1 Regression-Verification Benny Godlin Ofer Strichman Technion

2 The goal of Regression Verification The goal: formally verify the equivalence of two similar programs. Pros:  Does not require formal specification.  Computationally easier than functional verification Ideally, the complexity should depend on the semantic difference between the programs, and not on their size. Cons:  Defines a weaker notion of correctness.

3 Previous work In the theorem-proving world ACL2 community):  Not dealing with realistic programs / realistic programming languages  Not utilizing the equivalence of most of the code for simplifying the computational challenge Industrial / realistic programs:  Code free of: loops, recursion, dynamic-memory allocation Intel, embedded Feng & Hu, symbolic Matsumoto et al.

4 Our notion of equivalence Partial equivalence  Executions of P1 and P2 on equal inputs …which terminate, result in equal outputs. Undecidable

5 Partial equivalence Consider the call graphs:  … where A, B have: same prototype no loops Prove partial equivalence of A, B  How shall we handle the recursion ? A B Side 1Side 2

6 Hoare ’ s Rule for Recursion Let A be a recursive function. “… The solution... is simple and dramatic: to permit the use of the desired conclusion as a hypothesis in the proof of the body itself. ” [H’71]

7 Hoare ’ s Rule for Recursion // {p} A(... ) {... // {p} call A(...); // {q}... } // {q}

8 //in[A] A(... ) {... //in[call A] call A(...); //out[call A]... } //out[A] Rule 1: Proving partial equivalence A B //in[B] B(... ) {... // in[call B] call B(...); //out[call B]... } //out[B]

9 Rule 1: Proving partial equivalence Q: How can a verification condition for the premise look like? A: Replace the recursive calls with calls to functions that  over-approximate A, B, and  are partially equivalent by construction Natural candidates: Uninterpreted Functions

10 Proving partial equivalence Let A, B be recursive functions as defined earlier Let A UF, B UF be A, B, after replacing the recursive call with a call to (the same) uninterpreted function. We can now rewrite the rule: The premise is Decidable

11 unsigned gcd1 UF (unsigned a, unsigned b) { unsigned g; if (b == 0) g = a; else { a = a % b; g = gcd1(b, a); } return g; } unsigned gcd2 UF (unsigned x, unsigned y) { unsigned z; z = x; if (y > 0) z = gcd2(y, z % y); } return z; } Using (PART-EQ-1) : example ?=?= U U Transitions: T gcd1 T gcd2 a,a,b)b) x,x, y)y) g;g; z;z; Inputs: a,bx,y outputs: gz

12 Rule 1: example side 1side 2 Transition functions T gcd1 T gcd2 Inputs a,ba,bx,yx,y Outputs gz Equal inputs Equal outputs

13 Partial equivalence: Generalization Assume:  no loops;  1-1 mapping map between the recursive functions of both sides Mapped functions have the same prototype Define:  For a function f, UF( f ) is an uninterpreted function such that f and UF( f ) have the same prototype ( f, g ) 2 map, UF( f ) = UF( g ).

14 Partial equivalence: Generalization Definition: is called in A]

15 Partial equivalence: Example Side 1 Side 2 f’ g g’ f {(g,g’),(f,f’)} 2 map Need to prove: f’ UF f = g g’ UF = Call to UF Notation:

16 Partial equivalence: Example Side 1 Side 2 f’ g g’ f {(g,g’),(f,f’)} 2 map Need to prove: f’ g’ f g f’ g g’ f = = Call to UF Notation:

17 g’ Partial equivalence: extensions Find a subset S of the mapped pairs that intersect all cycles in both sides  Replace calls to S functions with calls to uninterpreted functions.  Inline the rest Prove equivalence of S pairs. Side 1 Side 2 f’ g f h’ S = {(g,g’)} X X

18 g’ Partial equivalence: extensions Side 1 Side 2 f’ g f h’ S = {(g,g’)} f’ g g’ f f’ g g’ f h’ S = {(g,g’),(f,f’)} X X X X

19 Partial equivalence: extensions Recall: S is a set of pairs of function Let m S denote the set of functions that appear in an S pair. Let is called in A]

20 Partial equivalence: bottom-up Connected SCCs are proved bottom-up Abstract partially-equivalent functions with uninterpreted functions Inline f ’ gg’ f h h’

21 PART-EQ: Soundness Proved soundness for a simple programming language (LPL)  Covers most features of modern imperative languages  …but does not allow call by reference, and address manipulation.

22 What (PART-EQ) cannot prove... returns n + nondet() returns n + n -1 + nondet()

23 What (PART-EQ) cannot prove... Many of these problems can be solved with unrolling + function summaries returns 1 returns 1 + nondet() when n == 1 :

24 Decomposition algorithm (with SCCs) A: B: f1() f2() f5() f3()f4() f6() f1’() f3’()f4’() f5’() f6’() Equivalent pair Syntactically equivalent pair Equivalence undecided yet Could not prove equivalent Legend: Equivalent if MSCC U UUU U U CBMC U U U U f2’()

25