Regression Verification. Benny Godlin, Ofer Strichman (Technion)
The goal of Regression Verification
- The goal: formally verify the equivalence of two similar programs.
- Pros:
  - Does not require a formal specification.
  - Computationally easier than functional verification
    - Ideally, the complexity should depend on the semantic difference between the programs, and not on their size.
- Cons:
  - Defines a weaker notion of correctness.
Previous work
- In the theorem-proving world (mostly @ ACL2 community):
  - Not dealing with realistic programs / realistic programming languages
  - Not utilizing the equivalence of most of the code for simplifying the computational challenge
- Industrial / realistic programs:
  - Code free of: loops, recursion, dynamic-memory allocation
    - microcode @ Intel,
    - embedded code @ Feng & Hu,
    - symbolic simulation @ Matsumoto et al.
Our notion of equivalence
- Partial equivalence:
  - Executions of P1 and P2 on equal inputs
  - ...which terminate,
  - result in equal outputs.
- Undecidable
Partial equivalence
- Consider the call graphs: [Figure: A on Side 1 and B on Side 2, each with a recursive call to itself] ... where A, B have:
  - the same prototype
  - no loops
- Prove partial equivalence of A, B
  - How shall we handle the recursion?
Hoare's Rule for Recursion
Let A be a recursive function.
"... The solution ... is simple and dramatic: to permit the use of the desired conclusion as a hypothesis in the proof of the body itself." [H'71]
Hoare's Rule for Recursion
  // {p}
  A(...) {
    ...
    // {p}
    call A(...);
    // {q}
    ...
  }
  // {q}
Rule 1: Proving partial equivalence
  //in[A]
  A(...) {
    ...
    //in[call A]
    call A(...);
    //out[call A]
    ...
  }
  //out[A]

  //in[B]
  B(...) {
    ...
    //in[call B]
    call B(...);
    //out[call B]
    ...
  }
  //out[B]
Rule 1: Proving partial equivalence
- Q: What can a verification condition for the premise look like?
- A: Replace the recursive calls with calls to functions that
  - over-approximate A, B, and
  - are partially equivalent by construction
- Natural candidates: uninterpreted functions
Proving partial equivalence
- Let A, B be recursive functions as defined earlier
- Let A^UF, B^UF be A, B after replacing the recursive call with a call to (the same) uninterpreted function.
- We can now rewrite the rule with A^UF, B^UF in the premise: the premise is decidable
Using (PART-EQ-1): example

  unsigned gcd1(unsigned a, unsigned b) {
    unsigned g;
    if (b == 0) g = a;
    else {
      a = a % b;
      g = gcd1(b, a);      // in gcd1^UF: g = U(b, a);
    }
    return g;
  }

  unsigned gcd2(unsigned x, unsigned y) {
    unsigned z;
    z = x;
    if (y > 0) z = gcd2(y, z % y);   // in gcd2^UF: z = U(y, z % y);
    return z;
  }

Are gcd1 and gcd2 partially equivalent? Transitions: T_gcd1, T_gcd2. Inputs: a, b and x, y. Outputs: g and z.
Rule 1: example
                        side 1    side 2
  Transition functions  T_gcd1    T_gcd2
  Inputs                a, b      x, y
  Outputs               g         z
  Premise: equal inputs imply equal outputs
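The PART-EQ-1 premise for the gcd example, as an added example that is not part of the slides: both sides are rewritten so the recursive call goes to one shared function U, and the loop-free premise (equal inputs imply equal outputs) is evaluated. The slides discharge this premise with a bounded model checker over all interpretations of U; here a constructed injective interpretation (Cantor pairing) and a bounded enumeration stand in for the solver, and gcd2_regressed_uf is a hypothetical off-by-one variant, not from the slides, showing how a misaligned side makes the premise fail.

```python
from itertools import product

BOUND = 16  # inputs enumerated in [0, BOUND)^2

def U(p, q):
    """Constructed interpretation of the uninterpreted function: Cantor pairing,
    offset by BOUND so its values never collide with a raw input returned on the
    b == 0 branch. Any consistent function would do; the premise must hold for all."""
    return BOUND + (p + q) * (p + q + 1) // 2 + q

def gcd1_uf(a, b, U):
    """gcd1^UF from the slides: the recursive call gcd1(b, a) is replaced by U(b, a)."""
    if b == 0:
        g = a
    else:
        a = a % b
        g = U(b, a)
    return g

def gcd2_uf(x, y, U):
    """gcd2^UF from the slides: the recursive call gcd2(y, z % y) is replaced by U(y, z % y)."""
    z = x
    if y > 0:
        z = U(y, z % y)
    return z

def gcd2_regressed_uf(x, y, U):
    """Hypothetical regressed side 2 (constructed, not from the slides): guard is y > 1,
    so for y == 1 it returns x instead of calling U."""
    z = x
    if y > 1:
        z = U(y, z % y)
    return z

def check_premise(side1, side2, bound=BOUND, U=U):
    """Evaluate the PART-EQ-1 premise under interpretation U for every input pair in
    [0, bound)^2. Returns None if the premise holds on the box, otherwise the first
    counterexample (a, b, out1, out2). A failure means the rule cannot prove
    equivalence, not necessarily that the original programs differ."""
    for a, b in product(range(bound), repeat=2):
        o1, o2 = side1(a, b, U), side2(a, b, U)
        if o1 != o2:
            return (a, b, o1, o2)
    return None

if __name__ == "__main__":
    print(check_premise(gcd1_uf, gcd2_uf))            # None: premise holds
    print(check_premise(gcd1_uf, gcd2_regressed_uf))  # (0, 1, 17, 0): premise fails
```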
Partial equivalence: Generalization
- Assume:
  - no loops;
  - a 1-1 mapping `map` between the recursive functions of both sides
    - Mapped functions have the same prototype
- Define:
  - For a function f, UF(f) is an uninterpreted function such that
    - f and UF(f) have the same prototype
    - (f, g) ∈ map implies UF(f) = UF(g).
Partial equivalence: Generalization
- Definition: … is called in A]
Partial equivalence: Example
{(g, g'), (f, f')} ∈ map
[Figure: Side 1 with g and f, Side 2 with g' and f'; marked calls are calls to UF]
Need to prove: f^UF = f'^UF and g^UF = g'^UF
Partial equivalence: Example
{(g, g'), (f, f')} ∈ map
[Figure: Side 1 with g and f, Side 2 with g' and f'; marked calls are calls to UF]
Need to prove: g^f = g'^f'
Partial equivalence: extensions
[Figure: Side 1 with g calling f; Side 2 with g' calling f' and h'; S = {(g, g')}; calls not in S marked X]
- Find a subset S of the mapped pairs that intersects all cycles on both sides
  - Replace calls to S functions with calls to uninterpreted functions.
  - Inline the rest
- Prove equivalence of the S pairs.
Partial equivalence: extensions
[Figure: the same call graphs (Side 1: g, f; Side 2: g', f', h') shown for S = {(g, g')} and for S = {(g, g'), (f, f')}]
Partial equivalence: extensions
- Recall: S is a set of pairs of functions
- Let m.S denote the set of functions that appear in an S pair.
- Let … is called in A]
Partial equivalence: bottom-up
[Figure: call graphs with g, h, f on side 1 and g', f', h' on side 2]
- Connected SCCs are proved bottom-up
- Abstract partially-equivalent functions with uninterpreted functions
- Inline
PART-EQ: Soundness
- Proved soundness for a simple programming language (LPL)
  - Covers most features of modern imperative languages
  - ...but does not allow
    - call by reference, and
    - address manipulation.
What (PART-EQ) cannot prove...
[Figure: side 1 returns n + nondet(); side 2 returns n + n - 1 + nondet()]
What (PART-EQ) cannot prove...
When n == 1: side 1 returns 1; side 2 returns 1 + nondet()
- Many of these problems can be solved with unrolling + function summaries
Decomposition algorithm (with SCCs)
Legend: equivalent pair; equivalence undecided yet; could not prove equivalent; syntactically equivalent pair
[Figure: call graph A with f1, f2, f3, f4, f5, f6 and call graph B with f1', f2', f3', f4', f5', f6'; U marks calls replaced by uninterpreted functions; pairs are checked with CBMC; annotation "Equivalent if MSCC ..."]
- Slides: 25