1

Regression-Verification

Benny Godlin, Ofer Strichman

Technion

(Slide transcript, 25 slides, posted 20-Dec-2015.)

2

The goal of Regression Verification

The goal: formally verify the equivalence of two similar programs (typically consecutive versions of the same program).

Pros: Does not require a formal specification. Computationally easier than functional verification.

Ideally, the complexity should depend on the semantic difference between the programs, and not on their size.

Cons: Defines a weaker notion of correctness: the new version is shown to behave like the old one, not to be correct in an absolute sense.

3

Previous work

In the theorem-proving world (mostly the ACL2 community):
  not dealing with realistic programs / realistic programming languages;
  not utilizing the equivalence of most of the code to simplify the computational challenge.

Industrial / realistic programs: code free of loops, recursion and dynamic-memory allocation:
  microcode at Intel, embedded code (Feng & Hu), symbolic simulation (Matsumoto et al.).

4

Our notion of equivalence

Partial equivalence

Executions of P1 and P2 on equal inputs which terminate result in equal outputs.
(Nothing is claimed about termination itself: an input on which one side diverges imposes no obligation.)

Partial equivalence is undecidable in general.

5

Partial equivalence

Consider the call graphs of two recursive functions, A on side 1 and B on side 2, each calling itself, where A and B have the same prototype and no loops.

Prove partial equivalence of A and B. How shall we handle the recursion?

6

Hoare’s Rule for Recursion

Let A be a recursive function.

“… The solution... is simple and dramatic: to permit the use of the desired conclusion as a hypothesis in the proof of the body itself.” [H’71]

7

Hoare’s Rule for Recursion

  // {p}
  A( . . . )
  {
    . . .
    // {p}
    call A(. . .);
    // {q}
    . . .
  }
  // {q}

To prove {p} A {q}, the triple {p} call A {q} may be assumed for the recursive call inside the body: the desired conclusion is used as a hypothesis.

8

Rule 1: Proving partial equivalence

  Side 1                          Side 2
  //in[A]                         //in[B]
  A( . . . )                      B( . . . )
  {                               {
    . . .                           . . .
    //in[call A]                    //in[call B]
    call A(. . .);                  call B(. . .);
    //out[call A]                   //out[call B]
    . . .                           . . .
  }                               }
  //out[A]                        //out[B]

Premise: assuming the recursive calls are partially equivalent (equal in[call A] and in[call B] imply equal out[call A] and out[call B]), prove that equal in[A] and in[B] imply equal out[A] and out[B].
Conclusion: A and B are partially equivalent.

9

Rule 1: Proving partial equivalence

Q: What does a verification condition for the premise look like?
A: Replace the recursive calls with calls to functions that over-approximate A and B and are partially equivalent by construction.

Natural candidates: uninterpreted functions (the same uninterpreted function on both sides, so equal arguments yield equal results by definition, and nothing else is assumed).

10

Proving partial equivalence

Let A, B be recursive functions as defined earlier. Let A^UF, B^UF be A, B after replacing the recursive call with a call to (the same) uninterpreted function. We can now rewrite the rule with A^UF and B^UF in the premise.

The premise is decidable: the bodies contain no loops and the recursive call is now an uninterpreted function, so the verification condition is a formula in a decidable theory (e.g. bit-vectors with uninterpreted functions) that a bounded model checker or SMT solver can discharge.

11

Using (PART-EQ-1): example

gcd1^UF and gcd2^UF: the two gcd implementations with the recursive call replaced by a call to the shared uninterpreted function U.

  unsigned gcd1UF (unsigned a, unsigned b)
  {
    unsigned g;
    if (b == 0)
      g = a;
    else {
      a = a % b;
      g = U(b, a);       // was: g = gcd1(b, a);
    }
    return g;
  }

  unsigned gcd2UF (unsigned x, unsigned y)
  {
    unsigned z;
    z = x;
    if (y > 0) {
      z = U(y, z % y);   // was: z = gcd2(y, z % y);
    }
    return z;
  }

Question: are gcd1UF and gcd2UF partially equivalent?

Transition functions: Tgcd1 (of gcd1UF), Tgcd2 (of gcd2UF)
Inputs: a, b (side 1); x, y (side 2)
Outputs: g (side 1); z (side 2)

12

Rule 1: example

  side 1: transition function Tgcd1, inputs a, b, output g
  side 2: transition function Tgcd2, inputs x, y, output z

Verification condition (equal inputs imply equal outputs):

  $$(a = x \land b = y) \land T_{gcd1} \land T_{gcd2} \rightarrow (g = z)$$
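The verification condition above, decided by brute force instead of by a model checker, as an added example that is not part of the slides. The shared uninterpreted function U is modelled as an opaque term, so two U results compare equal only when they were built from identical arguments, which is exactly (and only) what an uninterpreted function guarantees; both abstracted bodies are then run on every equal input pair over a small domain. The pair f/g at the end is a constructed, hypothetical example of what the rule cannot prove (the two sides recurse by different strides), together with the unrolling fix mentioned on slide 23; neither f nor g appears in the original deck.

```python
"""Added example (not from the slides): check the PART-EQ-1 premise by
exhaustive evaluation of the UF-abstracted bodies over a small input domain."""
import itertools


class Term:
    """Opaque value: U applied to concrete arguments, plus an integer offset.

    Equality is structural, which is all an uninterpreted function provides.
    Only 'term + int' is supported; that is enough for the examples below."""

    def __init__(self, args, offset=0):
        self.args = tuple(args)
        self.offset = offset

    def __add__(self, k):
        return Term(self.args, self.offset + k)

    __radd__ = __add__

    def __eq__(self, other):
        return (isinstance(other, Term)
                and (self.args, self.offset) == (other.args, other.offset))

    def __hash__(self):
        return hash((self.args, self.offset))

    def __repr__(self):
        return f"U{self.args} + {self.offset}"


def U(*args):
    """The single uninterpreted function shared by both sides."""
    return Term(args)


# --- gcd1^UF / gcd2^UF from the slides, transcribed from C to Python ---
def gcd1_uf(a, b):
    if b == 0:
        g = a
    else:
        a = a % b
        g = U(b, a)          # was: gcd1(b, a)
    return g


def gcd2_uf(x, y):
    z = x
    if y > 0:
        z = U(y, z % y)      # was: gcd2(y, z % y)
    return z


def check_premise(side1, side2, arity, domain):
    """Evaluate 'equal inputs -> equal outputs' on every input tuple drawn
    from `domain`.  Returns the counterexamples (inputs, out1, out2); an
    empty list means the premise holds on that domain."""
    bad = []
    for inputs in itertools.product(domain, repeat=arity):
        o1, o2 = side1(*inputs), side2(*inputs)
        if o1 != o2:
            bad.append((inputs, o1, o2))
    return bad


# --- Constructed pair (hypothetical, not from the slides) that PART-EQ-1
# cannot prove: both compute max(n, 0), but f recurses by 1 and g by 2, so
# the abstracted results are U(n-1)+1 versus U(n-2)+2. ---
def f_uf(n):
    if n <= 0:
        return 0
    return U(n - 1) + 1      # f(n) = f(n-1) + 1


def g_uf(n):
    if n <= 0:
        return 0
    if n == 1:
        return 1
    return U(n - 2) + 2      # g(n) = g(n-2) + 2


def f_uf_unrolled(n):
    """f with its recursive call inlined once before abstracting (unrolling),
    which lines its remaining call up with g's call."""
    if n <= 0:
        return 0
    m = n - 1
    if m <= 0:
        return 0 + 1
    return U(m - 1) + 1 + 1


if __name__ == "__main__":
    print("gcd1/gcd2:", check_premise(gcd1_uf, gcd2_uf, 2, range(256)))
    print("f/g:", check_premise(f_uf, g_uf, 1, range(6))[:3])
    print("unrolled f/g:", check_premise(f_uf_unrolled, g_uf, 1, range(6)))
```

Enumerating 0..255 for both arguments is a proof only for that domain; the real tool obtains the unbounded result by handing the same loop-free formula to a bounded model checker, where the bit-vector domain is finite anyway. The f/g counterexamples show the rule's blind spot: the concrete functions agree, but the shared U produces different terms on the two sides, and only after unrolling f once do the terms coincide.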

13

Partial equivalence: Generalization

Assume: no loops; a 1-1 mapping map between the recursive functions of both sides; mapped functions have the same prototype.

Define: for a function f, UF(f) is an uninterpreted function such that
  f and UF(f) have the same prototype, and
  (f, g) ∈ map ⇒ UF(f) = UF(g).

14

Partial equivalence: Generalization

Definition: A^UF is A after replacing each call to a mapped function f that is called in A with a call to UF(f).

15

Partial equivalence: Example

Side 1: f calls g, and g calls f.   Side 2: f' calls g', and g' calls f'.
{(g,g'), (f,f')} ⊆ map

Need to prove (each call to a mapped function becomes a call to its UF):

  f^UF = f'^UF   (the calls to g and g' both become calls to UF(g))
  g^UF = g'^UF   (the calls to f and f' both become calls to UF(f))

17

Partial equivalence: extensions

Find a subset S of the mapped pairs that intersects all cycles on both sides. Replace calls to S functions with calls to uninterpreted functions; inline the rest. Prove equivalence of the S pairs.

[Call-graph figure: side 1 has f and g, side 2 has f', g' and h'. With S = {(g,g')} only the calls to g and g' are abstracted and the remaining calls are inlined; with S = {(g,g'),(f,f')} both pairs are abstracted.]

19

Partial equivalence: extensions

Recall: S is a set of pairs of functions.

Let mS denote the set of functions that appear in an S pair.

Let A^UF(S) be A after replacing each call to a function in mS that is called in A with a call to its uninterpreted function, with the remaining calls inlined.

20

Partial equivalence: bottom-up

Connected SCCs are proved bottom-up:
  abstract functions already proved partially equivalent with uninterpreted functions;
  inline the rest.

[Call-graph figure: f, g mutually recursive on side 1 and f', g' on side 2, together with a further mapped pair h, h'.]

21

PART-EQ: Soundness

Proved soundness for a simple programming language (LPL). Covers most features of modern imperative languages, but does not allow call by reference or address manipulation.

22

What (PART-EQ) cannot prove...

  side 1 returns n + nondet()
  side 2 returns n + n - 1 + nondet()

The rule fails whenever the recursive calls on the two sides do not line up with equal arguments: the shared uninterpreted function then yields different terms on the two sides, even if the concrete functions agree.

Many of these problems can be solved with unrolling + function summaries:

  when n == 1: side 1 returns 1, side 2 returns 1 + nondet()

24

Decomposition algorithm (with SCCs)

[Figure: the call graphs of A (f1 ... f6) and B (f1' ... f6'), processed bottom-up. Each mapped pair is marked according to the legend; calls to pairs already proved equivalent are abstracted with an uninterpreted function U, and the verification condition of each remaining pair is discharged with CBMC.]

Legend:
  Equivalent pair
  Syntactically equivalent pair
  Equivalence undecided yet
  Could not prove equivalent
  Equivalent if MSCC (mutually recursive functions form a maximal SCC and are proved together)
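The bottom-up decomposition of slides 20 and 24, as an added example that is not the authors' tool. It takes each side as a call graph, finds the SCCs with Tarjan's algorithm so that callees are handled before callers, marks verbatim copies as syntactically equivalent, abstracts recursive calls and already-proved callees with a shared uninterpreted function, and refuses to attempt a pair whose callee could not be proved. The per-pair proof (CBMC in the real tool) is a callback; the programs, bodies and verdict table in `demo()` are constructed for illustration and do not come from the slides.

```python
"""Added example (not the authors' tool): the bottom-up decomposition of
slides 20 and 24 run on a constructed pair of call graphs.

Each side is a call graph {function: [callees]} and `mapping` is the 1-1 map
between the sides.  SCCs of side 1 are visited callees-first.  In each SCC
every recursive call and every callee already proved equivalent is abstracted
with a shared uninterpreted function; proving the SCC's pairs themselves
(CBMC in the real tool) is a callback prove(pairs, abstracted) -> bool."""

EQUIV, SYNTAX_EQUIV, FAILED = "equivalent", "syntactically equivalent", "could not prove"


def sccs(graph):
    """Tarjan's algorithm: SCCs of `graph`, callees before callers."""
    index, low, on_stack, stack, out = {}, {}, set(), [], []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in graph.get(v, ()):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:           # v is the root of an SCC
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            out.append(frozenset(comp))

    for v in list(graph):
        if v not in index:
            visit(v)
    return out


def rename(body, mapping):
    """Normalise whitespace and rename side-1 callees to their side-2 images."""
    body = " ".join(body.split())
    for f, g in mapping.items():
        body = body.replace(f + "(", g + "(")
    return body


def decompose(calls1, calls2, mapping, bodies1, bodies2, prove):
    """Return {(f, f'): status} after walking side 1's SCCs bottom-up."""
    status, side2_sccs = {}, set(sccs(calls2))
    for comp in sccs(calls1):
        pairs = sorted((f, mapping[f]) for f in comp)
        callees = {c for f in comp for c in calls1.get(f, ())}
        outside, recursive = callees - comp, callees & comp
        if frozenset(mapping[f] for f in comp) not in side2_sccs:
            verdict = FAILED             # mapping does not line up the recursion
        elif any(status.get((c, mapping[c])) not in (EQUIV, SYNTAX_EQUIV) for c in outside):
            verdict = FAILED             # an unproved callee cannot share a UF
        elif all(rename(bodies1[f], mapping) == " ".join(bodies2[g].split()) for f, g in pairs):
            verdict = SYNTAX_EQUIV       # identical code over proved callees: no VC needed
        else:
            abstracted = sorted(outside | recursive)
            verdict = EQUIV if prove(pairs, abstracted) else FAILED
        for p in pairs:
            status[p] = verdict
    return status


def demo():
    # Constructed programs: f5/f6 are mutually recursive, f3' is a verbatim
    # copy of f3, f4' was rewritten, and the other side-2 bodies were reordered.
    calls1 = {"f1": ["f2", "f5"], "f2": ["f3", "f4"], "f3": [], "f4": [],
              "f5": ["f6"], "f6": ["f5"]}
    calls2 = {"f1'": ["f2'", "f5'"], "f2'": ["f4'", "f3'"], "f3'": [], "f4'": [],
              "f5'": ["f6'"], "f6'": ["f5'"]}
    mapping = {f: f + "'" for f in calls1}
    bodies1 = {"f1": "return f2(x) + f5(x);", "f2": "return f3(x) * f4(x);",
               "f3": "return x + 1;", "f4": "return x * 2;",
               "f5": "if (x == 0) return 0; return f6(x - 1) + 1;",
               "f6": "if (x == 0) return 0; return f5(x - 1) + 1;"}
    bodies2 = {"f1'": "return f5'(x) + f2'(x);", "f2'": "return f4'(x) * f3'(x);",
               "f3'": "return x + 1;", "f4'": "return x << 1;",
               "f5'": "if (x == 0) return 0; return 1 + f6'(x - 1);",
               "f6'": "if (x == 0) return 0; return 1 + f5'(x - 1);"}
    # Constructed verdicts standing in for CBMC runs on each SCC's VC.
    verdicts = {("f4", "f4'"): False, ("f5", "f5'"): True, ("f6", "f6'"): True}
    attempted = []

    def prove(pairs, abstracted):
        attempted.append(pairs)
        return all(verdicts[p] for p in pairs)

    return decompose(calls1, calls2, mapping, bodies1, bodies2, prove), attempted


if __name__ == "__main__":
    for pair, verdict in demo()[0].items():
        print(pair, "->", verdict)
```

In the demo only two verification conditions are ever generated: the rewritten leaf f4/f4' and the mutually recursive SCC {f5, f6}. Because f4/f4' cannot be proved, its callers f2/f2' and f1/f1' are never attempted, since abstracting an unproved callee with the same uninterpreted function on both sides would be unsound.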
