Two Approaches of Showing Program Equivalence

1
Two Approaches of Showing Program Equivalence

• Borys Bradel

2
Introduction

• Two programs are equivalent if they produce the
  same effect
• Try for all possible inputs
• Too many possibilities
• Security
• Direct proof
• Compute necessary conditions
• Use a theorem prover

3
Motivation - Verification

• Non-optimizing compilers
• Optimizing compilers
• Local optimizations
• Global optimizations are not verifiable
• Still want to verify
• Compare to non-optimized

4
Outline

• Background
• Hoare Calculus
• ACL2
• Methodology
• Program Representation
• Precondition Computation
• Related Work
• Conclusion

5
Hoare Calculus

• P vu Q P ? Qv/u
• P C1 C2 Q P C1 R, R C2 Q
• P if B then C1 else C2 Q
• P and B C1 Q, P and not B C2 Q
• wlp(uv,Q) Qv/u
• wlp(C1 C2, Q) wlp (C1, wlp(C2, Q))
• wlp(if B then C1 else C2, Q)
• (B and wlp (C1, Q)) or (not B and wlp (C2, Q))
• y23 x5y x10
• y23 105y
• 105(23)

6
ACL2

• Proofs on recursively defined functions
• Subset of Common Lisp
• Information is stored in books
• (defun our-add (x y) ( x y))
• (defthm our-add-is-commutative
• (equal (our-add a b) (our-add b a)))

7
Program Representation

• Return r1
• Instructions
• '((add r1 4 3)
• (add r3 r1 5)
• (ble r1 r3
• ((add r2 5 4)
• (add r5 6 5))
• ((add r2 6 2)
• (add r6 6 3)))
• (add r4 r1 r2)))

R143 R3R15 if R1 R3
F
T
R254 R565
R262 R663
R4R1R2 return R1
8
Program Representation
R143 R3R15 if R1 R3
func1(A) R143 R3R15 (R2 R1)func1-branch-2(
R3,R1) R4R1R2 return R1
F
T
R254 R565
R262 R663
func1-branch-2(R3,R1) if R1 R3 then
R254 R565 else R262
R663 end if return (R2 R1)
R4R1R2 return R1

• The program is executable
• (func1 0) ? 7
• Equivalence is provable
• (defthm program-equivalence
• (equal (func1 A) (func2 A)))

9
Precondition Computation
10
Precondition Computation
R143 R3R15 if R1 R3
R1143 R13R115 if R11 R13
(R1R11 ? R1R3 ? R11R13) ? (R1R11 ? R1gtR3 ?
R11gtR13)
R1R11
T,T
F,F
R254 R565
R262 R663
R1254 R1565
R1262 R1663
R1R11
R1R11
R4R1R2 return R1
R14R11R12 return R11
R1R11
11
Precondition Computation

• Precondition for branches
• (R1R11 ? R1R3 ? R11R13) ? (R1R11 ? R1gtR3 ?
  R11gtR13)
• Precondition for R3R15, R13R115
• (R1R11 ? R1(R15) ? R11(R115)) ? (R1R11 ?
  R1gt(R15) ? R11gt(R115))
• Precondition for R143, R1143
• ((34)(34) ? (34)((34)5) ? (34)((34)5))
  ? ((34)(34) ? (34)gt((34)5) ?
  (34)gt((34)5))
• (T?T?T)?(T?F?F) T

12
Related Work

• Robert van Engelen, David Whalley, and Xin Yuan.
  "Automatic Validation of Code-Improving
  Transformations"
• George C. Necula, Translation Validation for an
  Optimizing Compiler
• Many more, although less so.

13
Conclusion

• A theorem prover is useful for validation
• No need to code the entire logic engine
• Difficult to incorporate
• Validation is slow
• Algorithms must be selected carefully

14
Future Work

• Add loop, method, and memory handling
• Cannot analyze real programs
• Add simplification of constraints
• Right now constraints grow too quickly
• Automate
• Must identify why the proof did not complete
• May require new theorems, better use of books