Regression Verification: Proving Partial Equivalence
Talk by Dennis Felsing
Seminar within the Projektgruppe Formale Methoden der Softwareentwicklung, WS 2012/2013
1 / 24
Introduction
  Formal Verification: formally prove the correctness of software ⇒ requires a formal specification
  Regression Testing: discover new bugs by testing for them ⇒ requires test cases
  Regression Verification: formally prove that there are no new bugs
2 / 24
Regression Verification: formally prove that there are no new bugs
  • Goal: prove the equivalence of two closely related programs
  • No formal specification or test cases required
  • Instead, the old program version serves as the specification
  • Make use of the similarity between the two programs
3 / 24
Overview
  1 Theoretical Framework
  2 Practical Framework
  3 Limitations
4 / 24
Theoretical Framework: Overview
  Partially equivalent?
      Program P1 (val a, b; ret g)          Program P2 (val y, x; ret z)
  Apply Proc-P-Eq
      Program P1 without recursions         Program P2 without recursions
  Static Single Assignment
      S_P1                                  S_P2
  (a = y ∧ b = x ∧ S_P1 ∧ S_P2) → g = z
  Theorem Prover: True / False
5 / 24
Linear Procedure Language: Overview (the overview diagram of slide 5, with this step highlighted)
6 / 24
Linear Procedure Language: Example
  procedure gcd3(val x, y, z; ret w):
      call gcd(x, y; a);
      call gcd(a, z; w);
      return

  procedure gcd(val a, b; ret g):
      if b = 0 then g := a
      else a := a % b; call gcd(b, a; g)
      fi;
      return
7 / 24
Linear Procedure Language: Syntax
  Program ::= ⟨ procedure p(val arg-r_p; ret arg-w_p): S_p ⟩ for p ∈ Proc
  S ::= x := e | S; S | if B then S else S fi | if B then S fi | call p(e; x) | return
  ⇒ No loops
8 / 24
Partial Equivalence: Overview (the overview diagram of slide 5, with this step highlighted)
9 / 24
Partial Equivalence
  Partial Equivalence: given the same inputs, any two terminating executions of programs P1 and P2 return the same value.
  ⇒ Partial equivalence is undecidable
  In LPL: part-equiv(P1, P2) = in[P1] = in[P2] → out[P1] = out[P2]
10 / 24
Uninterpreted Procedures
  Given the same inputs, an uninterpreted procedure always produces the same outputs.
  In LPL: procedure U(val r1, r2, ...; ret w1, w2, ...): return
11 / 24
Mappings
  Programs P1 and P2 consist of procedures
  Map equivalent procedures onto each other
  In LPL: map : Proc[P1] ↦ Proc[P2]
  UP maps procedures to their respective uninterpreted procedures: ⟨F, G⟩ ∈ map ⇔ UP(F) = UP(G)
12 / 24
Rule for Proving Partial Equivalence: Overview (the overview diagram of slide 5, with this step highlighted)
13 / 24
Example: part-equiv(gcd1, gcd2)
  ⊢ part-equiv(gcd1 body, gcd2 body)
  ----------------------------------
        part-equiv(gcd1, gcd2)

  procedure gcd1(val a, b; ret g):
      if b = 0 then g := a
      else a := a % b; call gcd1(b, a; g)
      fi;
      return

  procedure gcd2(val x, y; ret z):
      z := x;
      if y > 0 then call gcd2(y, z % y; z) fi;
      return
14 / 24
Example: part-equiv(gcd1, gcd2)
  ⊢_{L_UP} part-equiv(gcd1[gcd1 ← UP(gcd1)], gcd2[gcd2 ← UP(gcd2)])
  -----------------------------------------------------------------
                        part-equiv(gcd1, gcd2)

  The recursive calls are replaced by calls to the uninterpreted procedure U:

  procedure gcd1(val a, b; ret g):
      if b = 0 then g := a
      else a := a % b; call U(b, a; g)
      fi;
      return

  procedure gcd2(val x, y; ret z):
      z := x;
      if y > 0 then call U(y, z % y; z) fi;
      return
15 / 24
Rule Proc-P-Eq
  ∀⟨F, G⟩ ∈ map . { ⊢_{L_UP} part-equiv(F^UP, G^UP) }
  --------------------------------------------------
  ∀⟨F, G⟩ ∈ map . part-equiv(F, G)

  • L_UP is a sound proof system for a non-recursive LPL
  • F^UP = F[f ← UP(f) | f ∈ Proc[P]] is an isolated procedure
  (Figure: call graphs of the procedures F, G, Y, B, X, A; in F^UP and G^UP every callee is replaced by its uninterpreted procedure UP(·), so each procedure is verified in isolation.)
  ⇒ Proc-P-Eq is sound, not complete
16 / 24
Static Single Assignment: Overview (the overview diagram of slide 5, with this step highlighted)
17 / 24
Static Single Assignment
  • Translate procedures to formulas
  • No loops or recursions
  • In an assignment x := exp, replace x with a new variable x1
  • The formula represents the states of the program

  Example
    procedure gcd2(val x, y; ret z):
        z := x;
        if y > 0 then call U(y, z % y; z) fi;
        return

    S_gcd2 =   x0 = x
             ∧ y0 = y
             ∧ z0 = x0
             ∧ (y0 > 0 → z1 = U(y0, z0 % y0))
             ∧ (y0 ≤ 0 → z1 = z0)
             ∧ z = z1
18 / 24
Formula (the overview diagram of slide 5, with the final formula highlighted)
  (a = y ∧ b = x ∧ S_P1 ∧ S_P2) → g = z
  a = y ∧ b = x: equal inputs;  g = z: equal outputs
19 / 24
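The following Python program is an added example, not code from the slides, that carries the Proc-P-Eq, Static Single Assignment and Formula steps through for the gcd1/gcd2 example above. It translates the loop-free LPL fragment of the syntax slide into the SSA formula S_P (reproducing S_gcd2 from slide 18), models the uninterpreted procedure U as a table that returns arbitrary values but the same value for the same arguments, and then checks (a = x ∧ b = y ∧ S_gcd1 ∧ S_gcd2) → g = z. Assumptions that are mine: conditions and expressions are written in Python syntax (`b == 0` for the slides' `b = 0`), `%` has Python's semantics, the parameter mapping is a ↦ x and b ↦ y (matching slide 14, not the generic a = y, b = x of the overview diagram), and the theorem prover is replaced by bounded evaluation over constructed sample inputs, which can refute partial equivalence but never prove it. All type and function names (Assign, If, Call, translate, check_partial_equivalence, ...) are invented for this example.

```python
import ast
import itertools
import random
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Union

# --- AST of the loop-free LPL fragment from the syntax slide ---------------------------------
@dataclass
class Assign:            # x := e
    var: str
    expr: str

@dataclass
class Call:              # call p(e1, ...; x); after Proc-P-Eq every callee is an uninterpreted procedure
    proc: str
    args: List[str]
    ret: str

@dataclass
class If:                # if B then S else S fi ('else' may be empty, i.e. 'if B then S fi')
    cond: str
    then: List["Stmt"]
    else_: List["Stmt"] = field(default_factory=list)

Stmt = Union[Assign, Call, If]

@dataclass
class Procedure:         # procedure name(val vals; ret rets): body; return
    name: str
    vals: List[str]
    rets: List[str]
    body: List[Stmt]

@dataclass
class Conjunct:          # one conjunct of S_P: [guard ->] lhs = rhs, with all names SSA-renamed
    lhs: str
    rhs: str
    guard: Optional[str] = None

    def render(self) -> str:
        eq = f"{self.lhs} = {self.rhs}"
        return f"({self.guard} -> {eq})" if self.guard else eq


def rename(expr: str, env: Dict[str, int]) -> str:
    """Replace each program variable by its current SSA name: 'z % y' with {z: 0, y: 0} -> 'z0 % y0'."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and node.id in env:
            node.id = f"{node.id}{env[node.id]}"
    return ast.unparse(tree)


def ssa(stmts: List[Stmt], env: Dict[str, int], counter: Dict[str, int],
        guard: Optional[str] = None) -> List[Conjunct]:
    """Translate a statement list under an optional path guard.  env: variable -> index of its
    current SSA name (updated in place); counter: variable -> highest index handed out (shared)."""
    out: List[Conjunct] = []

    def fresh(v: str) -> str:            # allocate the next name of v and make it current
        counter[v] = counter.get(v, -1) + 1
        env[v] = counter[v]
        return f"{v}{counter[v]}"

    def under(cond: str, negate: bool) -> str:   # conjoin a branch condition to the current guard
        c = f"not ({cond})" if negate else cond
        return c if guard is None else f"({guard}) and ({c})"

    for s in stmts:
        if isinstance(s, Assign):
            rhs = rename(s.expr, env)         # read the old names before allocating the new one
            out.append(Conjunct(fresh(s.var), rhs, guard))
        elif isinstance(s, Call):
            args = ", ".join(rename(a, env) for a in s.args)
            out.append(Conjunct(fresh(s.ret), f"{s.proc}({args})", guard))
        elif isinstance(s, If):
            cond = rename(s.cond, env)
            g_then, g_else = under(cond, False), under(cond, True)
            pre, env_t, env_e = dict(env), dict(env), dict(env)
            out += ssa(s.then, env_t, counter, g_then)
            out += ssa(s.else_, env_e, counter, g_else)
            # Join point: a variable assigned in a branch needs one name that is valid on both paths.
            for v in sorted(set(env_t) | set(env_e)):
                t, e = env_t.get(v), env_e.get(v)
                if t == e:
                    continue
                if t is None or e is None:    # defined on one path only: reads on the other are not modelled
                    env[v] = t if e is None else e
                elif e == pre.get(v):         # unchanged in else: reuse the then-name, as on slide 18
                    out.append(Conjunct(f"{v}{t}", f"{v}{e}", g_else)); env[v] = t
                elif t == pre.get(v):         # unchanged in then: reuse the else-name
                    out.append(Conjunct(f"{v}{e}", f"{v}{t}", g_then)); env[v] = e
                else:                         # assigned in both branches: fresh name, one guarded definition each
                    j = fresh(v)
                    out.append(Conjunct(j, f"{v}{t}", g_then))
                    out.append(Conjunct(j, f"{v}{e}", g_else))
    return out


def translate(p: Procedure) -> List[Conjunct]:
    """S_P for an isolated (non-recursive) procedure: x0 = x binds the parameters, z = z1 the result."""
    env: Dict[str, int] = {}
    counter: Dict[str, int] = {}
    out = []
    for v in p.vals:
        counter[v] = env[v] = 0
        out.append(Conjunct(f"{v}0", v))
    out += ssa(p.body, env, counter)
    out += [Conjunct(r, f"{r}{env[r]}") for r in p.rets]
    return out


def formula(conjuncts: List[Conjunct]) -> str:
    return " ∧ ".join(c.render() for c in conjuncts)


def evaluate(conjuncts: List[Conjunct], inputs: Dict[str, int], procs: Dict[str, Callable]) -> Dict:
    """S_P is definitional, so for concrete inputs and a concrete interpretation of the uninterpreted
    procedures it has exactly one model; build it by evaluating the conjuncts in order."""
    env, sandbox = {**inputs, **procs}, {"__builtins__": {}}
    for c in conjuncts:
        if c.guard is None or eval(c.guard, sandbox, env):
            env[c.lhs] = eval(c.rhs, sandbox, env)
    return env


def uninterpreted(seed: int) -> Callable[..., int]:
    """Concrete stand-in for U: arbitrary values, but equal arguments always give the same value,
    which is the only property the rule assumes of an uninterpreted procedure."""
    rng, table = random.Random(seed), {}
    def U(*args):
        if args not in table:
            table[args] = rng.randrange(1 << 30)
        return table[args]
    return U


def check_partial_equivalence(p1, p2, val_map, ret_map, samples, seeds=(1, 2, 3)):
    """Bounded check of the premise part-equiv(F_UP, G_UP): evaluate both isolated bodies on the
    same inputs with the same U and compare the outputs.  Refutes, never proves.
    Returns None if no counterexample was found, else a dict describing the first one."""
    s1, s2 = translate(p1), translate(p2)
    for ins in samples:
        in1 = dict(zip(p1.vals, ins))
        in2 = {val_map[v]: val for v, val in in1.items()}    # equal inputs under the parameter mapping
        for seed in seeds:
            U = uninterpreted(seed)                            # one interpretation of U for both sides
            m1, m2 = evaluate(s1, in1, {"U": U}), evaluate(s2, in2, {"U": U})
            for r1, r2 in ret_map.items():
                if m1[r1] != m2[r2]:
                    return {"inputs": in1, r1: m1[r1], r2: m2[r2]}
    return None


# The slides' gcd1 / gcd2 after Proc-P-Eq: each recursive call has become call U(...).
GCD1 = Procedure("gcd1", ["a", "b"], ["g"], [
    If("b == 0", [Assign("g", "a")], [Assign("a", "a % b"), Call("U", ["b", "a"], "g")])])
GCD2 = Procedure("gcd2", ["x", "y"], ["z"], [
    Assign("z", "x"), If("y > 0", [Call("U", ["y", "z % y"], "z")])])
VAL_MAP, RET_MAP = {"a": "x", "b": "y"}, {"g": "z"}
NONNEG_SAMPLES = list(itertools.product(range(6), repeat=2))   # constructed sample inputs

if __name__ == "__main__":
    print("S_gcd2 =", formula(translate(GCD2)))
    print("non-negative inputs:", check_partial_equivalence(GCD1, GCD2, VAL_MAP, RET_MAP, NONNEG_SAMPLES))
    print("with b < 0:", check_partial_equivalence(GCD1, GCD2, VAL_MAP, RET_MAP, [(5, -3)]))
```

Running it prints S_gcd2 exactly as on slide 18 (with `not (y0 > 0)` for y0 ≤ 0 and `->` for →). Over the non-negative sample grid the two isolated bodies always agree, as the rule requires. For the input a = 5, b = -3 they do not: gcd1 takes the else-branch and returns U(-3, 5 % -3), while gcd2's guard y > 0 is false and it returns x = 5. Whether that counts as a counterexample depends on the input domain and on the semantics of `%` on negative operands, which is why the "equal inputs" part of the final formula is also where any such precondition on the inputs has to be stated before a theorem prover can discharge it.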