as well as empirical results illustrating the scope of this new approach. Our analysis shows that this approach significantly extends the class of generalized plans that can be assessed automatically, thereby reducing barriers in the synthesis and learning of reliable generalized plans.


Introduction
Enabling autonomous agents to learn and represent generalized knowledge that can be used to solve multiple related planning problems is a longstanding goal in AI.The ability to create transferrable, generalized plans that can solve large classes of sequential decision making problems has long been recognized as essential in achieving this goal.However, research on the problem has been limited due to technical challenges in analyzing generalized plans.The problem of determining whether an arbitrary generalized plan is useful -i.e., whether it can be "transferred" to solve a desired class of problem instances is equivalent to determining whether a generalized plan terminates, which is undecidable in general.This significantly limits approaches for computing generalized plans: the absence of an effective evaluation function precludes computationally popular approaches for learning from past data as well as methods for synthesizing and improving candidate generalized plans.This reduces not only the robustness of algorithms for computing generalized plans but also the reliability of the computed generalized plans.
This paper presents a new, hierarchical approach for assessing the utility of a generalized plan.Since reachability of a desired goal state while executing a generalized plan can be reduced to determining termination, we focus on methods for determining termination.Our main contribution is a new conceptual framework and proof technique that can be used to design and validate algorithms for analyzing the reachability and termination properties of generalized plans.We draw upon insights from classic results in graph theory to create a hierarchical decomposition of a given generalized plan.This decomposition facilitates more general termination analysis than is possible using prior work.Although the problem of termination for generalized plans is undecidable in general, we show that in practice, the methods developed this paper can determine termination for broad classes of generalized plans that are beyond the scope of existing methods.This approach can also be used in popular generate-and-test driven paradigms for generalized planning where candidate generalized plans can be synthesized or learned from examples and pruned or refined on the basis of reachability analysis facilitated using the presented methods.
Advances in determining termination for limited classes of generalized plans (Srivastava et al., 2010(Srivastava et al., , 2011b(Srivastava et al., , 2012) ) have led to immense progress in the field (e.g., Segovia Aguas et al. (2018); Bonet and Geffner (2018); Illanes and McIlraith (2019); a more complete survey is presented in the next section).We expect that methods for more general methods for analyzing generalized plans will further enable continued breakthroughs in the field.
Prior work on theoretical aspects of generalized planning relies upon strong assumptions that restrict the structure of generalized plans, or limit the permitted actions to "qualitative" actions that cannot capture general forms of behavior.The framework developed in this paper goes beyond these limitations.It offers a sound but non-complete test of termination for generalized plans with arbitrary structures and actions that can increment or decrement variables by specific amounts in non-deterministic or deterministic control structures.Sound and complete methods for termination assessment of generalized plans are not possible, due to equivalence with the halting problem for Turing machines.Our framework supports counter-based actions that can express the full range of structured behaviors including arbitrary Turing machines.They can express changes in Boolean state variables as well as changes in higher-order state properties or features (e.g., the number of packages that still need to be delivered in logistics planning problems).Prior work on generalized planning has established that such counter-based representations capture the essence of generalized plans as needed for analysis of their utility (Srivastava et al., 2010(Srivastava et al., , 2012) ) as well as for synthesis of generalized plans and policies (Srivastava et al., 2008;Bonet & Geffner, 2021).
The main new insight in this paper is that classic results in graph theory can be used to decompose an arbitrary generalized plan, expressed as a finite-state machine, into a finite hierarchy of generalized plans with a desirable property: the structure of generalized plans necessarily decreases in complexity as one descends in the hierarchy.This allows us to inductively build a new form of termination argument for a parent generalized plan in the hierarchy by composing termination arguments for its children generalized plans.Theoretical analysis and empirical results show that this method effectively addresses a broad class of generalized plans that were not amenable to existing approaches.
The rest of this paper is organized as follows.Sec. 2 presents a survey of related work on the topic followed by our formal framework and the problem setting (Sec.3).Sec. 4 presents our new algorithmic framework for the analysis of generalized plans.This is followed by theoretical analysis illustrating the new proof techniques that this approach enables along with our key theoretical results on the soundness of the presented algorithm (Sec.5.1) as well as our empirical analysis (Sec.5.2).Sec.6 presents our conclusions and directions for future work.

Related Work
Early work by Levesque (2005) articulated the value of planning with iterative constructs and the challenges of proving that such constructs would terminate (or equivalently, achieve the desired goals) upon execution.This work focused on settings where problem classes are defined by varying a single numeric planning parameter.Levesque showed that this parameter could be used to build iterative constructs.He argued that rather than attempting to assess or prove the termination of such plans, asserting weaker guarantees could lead to computationally pragmatic approaches.Levesque proposed validation of computed iterative plans up to a certain upper bound on the single numeric planning parameter.To the best of our knowledge, this work constitutes the first clear articulation of the value and challenges of computing plans with loops using AI planning methods.
2.1 Counter-Based Models for Generalized Planning Srivastava et al. (2008) showed that counters based on logic-based properties could be used to create numeric features, e.g., the number of cells that need to be visited in a grid exploration task.Such features can help identify useful iterative structures and compute "generalized plans".Furthermore, the team showed that counter-based models for generalized planning could be used to determine whether a computed generalized would terminate and reach the goal.These methods were used to compute generalized plans with simple loops.The plan synthesis process ensured provable correctness and for a broad class of problems, the computed plans were guaranteed to solve infinitely many problem instances involving arbitrary numbers of counters.Hu and Levesque (2010) showed that determining termination for plans featuring iteration over a single numeric planning parameter is decidable.In subsequent work, Srivastava et al. (2010) showed that the problem of identifying useful cyclic control structures in generalized plans could be studied using foundational models of computation such as abacus programs by transforming the planning-domain actions into equivalent operations that changed counters corresponding to logic-based state properties.The team developed algorithms for determining termination and graph-theoretic characterizations of generalized plans that could be assessed for termination despite the general incomputability of the problem (Srivastava et al., 2012).These methods were also used to develop directed search and learning techniques for generalized planning (Srivastava et al., 2011a).
In practice, the main technical problems in determining whether a generalized plan is "useful" is that it is difficult to construct termination arguments for complex terminating generalized plans: the set of generalized plans that can be proved to be terminating is a small subset of the set of terminating generalized plans.Although the strict subset relationship must hold due to equivalence of this problem with the halting problem, it is essential to develop new approaches that identify and push the boundary of decidability further.
The framework of qualitative numeric planning (QNP, Srivastava et al. (2011b)) extended the counter-based model for generalized planning further to address these limitations.This framework introduces action semantics under which the set of terminating generalized plans reduces to generalized plans for which the "Sieve" algorithm can assert termination.The QNP framework is broadly applicable in practice and yet insufficient to express Turing machines.A more formal comparison of termination under qualitative and deterministic semantics is presented in Sec.4.1.QNPs were later extended to more general settings along with analysis of their expressiveness and a more general version of the Sieve algorithm (Srivastava et al., 2015).Bonet and Geffner (2020) showed that the analysis conducted by the Sieve algorithm for QNP problems can also be viewed as a fully observable non-determinstic (FOND) planning process.These foundational formulations of generalized planning have been extended in several directions.Bonet et al. (2019) develop connections between generalized planning and LTL synthesis; Belle (2022) analyzes the relationships between various correctness criteria in stochastic and non-deterministic settings.

Meta-Level Planning for Computing Generalized Plans
The theoretical advances discussed above have been accompanied with numerous advances in approaches for computing generalized plans.Bonet et al. (2009) showed that the computation of finite-state controllers for some classes of planning problems could be reduced to planning by creating meta-level planning domains whose actions involved the addition or deletion of edges in a controller.These finite-state controllers were observed to have good generalization capabilities.Several threads of research have developed this approach of creating meta-level planning problems that synthesize generalized plans in the form of controllers (Bonet et al., 2009;Hu & Giacomo, 2011;Hu & De Giacomo, 2013).Segovia Aguas et al. (2018) present algorithms for computing hierarchical generalized plans that include subroutines and are guaranteed to solve an input set of finitely many planning problems.The planning domains used in this reduction include actions that construct components of hierarchical finite-state controllers as well as validate the resulting controllers on the input problem set.This paradigm of evaluation using a finite validation set has been developed along multiple directions to utilize finite sets of positive examples as well as negative examples indicating undesired outcomes of plan execution (Segovia Aguas et al., 2020) and with finite validation sets for use in a general heuristic search process for computing generalized plans (Segovia Aguas et al., 2021, 2022).

Broader Applications
Foundations of generalized planning discussed above have also enabled broader advances in sequential decision making.As noted above, state representations based on counters capturing the numbers of objects that satisfy various properties were developed originally for identifying and analyzing iterative structures for generalized plans.They have since been found to be useful also for computing generalized, domain-wide planning knowledge.Such methods have been utilized for learning and synthesis of generalized knowledge for sequential decision making in the form of general sketches and policies for planning (Bonet & Geffner, 2018;Frances et al., 2021;Bonet & Geffner, 2021;Drexler et al., 2022), for learning neuro-symbolic generalized heuristics for planning (Karia & Srivastava, 2021) and neurosymbolic generalized Q-functions for reinforcement learning in stochastic settings (Karia & Srivastava, 2022), as well as for few-shot learning of generalized policy automata for stochastic shortest path problems (Karia et al., 2022).In the terminology of metrics for generalized planning presented by Srivastava et al. (2011), these methods compute gen-eralized plans that have a relatively higher cost of instantiation 1 that is still much lesser lower than that of planning from scratch.On the other hand, these methods provide a significantly higher domain coverage than that of an optimized generalized plan.These directions of research bridge the gap between generalized planning and lifted sequential decision making (Boutilier et al., 2001;Sanner & Boutilier, 2009;Cui et al., 2019).Other approaches for learning generalized knowledge include approaches for learning general policies in a relational language (Khardon, 1999;Winner & Veloso, 2003;Yoon et al., 2008), learning heuristics for solving multiple planning problems (Shen et al., 2020;Toyer et al., 2020;Rivlin et al., 2020;Ferber et al., 2022;Ståhlberg et al., 2022) as well as generalized neural policies for relational MDPs (Garg et al., 2020).

Problem Formulation
We use a foundational but powerful representation where all variables are numeric variables with N as their domains.Let V be the set of such variables.A concrete state is an assignment that maps each variable in V to a value in that variable's domain.We denote the set of all possible concrete states as S V .The value of a variable x in a state s ∈ S V is denoted as s(x).In this paper we use the unqualified term "state" to refer to concrete states.Definition 1.An action consists of a precondition, which maps each variable in V to a union of intervals for that variable, and a set of action effects, effects(a).Each member of effects(a) is of the form ⊕x or x, where x ∈ vars; effects(a) must include at most one occurrence of each variable in V.
Prior work in generalized planning considers three types of interpretations of ⊕, that correspond to popular frameworks in the literature (Srivastava et al., 2015).We focus on deterministic and qualitative semantics in this work: Deterministic semantics Under deterministic semantics, each occurrence of ⊕ ( ) in an action effect is interpreted as an increment (decrement) by a fixed discrete quantity.E.g., an action's effects may include x 1 + 1, x 2 − 5, x 3 + 1 for variables x 1 , x 2 , and x 3 .a(s 1 ) is defined as the unique state s 2 such that for every x ∈ V if x + i is an effect of a, s 2 (x) = s 1 (x) + i and if x − j is an effect of a then s 2 (x) = s 1 (x) − j. s 2 (x) = s 1 (x) for all x that don't occur in effects of a.The special case of deterministic semantics where for every variable x, ⊕x = x + 1 and x = x − 1 yields formulations close to abacus programs (Lambek, 1961).
Although we will focus on deterministic semantics in this paper, we introduce qualitative semantics below in order to compare and contrast our approach with prior work.
Qualitative semantics Under qualitative semantics, each occurrence of ⊕ ( ) is interpreted as an increase (decrease) by a non-deterministic amount.The amount of change caused due to each is such that in any execution, a finite sequence of consecutive x effects is sufficient to reduce x to zero for any finite value of x.This is defined formally as follows (Srivastava et al., 2011b).Let > 0 be an unknown constant that is fixed for an entire execution.Formally, the effect of ⊕x is to non-deterministically increase x by δ ⊕ , where δ ⊕ ∈ [ , ∞).The effect of x is to non-deterministically decrease x by δ such that for every execution, δ ∈ [min{ , x}, x].
To accommodate a unified discussion of these semantics, we will use the notation a(s) to refer to the set of states that can result upon execution of a in s and clarify the semantics being used as required.
Definition 2. A planning domain V, A consists of a finite set of variables V, and a finite set of actions A over V. Definition 3. A planning problem D, s o , g consists of a planning domain D = V, A , a concrete state s 0 and a goal mapping g from V ⊆ V to intervals in N.

Solutions to Planning Problems
At every step, the action to be performed for solving a given planning problem may depend on finite representations of the history of executed actions and received observations.Such solutions can be represented as graph-based generalized plans (Srivastava et al., 2011), or as finite-state controllers (Bonet et al., 2009;Srivastava et al., 2010).Formally, we use the following notion of a finite-state controller based policy.
Definition 4. Let D = V, A be a planning domain and let Ψ be the set of formulas over propositions of the form x i l i where x i ∈ V and l i ∈ N. A finite-memory policy (FMP) for D is defined as Q, q 0 ∈ Q, δ, κ where Q is a finite set of control states, q 0 is the starting state, δ ⊆ Q × Q is the transition relation and κ : δ → Ψ × P(A) is a labeling function that labels each directed edge between control states with an execution condition and a set of actions.
Throughout this paper we will assume that execution conditions on FMP edges include as defaults the non-negativity condition x i ≥ 0, for all x i ∈ V.In practice each variable can have a different lower bound as the methods presented in this paper depend only on the existence of default bounds on variables.The technical results presented in this paper can be easily extended to settings where x i 's also have upper bounds.They can also be extended to settings where x i 's are bounded only above by replacing arguments about actions' effects on decreasing variables with their effects on increasing variables and including the upper bounds as default execution conditions.This representation generalizes the existing forms of policies used with qualitative as well as deterministic semantics.When needed for clarity, we will use the term "control states" or "qstates" to refer to the states of an FMP policy and "problem states" to refer to the states defined by a planning domain.
Execution of an FMP starts with q 0 .At any stage during the execution where the problem state is s 1 ∈ S V and the FMP is in control state q 1 ∈ Q, the agent can execute any action a s.t.there exists a control state q 2 ∈ Q for which κ(q 1 , q 2 ) = (ψ, A), a ∈ A, and s 1 |= ϕ.Following such an action, the FMP's control state becomes q 2 .Execution stops at a state s if the FMP is in a control state q that has no outgoing edges whose execution condition is consistent with s.Thus, an FMP terminates if its execution reaches a terminal control state, or if it reaches a control state such that none of its outgoing edge conditions is satisfied in the current problem state.
An FMP is said to be deterministic iff for every q ∈ Q, the set of outgoing edges are labeled with mutually inconsistent execution conditions and singleton action sets so that at most one action is possible at every step during execution.
Existing notions of qualitative policies are closely related with FMPs.For instance, an abstract policy π (Srivastava et al., 2011b(Srivastava et al., , 2015) ) that maps abstract states to actions can be expressed as FMPs with one control state q 0 and the labeling function κ(q 0 , q 0 ) = {(s, {a}) : π(s) = a}."Sketch" based generalized policies (Bonet & Geffner, 2021) can be expressed as FMPs where the edge label consists of a condition ψ but P(A) is replaced by a set of integers denoting changes in the values of a subset of the variables in V.An edge in such a sketch can be taken if the agent executes a sequence of actions that causes the corresponding change.Since the framework for analysis developed in this paper considers the changes induced by FMP edges rather than the action names, it offers a promising direction for analyzing properties of sketch based policies as well.
We say that an FMP has a well-defined set of terminal states H ⊆ Q if the states in H have no outgoing edges and when started with any state in s ∈ S, execution continues until H is reached.Execution of policies that do not have well-defined halt states can end in arbitrary control states when the policy does not have any outgoing edges corresponding to the current state of the problem.This represents situations that are in some sense unforeseen according to the FMP and is especially common with FMPs that are generated through learning over a limited training dataset.

Solution Properties
Given an initial state s 0 ∈ S V , an execution of an FMP policy Q, q 0 ∈ Q, δ, κ is defined as a sequence (q 0 , s 0 ), a 0 , (q 1 , s 1 ), a 1 , . . .such that κ(q i , q i+1 ) = (ϕ i , A i ), a i ∈ A i , s i+1 ∈ a i (s i ) and s i |= ϕ i .Two criteria over the set of executions possible under an FMP policy can be used to define the quality of the policy.If a policy Φ is such that every execution of Φ stops after a finite number of steps when started with an initial state s 0 , we say that Φ terminates for s 0 .If Φ terminates for all s ∈ S V , we say that it is a terminating policy.A terminating policy whose execution ends only at states satisfying the goal condition g of the given domain is said to be goal achieving.

Determining Termination of Finite Memory Policies
Recall that we adopt the fail-stop mode of execution semantics for FMPs, where execution stops if the current control state has no outgoing edges consistent with the current problem state.As discussed under related work, several algorithms for generalized planning learn or iterate over multiple solution structures that can be expressed in the form of FMPs.To evaluate the utility of a candidate FMP as a solution, we need to consider two key properties: reachability and termination.Ideally, we would want to establish that every execution of an FMP reaches the goal in a finite number of steps for all the initial problem states of interest.
It is well known that decision problems of termination and reachability can be reduced to each other.Prior work (Srivastava et al., 2010(Srivastava et al., , 2012) ) shows that this is undecidable in general, because showing that every execution terminates in a finite number of steps is Algorithm 1: (Progress-Sieve) abstract policy termination test (Srivastava et al., 2015) Input: g = ts(π, sI ) 1 Remove all edges e of g that have a progress variable w.r.t.their SCCs 2 if no edge was removed then 3 Return "Non-terminating" 4 for g ∈ SCCs-of(g) do 5 if Progress-Sieve(g )= "Non-terminating" then 6 Return "Non-terminating" 7 Return "Terminating" equivalent to the halting problem for Turing machines.In this section we present our new approach for hierarchically decomposing and analyzing FMPs to determine termination.
We begin with a formal analysis of the relationship between qualitative semantics and deterministic semantics with respect to termination analysis.

Termination Under Qualitative and Deterministic Semantics
Background on the Sieve family of algorithms The Sieve family of algorithms (Srivastava et al., 2011b(Srivastava et al., , 2015) ) are sound and complete tests of termination under qualitative semantics, but only sound for deterministic semantics.Although the correctness of these algorithms was proved for abstract policies and transition graphs, the results carry over in a straightforward manner to FMPs.The Sieve algorithm (Srivastava et al., 2011b) conducted this analysis for variables bounded below.The Progress-Sieve algorithm (Srivastava et al., 2015) generalized this intuition to settings with variables with discrete observable levels and upper or lower bounds, and is listed here as Alg. 1 for ease of reference.
Intuitively, this class of algorithms operate as follows: for each strongly connected component (SCC), the algorithm identifies "progress" variables that are changed in only one direction (positively or negatively): the direction in which they are bounded (above or below, respectively).Progress-Sieve removes edges modifying such a variable if the edge moves it towards the bound on the variable.If any edge was removed, the entire process is repeated.This continues until either the graph is left with no strongly connected components and the policy is reported as terminating, or strongly connected components remain, but no progress variables are found and the policy is reported as non-terminating.
The following natural result relating termination in deterministic and qualitative settings is useful to list out for completeness: Proposition 1.Let Φ = Q, q 0 , δ, κ be an FMP.If Φ terminates for s 0 ∈ S V under qualitative semantics, then it must terminate for s 0 under deterministic semantics.
The proof is straightforward because increments and decrements by a constant are a special case of qualitative effects.If Φ does not terminate under such effects, then it clearly cannot terminate under the qualitative semantics with the same action instantiations.
However, the other direction is not true: termination under deterministic semantics does not imply termination under qualitative semantics, as shown in the following counterexample.Example 1.Let Φ be an FMP with three qstates q 0 , q 1 and q 2 as shown in Fig. 1.Φ is a terminating policy under deterministic semantics where x = x − 1, ⊕x = x + 1 (due to the default edge conditions on non-negativity).However, it is not a terminating policy under qualitative semantics because the 'es may be small enough to be overwhelmed by the ⊕ in every iteration of the cycle.
This example also shows why we are able to develop sound and complete tests for termination for qualitative numeric planning: under qualitative semantics, actions are sufficiently imprecise that the effective class of terminating policies reduces to match the analysis conducted by the Sieve family of algorithms.This also limits the types of behaviors that can be expressed using qualitative semantics.Srivastava et al. (2015) study this boundary of expressiveness further and identify conditions under which policies with qualitative semantics are insufficient for expressing solutions to planning problems.

A Hierarchical Framework for Termination Analysis
While the Sieve algorithms discussed above constitute an efficient and sound method for identifying a restricted class of terminating FMPs, they have somewhat obvious limitations when considering deterministic semantics, as illustrated in Example 1.Under deterministic semantics with default edge conditions enforcing non-negativity, the execution of this SCC is guaranteed to stop in a finite number of steps regardless of the initial value of the variable being changed by its actions.However, Sieve algorithms cannot determine that this SCC terminates because it does not have a progress variable.This is consistent with completeness under qualitative semantics, which would allow the ⊕ operation to increase the variable arbitrarily, although it misses rather obvious patterns of termination under deterministic semantics.
Example 1 lends some intuition about the type of reasoning that is required to develop a more general algorithm for determining termination under deterministic semantics.Instead of requiring a non-monotonic decrease over all edges in an SCC, we need a way to assess the net changes on a variable over execution segments that can be repeated indefinitely in an infinite execution that might occur when the FMP is interpreted as a finite automaton without edge conditions.However, reasoning about possible execution trajectories in an SCC becomes difficult when nested cycles are present: any number of iterations of one cycle may be interleaved with an arbitrary number of iterations of subsequences another cycle within the same SCC.A test for termination would have to assess all the infinitely many possible permutations of this form.
We formalize this intuition by first defining a richer notion of progress variables as follows.If variables are bounded above, a similar notion of increasing progress variables can be defined and the subsequent analysis can be extended to those cases.As with the default edge conditions, in this paper we focus on the setting where variables are bounded only from below.We focus on deterministic semantics in the rest of this paper.
Definition 5. Let Π be a set of paths in an FMP and let π ∈ Π.A variable v is a netdecrease variable for a path π w.r.t.Π iff v undergoes a net decrease in π and v does not undergo a net increase in any path in Π.We use ⇓ π Π to denote the set of all net-decrease variables for π w.r.t Π and extend this notation to define ⇓ Π as the set of sets of net-decrease variables for all paths in Π: Notice that each element of ⇓ Π is a set.Thus if the number of non-empty sets in ⇓ Π is the same as the cardinality of Π, then every path in Π creates a net decrease in some variable that does not undergo a net increase by any path in Π. Intuitively, if Π denotes the set of all possible paths in (including repetitions) in an SCC, and ⇓ Π has no empty sets then execution cannot continue indefinitely within Π: every path creates a net decrease that cannot be undone in Π and execution conditions include non-negativity.Unfortunately however, this intuition is computationally ineffectual because the set of possible execution paths (which can include multiple executions of SCCs) in a graph with SCCs is infinite.

Structures for Hierarchical Decomposition of FMPs
To push the envelope on determining whether an FMP will terminate, we need to be able to structure the possible executions of an SCC in an FMP.Intuitively, we wish to develop a bottom-up process that analyzes "inner" loops before moving on to "outer" loops that span the inner ones.Although this intuition is helpful, it is not sufficient because an infinite execution of an FMP can include infinitely many non-consecutive occurrences of non-cycles in the form of "bridge" paths and shortcuts through SCCs.We develop this intuition by building on McNaughton's notion of analysis of a graph (McNaughton, 1969), which facilitates the construction of a directed tree over the components of an SCC.For clarity we will use Gruber's version of this concept, formalized as Directed Elimination Trees (Gruber, 2012).Let G X denote the subgraph of G = (V, E) formed using the vertices X ⊆ V .Definition 6.A directed elimination tree (DET) for a non-trivially strongly connected • There is no pair of distinct vertices of the form H, x and H, y If G, v is a node in a DET, we refer to v as the elimination point for that node.We will use the concept of directed elimination trees with FMPs by interpreting an FMP as a graph in the usual manner of representing controllers as graphs.We will use FMPs and their graphs interchangeably and clarify the distinction when required for clarity.In general, an FMP will yield a directed elimination forest (DEF) consisting of one directed elimination tree for each strongly connected component in the FMP.
Example 2. Fig. 2 (left) shows an example of an FMP with edge labels representing actions in deterministic semantics.This example was created by adding additional edges and edge labels to McNaughton's classic example of a strongly connected digraph (McNaughton, 1969).In this example, edge conditions are the default non-negativity conditions.The right subfigure shows a DEF for the same FMP.
Directed elimination trees are closely related to cycle ranks (Eggan, 1963).In fact, the minimal height of directed elimination trees for a graph is the cycle rank of that graph (Mc-Naughton, 1969).Cycle ranks are closely related to multiple notions of the complexity of recurring patterns of behavior, e.g., the star-height of regular expressions.
Although the problem of computing a minimal directed elimination tree is equivalent to the problem of computing the cycle rank of a graph and is NP-complete, our algorithm does not require minimality.This is helpful because polynomial-time divide-and-conquer algorithm can be used to compute a directed elimination tree within a factor O((log n) 3/2 ) of the minimal height.This result and a greater discussion of DETs for structural categorizations of computational complexity can be found at (Gruber, 2012).
Termination Analysis Using DEFs We now develop the formal concepts required to develop a stronger test for termination under deterministic concepts.
We wish to define an inductive, bottom-up process on the directed elimination tree to derive a set of net-progress variables for the entire SCC.To do this, we need to define the notion of a graph that considers sub-components as black boxes that are guaranteed to have net-progress variables.Let G, v be a node in a directed elimination tree for an FMP policy, with children nodes Recall that by definition this implies that G is an SCC such that upon removing v, G is left with SCCs G 1 , . . ., G k .We define the quotient graph of G w.r.t.ch(G, v) (denoted as G| ch(G,v) ) as the graph obtained by replacing each G i in ch(G, v) with a new component vertex c i while inheriting all the edges that led into, or out of G i .Intuitively, c i encapsulates G i and G| ch(G,v) can be thought of as an SCC of rank 1 over G i 's.
Example 3. Fig. 3 shows the quotient graph G| {q4 q5 q6 q7},{q0 q1} for the root node of the non-trivial tree in the DEF from Fig. 2b.Here G is the subgraph of Fig. 2a induced by the qstates {q0, q1, q2, q3, q4, q5, q6, q7}.Since the root node G, q2 has two children nodes, these subgraphs are replaced by component vertices in the quotient graph.Quotient graphs help simplify reasoning about possible executions of a FMP policy.For instance, this quotient graph indicates that any infinite execution of Φ 1 that does not have an infinite suffix in {q4, q5, q6, q7} and in {q0, q1} (i.e., that does not have an infinite execution contained entirely within one of the two child components) must visit q2 infinitely often.
The hierarchical sieve algorithm developed in this paper formalizes the intuition that if each path segment that can be executed infinitely often (while ignoring edge conditions) has a net-progress variable that is not increased by other inner loops, and the outer loop also has such a net-progress variable, then the SCC cannot be executed indefinitely when edge conditions are considered.More precisely, if G| ch(G,v) and each G i ∈ ch(G, v) has net-progress variables that are not increased by the other children of G or by G| ch(G,v) then G itself has a net-progress variable, which implies that executions within G must terminate or exit G.We develop this intuition by first computing a superset of paths (not necessarily complete cycles) that can be executed infinitely often when edge conditions are not considered.
Let G 0 Φ be the graph of an FMP Φ and let G, v be a node in the DEF of G 0 Φ = (V Φ , E Φ ).Let Π c (G, v) denote the set of all cycle-paths in G| ch(G,v) : paths that start and end at v and visit v exactly twice.Π c (G, v) denotes cycles in G| ch(G,v) that start and end at v.
No such path can visit any node (qstate or component vertex) of G| ch(G,v) other than v twice because by definition of the elimination tree and G| ch(G,v) , removing v from G renders G| ch(G,v) acyclic.
We also need to consider paths that go through G without encountering any cycles.Let I G be the set of boundary vertices for edges that enter G, i.e., {v ∈ G : there is a w ∈ V Φ \ G such that w, v ∈ E Φ }.Similarly, let O G be the set of boundary vertices for outgoing edges from G. We define the set of through-paths for G, Π io (G, G 0 Φ ), as the set of all cycle-free paths in G that go from a vertex in I G to a vertex in O G .Notice that this definition of through paths considers all of the vertices in G while the Π c considers paths in G| ch (G,v) .Considering all through-paths in this manner allows for a more accurate algorithmic test for termination but this would be difficult to do while considering all possible combinations of cycles in G, with different possible numbers of iterations of each cycle.Thus we use quotient graphs to hierarchically structure the cycles into a more manageable framework.
Using the notion of net-decrease variables for a set of paths (Def.5), we define the netdecreased set for a node G, v in the elimination tree as the set of sets of net-decrease variables, with one set for each path in Π(G, v).We denote this collection as ⇓ Π(G,v) (abbreviated as ⇓ G,v ).If any path in Π(G, v) has no net-decrease variables, then the set of net decreased variables for that path is included in ⇓ G,v as the empty set, ∅.In the same vein, we define possibly increased variables for G, v , ⇑ G,v , as the set of variables that undergo a net increase in at least one path in Π(G, v).

The GenSieve Algorithm
We now have all of the concepts required to present the main algorithm of this paper.Let A B denote the element-wise set-minus operation where A is a set of sets and B is a set: Let G be the strongly connected graph of an FMP Φ and let G, v be the root node of its DET.If the input FMP has multiple strongly-connected components, we consider each component independently and prove termination by proving that each component terminates.GenSieve (Alg.2) inductively derives an estimate ⇓G,v ( ⇑G,v ) for the set of variables that could undergo a net negative (positive) change in a path in Π(G, v) under default edge labels in G as follows.
Since every directed elimination tree of a finite graph is finite and the base case is defined in closed form, this process must terminate after h recursions where h is the height of the directed elimination tree.
Intuitively, GenSieve generalizes the intuition behind Sieve and Progress-Sieve algorithms.It attempts to identify every minimal path that can occur infinitely often in an execution in the form of Π(G, v).The computation of every such path is difficult because of the variable nature of executions possible in FMPs with cycles, and the DET helps impose a hierarchical structure for extracting them.
GenSieve (Alg.2) uses functions BuildIncVars and BuildDecVars to compute ⇑G,v and ⇓G,v using equations ( 1) and ( 2) respectively.In cases where ⇓G,v includes an empty set, it means that there is a path in Π(G, v) whose infinite execution cannot be ruled out yet.However, the computation of ⇓G,v is conservative and can overestimate the impact of paths that increase variables.Some of these paths can become unreachable after finitely many steps of execution.To accommodate such situations, GenSieve computes the set of variables that are only decreased by elements of Π(G, v) (lines 5-6).It then removes decreasingEdges, or edges that decrease such variables (line 7), and reinvokes the computation of ⇑G,v and ⇓G,v (the while loop starting in line 2).If in any iteration of this loop, each set in ⇓G,v is found to be non-empty, this means that every path that can be executed infinitely often includes at least one variable that undergoes a net negative change that is not increased in any path that can be executed infinitely often.This implies that the FMP must terminate.Theorem 3 asserts this result formally in Sec.5.1.On the other hand, if the algorithm reaches a stage where ⇓G,v contains an empty set and no edges were removed in line 7, GenSieve terminates without asserting termination (lines 8 -10).In practice, we check ⇓G,v for the absence of an empty set before removing decreasingEdges to allow the algorithm to assert termination early if possible.
The Sieve family of algorithms constitute a special case of this general principle: they consider each edge as possibly occurring infinitely often in an execution.Example 1 illustrates how this approach is unnecessarily conservative under deterministic semantics -even though each ⊕ can be executed only in conjunction with two operations, which leads to a minimal recurring path with a net change of −1 in deterministic semantics, Progress-Sieve and Sieve consider the ⊕ edge as an independently executable edge that can undo the negative change.The hierarchical structure developed in our approach makes it possible to extract minimal paths that may occur infinitely often in the execution of FMPs with higher cycle ranks.
Example 5. We continue with the running example Φ 1 from Examples 2 through 4. Gen-Sieve asserts that Φ 1 terminates, after two iterations of the while loop shown in Alg. 2. Edges reducing the variable x2 are removed after the first iteration.Fig. 4 shows the FMP obtained after this operation along with the DEF for this FMP.As seen in Fig. 4(a), every path involving x1 that could be executed infinitely often is a decreasing execution over x1 because the only positive change in x1 is accompanied with a larger negative change.The total time taken was less than 1.2s.The sieve algorithm fails to assert termination of Φ 1 due to the absence of a net decrease variable.
The following sections formalize the key notions required to concretize these intuitions and present our main formal and empirical results.Figure 4: Steps in GenSieve's execution on Φ 1 .

Results
This section presents the key formal and empirical results obtained using the hierarchical analysis framework and the GenSieve algorithm developed in Sec.4.2.We begin with formal results (Sec.5.1) followed by empirical results (Sec.5.2) including results from an implementation of of GenSieve, illustrations of intermediate steps of its execution, and several examples of complex, terminating FMPs that are beyond the scope of prior methods for determining termination but were found to be terminating using the methods developed in this paper.

Theoretical Analysis and Results
In this section we develop new concepts and methods for formalizing the intuitive reasoning behind GenSieve and its soundness.We also illustrate the proof techniques made possible with this framework.These concepts refine the intuitive notions presented with the specification of GenSieve in Sec.4.2.2.We consider the general case of FMPs with default edge conditions.Additional edge conditions can limit the set of possible executions.Therefore, any FMP that is a terminating policy without considering additional edge conditions remains a terminating policy when they are considered.We focus on the case where the default edge conditions lower bound all variables at zero.The same arguments can be transposed to apply to situations where the lower bound is different, as well as to situations where all variables have an upper bound.
The main result of this section, Thm. 3, establishes the soundness of GenSieve.To obtain this result we need to develop additional terminology that allows us to build inductive arguments about the desired properties of ⇑G and ⇓G sets.
Definition 7. Let π be an execution of an FMP policy.If π is finite, we say that π is an increasing (decreasing) sequence for x iff the sum of the effects of actions on x in π is positive (negative).If π is infinite, we say that π is an increasing (decreasing) sequence for x iff there is an index i such that for every j > i, there exists k > j such that the net change on x due to π j,...,k is positive (negative).
Intuitively an infinite increasing sequence for x will increase it indefinitely while an infinite decreasing sequence for x will decrease it indefinitely.
For any path π in a component G of a FMP with a DEF T , we define π| ch(G,v) as a version of π where every maximal contiguous segment of nodes in π that belong to a single child component G j is replaced by the component vertex c j of G| ch(G,v) defined using T .We use the notation v w to denote the set of paths of the form v, v 1 , v 2 , . . ., v n , w in an underlying graph made clear from the context, such that each v i = v j , v i = v and v i = w for distinct i, j ∈ {1, 2, . . ., n}.
To simplify notation, we use ⇑G to denote ⇑G,v 0 where G, v 0 is the root node of the DET for G.The following result establishes that ⇑G is a superset of variables that may be increased indefinitely by Φ.
Lemma 1.Let H be a FMP Φ for a domain D = V, , A , let T H be the directed elimination forest for H and let G, v be a node in T H . Let I G and O G be the set of incoming and outgoing boundary vertices in G.
Suppose that π is an execution of Φ starting from I G such that every qstate in π is in G and either π ends in O G or π is an infinite execution sequence.If π causes a net increase on a variable in x ∈ V under default edge conditions, then x ∈ ⇑G,v .
Proof.We prove the result by induction on the height of G, v .In the proof we will consider execution paths over control states (qstates) in Φ regardless of the problem states because we wish to prove the result under default edge conditions.
Base case Suppose G, v is a leaf node and assume for a proof by contradiction that x is a variable such that π causes a net increase in x but x ∈ ⇑G,v .We first consider the case that π is a finite path that reaches O G .In such a situation, π may or may not include repetition of control states.If there are no repetitions, π ∈ Π io (G, v) and every variable that undergoes a net increase is included in ⇑ G,v by definition.If π includes repetition, then π is of the form q i (v v) * q o where q i ∈ I G and q o ∈ O G , and represents paths without repetitions as noted above.This is because G is a leaf node, which implies that removing v eliminates all cycles in G.In other words, every cycle in G must pass through v.If any of the paths going from v to v in G created a net increase in x, x would have been included in ⇑ G,v by definition.Thus, no segment of π of the form v v can create a net increase in x.This implies π must be a finite path of the form q i v q o that has a net positive change on x.However, such paths are included in Π(G, v), which implies that x should be in ⇑ G,v , leading to a contradiction.
Suppose on the other hand that π is an infinite path that is an increasing sequence for x.Then π must be of the form: q i (v v) * .Since variables that undergo a net positive change in v v are included in ⇑ G,v and x ∈⇑ G,v , the only component that can increase x is the finite prefix q i v.But this implies that after the index i denoting the length of this prefix, x stops increasing in π and π is not an increasing sequence for x.
Inductive case Suppose the hypothesis holds for DEF nodes at height at most k, i.e., if π is an execution that continues indefinitely within G or reaches O G and π is an increasing sequence in a variable x ∈ V, then x ∈ ⇑G,v for all tuples of the form G, v with height at most k.
Let G, v be at height k + 1.We need to prove that if a variable x undergoes a net increase as a result of a path π with the properties noted in the premise, then x ∈ ⇑G,v .Suppose this is not true and there exists a path π in G that starts from q i ∈ I G , and is an increasing sequence for x but x ∈ ⇑G .Since all paths of the form q i q o in G where π cannot be such a path and π must include a cycle.
In general, π may include qstates from its child SCCs.However, since each child is of height at most k and x ∈ ⇑G,v , the inductive hypothesis and the fact that ⇑G,v includes ⇑G i ,v i for its children SCCs (by Eq. 1) implies that no path lying entirely within a child component can be increasing for x.Thus, if π is an increasing sequence for x, π| ch(G,v) must be an infinite sequence of the form q ,v) .In the former case, π's suffix of the form (v v) * must be an increasing sequence for x.The induction hypothesis allows us to conclude that each component of π that is within c i must create a net zero or a net negative change on x because x ∈ ⇑G,v .Thus we can think of each c i as a pseudo-qstate such that paths within c i cannot possibly create a net increase in x.But this implies that x must undergo a net positive change in at least one path of the form v v in G| ch(G,v) , which implies x ∈⇑ G,v by definition of ⇑ G,v , and we reach a contradication.
On the other hand, if π is a finite sequence of the form q i (v v) * q o where q o ∈ O G in G| ch(G,v) , the reasoning is similar.Neither the segments of π within G's child components nor any segment of the form v v can be increasing for x because of the inductive hypothesis and the consideration of Π io (G, v) in ⇑ G,v .This implies that a sequence of the form q i v q o must create a net positive change in x, but that implies that x ∈⇑ G,v by definition.Again, this contradicts x ∈ ⇑G,v .Thus, x must be in ⇑G,v .
The result above shows that the estimated set ⇑G,v is a superset of variables that may be increased in a possible execution of the FMP.For decreases, we require a tighter result: that every possible execution creates a net decrease on some variable.If a subset of the variables that undergo a net decrease in every possible execution does not include the superset of variables that may be increased ( ⇑G,v ) in any possible execution, then we know that every execution must terminate in a finite number of steps due to the default edge conditions.The following theorem establishes what we need with net-decreased variables.
Lemma 2. Let H be the graph of a FMP Φ for a domain D = V, , A , let T H be the directed elimination forest for H and let G, v be a node in T H . Let I G and O G be the set of incoming and outgoing boundary vertices in G.
If ∅ ∈ ⇓G,v and π is an execution of Φ starting from I G such that every qstate in π is in G and either π ends in O G or π is an infinite execution sequence, then π is a net-decreasing execution for at least one variable in V.
Proof.By induction on height of the tuple G, v in T H .
Base Case Let G, v be a leaf tuple such that the empty set, ∅, is not in ⇓G,v and let π be an execution sequence of the form described in the premise.By Eq. ( 1), the premise of the theorem and the fact that Eq. ( 2) cannot remove empty-sets from ⇓G,v , we know that ∅ ∈ ⇓G,v and consequently, that ∅ ∈⇓ G,v .Suppose π is of the form q i q o with q i ∈ I G and q o ∈ O G .By definition of ⇓ G,v , this means that all paths of the form q i q o create a net negative change in at least one variable and we have the desired result.Suppose on the other hand that π is a finite sequence of the form q i (v v) * q o .Because ∅ ∈⇓ G,v , ⇓ G,v includes, for each through path from I G to O G as well as for each v v path in G| ch(G,v) a non-empty set of variables that undergo a net decrease under that path.In this case G| ch(G,v) = G.Thus each of the three types of segments in π (q i v, v v, and q o ) must create a net negative change in at least one variable that is not in ⇑G (recall that we use the abbreviated form ⇑G to refer to ⇑G,v 0 where v 0 is the root of the DET) by Eq. ( 2) and the premise that ∅ ∈ ⇓G,v .This implies that each of these segments creates a net negative change in at least one variable for which π is not an increasing sequence, and thus π must create a net negative change on at least one variable.Finally, suppose π is an infinite sequence of the form q i (v v) * .Through arguments identical to those for the previous form of π, all segments of the form v v must create net negative changes in at least one variable.This implies that π must be a decreasing sequence for at least one variable.
Inductive Case Suppose the result holds for tuples at height at most k.Let G, v be at height k + 1 and ∅ ∈ ⇓G,v .We need to prove that π is a net decreasing sequence for at least one variable.
We consider the finite case first.If π is finite, it may be of form q i q o in G or of the form q i (v v) * q o in G| ch(G,v) with q i ∈ I G and q o ∈ O G .Let π be of the form q i (v v) * q o .The argument for π of the form q i q o is similar.Since ∅ ∈ ⇓G,v , and the empty set cannot be removed as a result of the operation, Eq. ( 2) implies ∅ ∈⇓ G,v and ∅ ∈ ⇓G i ,v i for each child G i , v i .This implies that the components of π within child SCCs must be decreasing sequences because of the inductive hypothesis.Furthermore, all paths of the form q i v q o and all paths of the form v v in G| ch(G,v) must decrease at least one variable because the set of variables that undergo a net negative change due to each such path is added as a set into ⇓ G,v and ∅ ∈⇓ G,v .Furthermore, ∅ ∈ ⇓G,v implies that removing ⇑G from each of these sets leaves them non-empty.By Lemma 1, π cannot result in a net increasing change on any variable not in ⇑G .Thus π is composed of segments, each of which causes a net decrease in at least one variable and each such variable is such that it does not undergo a net increase in the entire finite sequence represented by π.This implies that π is a net decreasing sequence for each of the variables in τG .
If π is infinite, it may be such that it has an infinite suffix in one of the child components of G or such that π| ch(G,v) is of the form q i (v v) * in G| ch(G,v) , because these are the only possible infinite execution sequences in G| ch(G,v) that do not have an infinite suffix within a single child component.Suppose π has an infinite suffix in a child component G i , v i of G. Since ⇓G i ,v i ⊆ ⇓G,v by Eq. ( 2) and ⇑G can never contain ∅ as an element, if ∅ ∈ ⇓G,v then by Eq. (2), ∅ ∈ ⇓G i ,v i .The inductive hypothesis implies that such a suffix must be a net-decreasing sequence for at least one variable.,v) .Consider the infinite segment π vv that is of the form (v v) * .By inductive hypothesis we know that every finite segment of π that lies within a child component G i decreases at least one variable because such a segment constitutes an I G i to O G i path, and Eq. 2 implies that when ∅ ∈ ⇓G,v , ∅ ∈ ⇓G i ,v i because ⇑G cannot contain the set ∅ as an element.Furthermore, each path of the form v v in G| ch(G,v) decreases a variable because such paths are included in Π(G, v) and ∅ ∈⇓ G,v ; each of these decreased variable sets remain non-empty when ⇑G is removed from ⇓G,v .This implies that when π enters the (v v) * segment, each v v segment in G| ch (G,v) and each foray into a child component of G results in a net decrease on at least one variable that is not increased by π after a finite prefix because ⇑G contains all variables that could possibly undergo net increases in π (Lemma 1).Since there are only finitely many variables, the segment of π in v v must create a decreasing sequence on at least one such variable.

Suppose π|
The following result provides the first test of termination using the methods developed in this paper.This result shows that assertions of termination obtained without removing any edges (in executions of GenSieve without using lines 6 and 7) are sound.
Theorem 1.Let Φ be a FMP for a domain D = V, , A .If ∅ ∈ ⇓G,v then Φ is a terminating policy.
Proof.We prove the result assuming that Φ has only default edge conditions because if Φ has additional edge conditions, they will further limit the set of executions possible, thereby maintaining termination.By Lemma 2, we know that every execution π of Φ is a decreasing sequence on at least one variable x ∈ V. Suppose π is an infinite sequence.When started with a finite value for x, every execution of π will eventually lead to an action that attempts to reduce x below zero, at which point the default edge condition will lead to the end of that execution and we arrive at a contradiction.
In cases where ∅ belongs to ⇓G,v , we cannot assert termination directly but the quantities computed in Equations 1 and 2 allow us to simplify the input policy by remove certain edges (lines 6 and 7 in GenSieve) and then continue the analysis.The following results establish that certain edges can be executed only finitely many times, setting up the stage for removing them and creating a simpler policy for the purpose of termination analysis.In particular, if some variables satisfy stronger conditions than membership in an element of ⇓G,v , then the following two results show that edges involving such variables can be executed only finitely many times, and thus removed from consideration when we wish to focus on infinite executions.Lemma 3. Let Φ be a FMP for a domain D = V, , A .Let H Φ be its graph and let T H be its DEF and let Π(H) = G,v ∈T H Π(G, v).Suppose x ∈ V is such that every path ρ ∈ Π(H) that includes an edge with an action that affects x is such that ρ creates a net negative change in x.
Let G, v be a node in T H . Let I G and O G be the set of incoming and outgoing boundary vertices in G.If π is a finite path that starts in I G and ends in O G , then π cannot increase x.
Proof.By induction on the height of G, v in T H .
Base case Let G, v be a leaf node.Since π is a finite path, it must be of the form q i (v v) * q o in G where q i ∈ I G and q o ∈ O G .Since all segments of the form v v are considered in Π (G, v).This leaves a segment of the form q i q o , which is also considered in Π(G, v) as a part of Π io (G, v).Since Π(G, v) is included in Π(H), and no such segments increase x, π cannot increase x.
Inductive case Suppose the result holds for all nodes at height at most k in T H and G, v is at height k + 1. π must be of the form q i (v v) * q o in G| ch(G,v) with q i ∈ I G and q o ∈ O G .All segments of π| ch(G,v) of the form q i q o and v v in G| ch(G,v) are included in π(G, v) and thus these segments cannot create an increase in x.Furthermore, the segments of π within each child component are finite and satisfy the premises of the theorem because Π(H) includes Π(G i , v i ) for all nodes G i , v i ∈ T H . Since these child components are at height at most k, no such segment of π can increase x and we have the result.
Theorem 2. Let Φ be a FMP for a domain D = V, , A .Let H Φ be its graph and let T H be its DEF.Let Π(H) = G,v ∈T H Π(G, v).If x ∈ V is such that every path ρ ∈ Π(H) that includes an edge with an action that affects x is such that ρ creates a net negative change in x, then edges in Φ that decrease x can be executed only finitely many times in every execution of Φ.
Proof.By Eq. 1 and the definitions of ⇑ and ⇑, x cannot be in ⇑H .By Lemma 1, no infinite execution of Φ can be an increasing sequence for x.Suppose an edge that decreases x is executed infinitely often (perhaps because a subsequent edge increases x).Let π be such an infinite execution sequence in a subgraph G corresponding to the tuple G, v in T H .
Base case π must be of the form q i (v v) * .x cannot possibly have a net positive or net zero change in segments of the form v v because such segments are considered in Π(G, v) and such segments create a net negative change on x by the premise of the theorem.Thus π can have only finitely many occurrences of edges that reduce x in all of its segments of the form v v due to the default edge conditions.x may undergo a net positive change in the segment q i v but this segment can have only finitely many decreases.Thus we have a contradiction.
Inductive case Suppose the premise holds for G i , v i at height at most k and G, v is at height k + 1. π| ch(G,v) must be of the form q i c i in G| ch(G,v) with an infinite segment within a child SCC G i , or of the form q i (v v) * .In the former case, the induction hypothesis implies that the segment of π within G i will have only finitely many occurrences of edges that decrease x.
Suppose π| ch(G,v) is of the form q i (v v) * in G| ch(G,v) .No segment within child components will increase x because x is reduced by every path in Π(H) that affects it, by the premise of this theorem and Lemma 3. Segments of π that lie within child components will include only finitely many executions of edges that reduce x because these segments will be finite (execution returns to v infinitely often in this case).Furthermore, paths of the form v v are considered in Π(G, v) and all such paths create a net reduction in x, as noted in the premise.Thus π can decrease x only finitely many times before further decreases are prevented due to the default edge conditions.
Corollary 1.When the premise of Theorem 4 holds for a FMP Φ and a variable x, every execution π of Φ has a last step i after which π does not use edges that decrease x.
Theorem 2 and Corollary 1 above allow us to design the complete GenSieve, which proceeds by iteratively computing ⇓G,v , and if ∅ ∈ ⇓G,v , removing edges that reduce variables that satisfy the premise of Theorem 2 (lines 6 and 7 in GenSieve), and repeating the process with the reduced graph.This process generalizes the intuition behind Sieve and Progress-Sieve, which are special cases obtained by replacing Π(G, v) with the set of all edges of G.
Theorem 3. If GenSieve returns "terminating" when called with a FMP Φ then all executions of Φ are finite.
Proof.GenSieve computes the set ⇓G,v for the graph of Φ. Theorem 2 establishes the desired result if line 11 is reached without executing lines 6 and 7 (pruning of decreasing edges).Execution of lines 6 and 7 results in a smaller policy Φ .Suppose GenSieve returns "terminating" for Φ and yet Φ has an infinite execution.By Corollary 1, after a finite prefix, this infinite execution never decreases variables that are removed in lines 6 and 7.The infinite suffix after this prefix does not use any edges that were removed from Φ to create Φ , so this must be an infinite execution for Φ as well, but this contradicts the consequence of Theorem 1 for Φ .Therefore if GenSieve returns "terminating" after finitely many iterations of the main loop (line 2), Φ and all of the intermediate pruned policies are terminating policies.
The analysis presented above can also be generalized to apply to FMPs under qualitative semantics where the absolute value of all decreases ( ) is bounded below to be at least δ and all increases (⊕) are bounded above to be at most δ ⊕ , so that we can obtain conservative estimates of the net change due to a sequence with x decreases and y increases as ≤ xδ ⊕ − yδ .In such a case we would replace all net changes with xδ ⊕ − yδ .The analysis conducted above uses the same value xδ ⊕ − yδ but for deterministic semantics with ⊕ = δ ⊕ = +1 and = −δ = −1.
The time complexity of GenSieve depends on the number of nodes in the DET and the number of vertices in the quotient graphs.The process of computing all paths between two vertices in a graph is O(2 V ) and this is done O(k) times in BuildDecVars and BuildIncVars where k is the number of nodes in the DET.Let q be the maximum number of vertices in quotient graphs and let l be the number of segments included in the Π(G, v) sets, which are subsets of non-repeating paths in graphs of at most q vertices.Thus the runtime complexity is O(k2 q +kl) ≡ O(k2 q ).In practice we found q to be significantly less than the total number of qstates in FMPs with multiple strongly connected components.
The approach presented in this section is complementary to methods based on the synthesis of ranking functions for linear arithmetic simple-while loop programs (Cook et al., 2006) and the two approaches can be used in conjunction by using our approach to produce a finite set of possible paths that need to be validated.

Empirical Analysis and Results
We developed a preliminary implementation of GenSieve in Python.All experiments were carried out on a laptop with a 3.1GhZ Quad-Core Intel Core i7 processor and 16GB of RAM.
We tested the implementation using custom generated FMPs as well as randomized, autogenerated FMPs.This implementation caches quotient graphs with DEF nodes but several other optimizations are possible, e.g., by computing the sets constructed in BuildIncVars and BuildDecVars simultaneously for each DEF node.DEFs are computed in a straightforward manner by identifying all SCCs, removing a randomly selected vertex from each of the SCCs and repeating this process on each of the resulting graphs.All reported times include the time taken for generating DEFs in this manner.
We present several randomly generated FMP policies with increasing numbers of nodes where the sieve algorithm is unable to assert termination due to the absence of net decrease variables but GenSieve asserts termination.We limited the randomly generated policies to use a small number of variables to make the analysis of termination harder as with larger numbers of variables there tend to be fewer instances of the same variable being increased and decreased in the same strongly connected component.Further analysis of the ratio of variables to control states and its relationship with difficulty of asserting termination is a promising direction in the study of termination assessment of FMPs.
The runtime for this Python implementation was less than 2-3s in all of our experiments.However it can be difficult to randomly generate interesting policies that can be manually verified as terminating policies, especially with more than 5-6 control states.Currently, generating such policies (with and without consideration of termination properties) is one of the major thrusts in research on generalized planning.GenSieve can be used for analysis of candidate FMPs in algorithms for the synthesis or learning of generalized plans.
Figures 5 to 10 show randomly generated policies and the DEFs generated for them initially as well after every round of edge removal.All of these policies were found to be terminating by GenSieve.The Sieve algorithm could not assert termination for any of these policies.Some of the policies required multiple rounds of edge removals.An additional policy that required four iterations of the main while loop in GenSieve is presented in Appendix A.

Dependence on Directed Elimination Forests
The analysis conducted by GenSieve is dependent on the DEF because DEF nodes guide the construction of quotient graphs and the path sets Π(G, v).We observed that in rare cases GenSieve can return "unknown" with one DEF and "terminating" with another DEF for the same FMP.Fig. 11 shows an example of an FMP (Φ 9 ) that exhibits this feature.
When run with DET Φ 9 , GenSieve returns "terminating" but it returns "unknown" when run with DET Φ 9 .
The formal analysis presented in Sec.5.1 ensures that the input policy terminates if GenSieve returns "terminating" for any DEF for the policy.The set of possible DEFs is finite, albeit exponential in the number of qstates in the FMP and running GenSieve with all possible DEFs for an FMP could be viewed as a reasonable cost of determining termination.An alternative approach could develop a probabilistic by allocating a fixed computational budget towards assessing termination, and iteratively sampling a DEF and running GenSieve with the sampled DEF until the computational budget is exhausted.When used with D Φ9 , GenSieve returns "unknown" in 2s.

Conclusions
We presented a new approach that uses graph theoretic decompositions of finite-memory policies to efficiently determine whether they permit non-terminating executions.In contrast to prior approaches, this framework neither requires qualitative semantics nor does it place a priori restrictions on the structure of FMPs that it can analyze.Empirical evaluation shows that these methods go beyond the scope of existing approaches for this problem.Several optimizations and extensions are possible with this new framework for analyzing generalized plans.Parallelized implementations for per-DET analyses, better bookkeeping and compiled language implementations could be used to speed up the presented algorithm.
The current methods could be refined to incorporate more precise estimates of graph connectivity to refine the set of paths that could be composed together in an execution.Edge conditions can be also be included in this analysis.Heuristic search techniques could be developed to create DETs that are more likely to identify termination and mitigate the impact of the order of node elimination in the creation of DETs and in the analysis carried out by GenSieve.Finally, the hierarchical approach developed in this paper could be used in heuristics and early pruning strategies for learning and synthesizing generalized finite memory policies.
Figure 2: A finite-memory policy and its directed elimination forest.Nodes in D Φ1 are labeled (V G , v) where V G is the set of vertices for the component G.

Figure 3 :
Figure 3: Quotient graph corresponding to the first node of the non-trivial tree in Fig. 2b.Component vertices are labeled using the prefix c:.