Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Regression-Verification Benny Godlin Ofer Strichman Technion.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Regression-Verification Benny Godlin Ofer Strichman Technion."— Presentation transcript:

1 1 Regression-Verification Benny Godlin Ofer Strichman Technion

2 2 The goal of Regression Verification The goal: formally verify the equivalence of two similar programs. Pros:  Does not require formal specification.  Computationally easier than functional verification Ideally, the complexity should depend on the semantic difference between the programs, and not on their size. Cons:  Defines a weaker notion of correctness.

3 3 Previous work In the theorem-proving world (mostly @ ACL2 community):  Not dealing with realistic programs / realistic programming languages  Not utilizing the equivalence of most of the code for simplifying the computational challenge Industrial / realistic programs:  Code free of: loops, recursion, dynamic-memory allocation microcode @ Intel, embedded code @ Feng & Hu, symbolic simulation @ Matsumoto et al.

4 4 Our notion of equivalence Partial equivalence  Executions of P1 and P2 on equal inputs …which terminate, result in equal outputs. Undecidable

5 5 Partial equivalence Consider the call graphs:  … where A, B have: same prototype no loops Prove partial equivalence of A, B  How shall we handle the recursion ? A B Side 1Side 2

6 6 Hoare ’ s Rule for Recursion Let A be a recursive function. “… The solution... is simple and dramatic: to permit the use of the desired conclusion as a hypothesis in the proof of the body itself. ” [H’71]

7 7 Hoare ’ s Rule for Recursion // {p} A(... ) {... // {p} call A(...); // {q}... } // {q}

8 8 //in[A] A(... ) {... //in[call A] call A(...); //out[call A]... } //out[A] Rule 1: Proving partial equivalence A B //in[B] B(... ) {... // in[call B] call B(...); //out[call B]... } //out[B]

9 9 Rule 1: Proving partial equivalence Q: How can a verification condition for the premise look like? A: Replace the recursive calls with calls to functions that  over-approximate A, B, and  are partially equivalent by construction Natural candidates: Uninterpreted Functions

10 10 Proving partial equivalence Let A, B be recursive functions as defined earlier Let A UF, B UF be A, B, after replacing the recursive call with a call to (the same) uninterpreted function. We can now rewrite the rule: The premise is Decidable

11 11 unsigned gcd1 UF (unsigned a, unsigned b) { unsigned g; if (b == 0) g = a; else { a = a % b; g = gcd1(b, a); } return g; } unsigned gcd2 UF (unsigned x, unsigned y) { unsigned z; z = x; if (y > 0) z = gcd2(y, z % y); } return z; } Using (PART-EQ-1) : example ?=?= U U Transitions: T gcd1 T gcd2 a,a,b)b) x,x, y)y) g;g; z;z; Inputs: a,bx,y outputs: gz

12 12 Rule 1: example side 1side 2 Transition functions T gcd1 T gcd2 Inputs a,ba,bx,yx,y Outputs gz Equal inputs Equal outputs

13 13 Partial equivalence: Generalization Assume:  no loops;  1-1 mapping map between the recursive functions of both sides Mapped functions have the same prototype Define:  For a function f, UF( f ) is an uninterpreted function such that f and UF( f ) have the same prototype ( f, g ) 2 map, UF( f ) = UF( g ).

14 14 Partial equivalence: Generalization Definition: is called in A]

15 15 Partial equivalence: Example Side 1 Side 2 f’ g g’ f {(g,g’),(f,f’)} 2 map Need to prove: f’ UF f = g g’ UF = Call to UF Notation:

16 16 Partial equivalence: Example Side 1 Side 2 f’ g g’ f {(g,g’),(f,f’)} 2 map Need to prove: f’ g’ f g f’ g g’ f = = Call to UF Notation:

17 17 g’ Partial equivalence: extensions Find a subset S of the mapped pairs that intersect all cycles in both sides  Replace calls to S functions with calls to uninterpreted functions.  Inline the rest Prove equivalence of S pairs. Side 1 Side 2 f’ g f h’ S = {(g,g’)} X X

18 18 g’ Partial equivalence: extensions Side 1 Side 2 f’ g f h’ S = {(g,g’)} f’ g g’ f f’ g g’ f h’ S = {(g,g’),(f,f’)} X X X X

19 19 Partial equivalence: extensions Recall: S is a set of pairs of function Let m S denote the set of functions that appear in an S pair. Let is called in A]

20 20 Partial equivalence: bottom-up Connected SCCs are proved bottom-up Abstract partially-equivalent functions with uninterpreted functions Inline f ’ gg’ f h h’

21 21 PART-EQ: Soundness Proved soundness for a simple programming language (LPL)  Covers most features of modern imperative languages  …but does not allow call by reference, and address manipulation.

22 22 What (PART-EQ) cannot prove... returns n + nondet() returns n + n -1 + nondet()

23 23 What (PART-EQ) cannot prove... Many of these problems can be solved with unrolling + function summaries returns 1 returns 1 + nondet() when n == 1 :

24 24 Decomposition algorithm (with SCCs) A: B: f1() f2() f5() f3()f4() f6() f1’() f3’()f4’() f5’() f6’() Equivalent pair Syntactically equivalent pair Equivalence undecided yet Could not prove equivalent Legend: Equivalent if MSCC U UUU U U CBMC U U U U f2’()

25 25

Download ppt "1 Regression-Verification Benny Godlin Ofer Strichman Technion."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
Formal Models of Computation Part III Computability & Complexity

Formal Models of Computation Part III Computability & Complexity
NP-Hard Nattee Niparnan.

NP-Hard Nattee Niparnan.
Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.

Context-Sensitive Interprocedural Points-to Analysis in the Presence of Function Pointers Presentation by Patrick Kaleem Justin.
1 Lecture 32 Closure Properties for CFL’s –Kleene Closure construction examples proof of correctness –Others covered less thoroughly in lecture union,

1 Lecture 32 Closure Properties for CFL’s –Kleene Closure construction examples proof of correctness –Others covered less thoroughly in lecture union,
1 Regression-Verification Benny Godlin Ofer Strichman Technion.

1 Regression-Verification Benny Godlin Ofer Strichman Technion.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.

1 Translation Validation: From Simulink to C Michael RyabtsevOfer Strichman Technion, Haifa, Israel Acknowledgement: sponsored by a grant from General.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
CS 355 – Programming Languages

CS 355 – Programming Languages
January 5, 2015CS21 Lecture 11 CS21 Decidability and Tractability Lecture 1 January 5, 2015.

January 5, 2015CS21 Lecture 11 CS21 Decidability and Tractability Lecture 1 January 5, 2015.
1 Undecidability Andreas Klappenecker [based on slides by Prof. Welch]

1 Undecidability Andreas Klappenecker [based on slides by Prof. Welch]
Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.

Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.
1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Decidable Languages Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.

CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.
1 Operational Semantics Mooly Sagiv Tel Aviv University 640-6706 Textbook: Semantics with Applications.

1 Operational Semantics Mooly Sagiv Tel Aviv University Textbook: Semantics with Applications.

Similar presentations

Ads by Google