Proving Equivalence of Imperative Programs via Constrained - - PowerPoint PPT Presentation

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction

Carsten Fuhs

Birkbeck, University of London joint work with Cynthia Kop (U Copenhagen) and Naoki Nishida (U Nagoya)

Workshop on Program Equivalence, London, UK 11 April 2016

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

Overview

1 Motivation 2 Constrained Term Rewriting 3 Transforming C Programs 4 Rewriting Induction 5 Lemma Generation 6 Conclusions

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 2 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

Overview

1 Motivation 2 Constrained Term Rewriting 3 Transforming C Programs 4 Rewriting Induction 5 Lemma Generation 6 Conclusions

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 3 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Marking Student Programs

C Programming Course in Nagoya

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 4 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Marking Student Programs

C Programming Course in Nagoya

• ±70 students every year (of whom 60 active)
• 3 programming exercises every week
• =

⇒ 180+ exercises to grade every week for a full semester

• student programs can be horrible

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 4 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Example Assignment

Exercise: write a function that calculates Σn

k=1k.

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 5 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Example Homework Solutions

int sum(int x) { int i = 0, z = 0; for (i = 0; i <= x; i++) z += i; return z; }

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 6 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Example Homework Solutions

int sum( int n ){ if(n < 0){ return 0; } int cnt; int data = 0; for(cnt = 0;cnt <= n;cnt++){ data = data + cnt; } return data; }

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 7 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Example Homework Solutions

int sum(int n) { if ( n<=0 ) { return 0; } else { return (n*(n+1)/2); } }

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 8 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Example Homework Solutions

int sum(int x) { int i, j, z; z = 0; for (i = 0; i <= x; i++) for (j = 0; j < i; j++) z++; return z; }

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 9 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Solving the Problem

Solutions

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 10 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Solving the Problem

Solutions

• hire some teaching assistants!

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 10 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Solving the Problem

Solutions

• hire some teaching assistants!
• automate the marking

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 10 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Solving the Problem

Solutions

• hire some teaching assistants!
• automate the marking

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 10 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Solving the Problem

Automated Program Testing

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 11 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Solving the Problem

Automated Program Testing

• run automatic tests

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 11 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Solving the Problem

Automated Program Testing

• run automatic tests
• prove that programs are correct!

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 11 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Solving the Problem

Automated Program Testing

• run automatic tests
• prove that programs are correct!

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 11 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Solving the Problem

Automated Program Testing

• run automatic tests
• prove that programs are correct!
• we love to play with term rewriting

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 11 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Solving the Problem

Automated Program Testing

• run automatic tests
• prove that programs are correct!
• we love to play with term rewriting
• ⇒ convert C programs to term rewriting systems!

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 11 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Solving the Problem

Automated Program Testing

• run automatic tests
• prove that programs are correct!
• we love to play with term rewriting
• ⇒ convert C programs to term rewriting systems!
• ⇒ reason about those TRSs instead!

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 11 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

Overview

1 Motivation 2 Constrained Term Rewriting 3 Transforming C Programs 4 Rewriting Induction 5 Lemma Generation 6 Conclusions

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 12 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

What’s Term Rewriting?

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 13 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

What’s Term Rewriting?

Syntactic approach for reasoning in equational first-order logic

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 13 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

What’s Term Rewriting?

Syntactic approach for reasoning in equational first-order logic Core functional programming language without many restrictions (and features) of “real” FP:

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 13 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

What’s Term Rewriting?

Syntactic approach for reasoning in equational first-order logic Core functional programming language without many restrictions (and features) of “real” FP:

• first-order (usually)
• no fixed evaluation strategy
• no fixed order of rules to apply (Haskell: top to bottom)
• untyped
• no pre-defined data structures (integers, arrays, . . .)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 13 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

Summing up Natural Numbers

Numbers: 0, s(0), s(s(0)), . . .

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 14 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

Summing up Natural Numbers

Numbers: 0, s(0), s(s(0)), . . . Rules: sum(0) → sum(s(x)) → plus(s(x), sum(x)) plus(0, y) → y plus(s(x), y) → s(plus(x, y))

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 14 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

Summing up Natural Numbers

Numbers: 0, s(0), s(s(0)), . . . Rules: sum(0) → sum(s(x)) → plus(s(x), sum(x)) plus(0, y) → y plus(s(x), y) → s(plus(x, y)) Then e.g. we can compute 1 + 1 = 2 as plus(s(0), s(0)) →R s(plus(0, s(0))) →R s(s(0))

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 14 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

Summing up Natural Numbers

Numbers: 0, s(0), s(s(0)), . . . Rules: sum(0) → sum(s(x)) → plus(s(x), sum(x)) plus(0, y) → y plus(s(x), y) → s(plus(x, y)) Then e.g. we can compute 1 + 1 = 2 as plus(s(0), s(0)) →R s(plus(0, s(0))) →R s(s(0)) Integer arithmetic possible with more complex recursive rules.

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 14 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

Summing up Natural Numbers

Numbers: 0, s(0), s(s(0)), . . . Rules: sum(0) → sum(s(x)) → plus(s(x), sum(x)) plus(0, y) → y plus(s(x), y) → s(plus(x, y)) Then e.g. we can compute 1 + 1 = 2 as plus(s(0), s(0)) →R s(plus(0, s(0))) →R s(s(0)) Integer arithmetic possible with more complex recursive rules. But: Want to do program analysis. Really throw away domain knowledge about built-in data structures?!

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 14 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

What’s Constrained Term Rewriting?

Term rewriting “with batteries included”

• first-order
• no fixed evaluation strategy
• no fixed order of rules to apply

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 15 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

What’s Constrained Term Rewriting?

Term rewriting “with batteries included”

• first-order
• no fixed evaluation strategy
• no fixed order of rules to apply
• typed

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 15 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

What’s Constrained Term Rewriting?

Term rewriting “with batteries included”

• first-order
• no fixed evaluation strategy
• no fixed order of rules to apply
• typed
• with pre-defined data structures (integers, arrays, bitvectors, ...),

usually from SMT-LIB theories (SMT: SAT Modulo Theories)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 15 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

What’s Constrained Term Rewriting?

Term rewriting “with batteries included”

• first-order
• no fixed evaluation strategy
• no fixed order of rules to apply
• typed
• with pre-defined data structures (integers, arrays, bitvectors, ...),

usually from SMT-LIB theories (SMT: SAT Modulo Theories)

• rewrite rules with SMT constraints

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 15 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

What’s Constrained Term Rewriting?

Term rewriting “with batteries included”

• first-order
• no fixed evaluation strategy
• no fixed order of rules to apply
• typed
• with pre-defined data structures (integers, arrays, bitvectors, ...),

usually from SMT-LIB theories (SMT: SAT Modulo Theories)

• rewrite rules with SMT constraints

⇒ Term rewriting + SMT solving for automated reasoning

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 15 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Examples

Integer Summation

sum(x) → [x ≤ 0] sum(x) → x + sum(x − 1) [x > 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 16 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Examples

Integer Summation

sum(x) → [x ≤ 0] sum(x) → x + sum(x − 1) [x > 0] sum(2)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 16 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Examples

Integer Summation

sum(x) → [x ≤ 0] sum(x) → x + sum(x − 1) [x > 0] sum(2) → 2 + sum(2 − 1)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 16 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Examples

Integer Summation

sum(x) → [x ≤ 0] sum(x) → x + sum(x − 1) [x > 0] sum(2) → 2 + sum(2 − 1) → 2 + sum(1)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 16 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Examples

Integer Summation

sum(x) → [x ≤ 0] sum(x) → x + sum(x − 1) [x > 0] sum(2) → 2 + sum(2 − 1) → 2 + sum(1) → 2 + (1 + sum(1 − 1))

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 16 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Examples

Integer Summation

sum(x) → [x ≤ 0] sum(x) → x + sum(x − 1) [x > 0] sum(2) → 2 + sum(2 − 1) → 2 + sum(1) → 2 + (1 + sum(1 − 1)) → 2 + (1 + sum(0))

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 16 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Examples

Integer Summation

sum(x) → [x ≤ 0] sum(x) → x + sum(x − 1) [x > 0] sum(2) → 2 + sum(2 − 1) → 2 + sum(1) → 2 + (1 + sum(1 − 1)) → 2 + (1 + sum(0)) → 2 + (1 + 0)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 16 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Examples

Integer Summation

sum(x) → [x ≤ 0] sum(x) → x + sum(x − 1) [x > 0] sum(2) → 2 + sum(2 − 1) → 2 + sum(1) → 2 + (1 + sum(1 − 1)) → 2 + (1 + sum(0)) → 2 + (1 + 0) → 2 + 1

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 16 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Examples

Integer Summation

sum(x) → [x ≤ 0] sum(x) → x + sum(x − 1) [x > 0] sum(2) → 2 + sum(2 − 1) → 2 + sum(1) → 2 + (1 + sum(1 − 1)) → 2 + (1 + sum(0)) → 2 + (1 + 0) → 2 + 1 → 3

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 16 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Examples

Integer Summation

sum(x) → [x ≤ 0] sum(x) → x + sum(x − 1) [x > 0]

• Fterms = {sum} ∪ {n | n ∈ Z}
• Ftheory =

{+, −, ≥, >, ∧, true, false} ∪ {n | n ∈ Z}

• Values: true, false, 0, 1, 2, 3, . . . , −1, −2, . . .
• Interpretation: addition, minus, etc.

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 17 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Examples

Bitvector Summation

sum(x) → [x ≤ 0] sum(x) → x + sum(x − 1) [x > 0]

• Fterms = {sum} ∪ {n | n ∈ Z ∧ 0 ≤ n < 256}
• Ftheory =

{+, −, ≥, >, ∧, true, false} ∪ {n | n ∈ Z ∧ 0 ≤ n < 256}

• Values: true, false, 0, 1, 2, 3, . . . , 255
• Interpretation: addition, minus, etc. modulo 256

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 18 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Examples

Array Summation

sum(a, x) → [x < 0] sum(a, x) → select(a, x) + sum(a, x − 1) [x ≥ 0]

• Fterms = {sum} ∪ {n : int | n ∈ Z} ∪ {a : iarr | n ∈ Z∗}
• Ftheory =

{+, −, ≥, >, ∧, select, true, false} ∪ {n | n ∈ Z} ∪ {a : iarr | a ∈ Z∗}

• Values:

true, false, 0, 1, −1, 2, −2, . . . , (), (0), (1), . . . , (0, 0), . . .

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 19 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Summary

Logically Constrained Term Rewriting Systems [Kop and Nishida, 2013]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 20 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Summary

Logically Constrained Term Rewriting Systems [Kop and Nishida, 2013]

• work much like normal term rewrite systems

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 20 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Summary

Logically Constrained Term Rewriting Systems [Kop and Nishida, 2013]

• work much like normal term rewrite systems
• can handle integers, arrays, bitvectors, ...

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 20 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Summary

Logically Constrained Term Rewriting Systems [Kop and Nishida, 2013]

• work much like normal term rewrite systems
• can handle integers, arrays, bitvectors, ...
• are flexible enough to faithfully model (many) real-world

programs

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 20 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

Overview

1 Motivation 2 Constrained Term Rewriting 3 Transforming C Programs 4 Rewriting Induction 5 Lemma Generation 6 Conclusions

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 21 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Simple Integer Functions

Factorial

int fact(int x) { int z = 1; for (int i = 1; i <= x; i++) z *= i; return z; }

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 22 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Simple Integer Functions

Factorial

int fact(int x) { int z = 1; for (int i = 1; i <= x; i++) z *= i; return z; } fact(x) → u1(x) u1(x) → u2(x, 1, 1) u2(x, z, i) → u3(x, z, i) [i ≤ x] u2(x, z, i) → u4(x, z, i) [¬(i ≤ x)] u3(x, z, i) → u2(x, z ∗ i, i + 1) u4(x, z, i) → z

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 22 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Simple Integer Functions

Factorial

int fact(int x) { int z = 1; for (int i = 1; i <= x; i++) z *= i; return z; } fact(x) → u2(x, 1, 1) u2(x, z, i) → u2(x, z ∗ i, i + 1) [i ≤ x] u2(x, z, i) → z [¬(i ≤ x)]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 22 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Simple Integer Functions

Factorial

int fact(int x) { int z = 1; for (int i = 1; i <= x; i++) z *= i; return z; } fact(x) → u2(x, 1, 1) u2(x, z, i) → u2(x, z ∗ i, i + 1) [i ≤ x] u2(x, z, i) → return(z) [¬(i ≤ x)]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 22 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Error Checking

Division by Zero

boolean divides(int x, int y) { return x % y == 0; }

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 23 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Error Checking

Division by Zero

boolean divides(int x, int y) { return x % y == 0; } divides(x, y) → return(x mod y = 0)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 23 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Error Checking

Division by Zero

boolean divides(int x, int y) { return x % y == 0; } divides(x, y) → return(x mod y = 0) [y = 0] divides(x, y) → error [y = 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 23 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Error Checking

Division by Zero

boolean divides(int x, int y) { return x % y == 0; } divides(x, y) → return(x mod y = 0) [y = 0] divides(x, y) → error [y = 0] (defining x mod 0 = 0)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 23 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Error Checking

Integer Overflow

int fact(int x) { int z = 1; for (int i = 1; i <= x; i++) z *= i; return z; } fact(x) → u2(x, 1, 1) u2(x, z, i) → u2(x, z ∗ i, i + 1)[i ≤ x] u2(x, z, i) → return(z) [¬(i ≤ x)]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 24 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Error Checking

Integer Overflow

int fact(int x) { int z = 1; for (int i = 1; i <= x; i++) z *= i; return z; } fact(x) → u2(x, 1, 1) u2(x, z, i) → u2(x, z ∗ i, i + 1)[i ≤ x ∧ z ∗ i < 256 ∧ i + 1 < 256] u2(x, z, i) → error [i ≤ x ∧ (z ∗ i ≥ 256 ∨ i + 1 ≥ 256)] u2(x, z, i) → return(z) [¬(i ≤ x)]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 24 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Further Extensions

Further Extensions

Can also handle

• Recursion
• Global variables
• Mutable arrays (with built-in size function)

→ can represent memory safety violation

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 25 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

Overview

1 Motivation 2 Constrained Term Rewriting 3 Transforming C Programs 4 Rewriting Induction 5 Lemma Generation 6 Conclusions

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 26 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Goal

What is Equivalence for LCTRSs?

Teacher’s code: sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 27 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Goal

What is Equivalence for LCTRSs?

Teacher’s code: sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] Student’s code: sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 27 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Goal

What is Equivalence for LCTRSs?

Teacher’s code: sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] Student’s code: sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)] Query: sum1(x) ↔∗ sum2(x) for all x?

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 27 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Goal

Rewriting Induction

Given:

• set E of equations s1 ≈ t1 [ϕ1], . . . , sn ≈ tn [ϕn]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 28 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Goal

Rewriting Induction

Given:

• set E of equations s1 ≈ t1 [ϕ1], . . . , sn ≈ tn [ϕn]
• set of rewrite rules R

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 28 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Goal

Rewriting Induction

Given:

• set E of equations s1 ≈ t1 [ϕ1], . . . , sn ≈ tn [ϕn]
• set of rewrite rules R

Want to prove: for all constructor ground substitutions γ1, . . . , γn compatible with ϕ1, . . . , ϕn: each siγi ↔∗

R tiγi.

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 28 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Goal

Rewriting Induction

Given:

• set E of equations s1 ≈ t1 [ϕ1], . . . , sn ≈ tn [ϕn]
• set of rewrite rules R

Want to prove: for all constructor ground substitutions γ1, . . . , γn compatible with ϕ1, . . . , ϕn: each siγi ↔∗

R tiγi.

Requirements:

• termination of →R (to perform induction)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 28 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Goal

Rewriting Induction

Given:

• set E of equations s1 ≈ t1 [ϕ1], . . . , sn ≈ tn [ϕn]
• set of rewrite rules R

Want to prove: for all constructor ground substitutions γ1, . . . , γn compatible with ϕ1, . . . , ϕn: each siγi ↔∗

R tiγi.

Requirements:

• termination of →R (to perform induction)
• sufficient completeness of →R: evaluation “cannot get stuck”

(for case analysis over variables by constructor terms)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 28 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Goal

Rewriting Induction

Given:

• set E of equations s1 ≈ t1 [ϕ1], . . . , sn ≈ tn [ϕn]
• set of rewrite rules R

Want to prove: for all constructor ground substitutions γ1, . . . , γn compatible with ϕ1, . . . , ϕn: each siγi ↔∗

R tiγi.

Requirements:

• termination of →R (to perform induction)
• sufficient completeness of →R: evaluation “cannot get stuck”

(for case analysis over variables by constructor terms)

• if we want siγi ↔∗ tiγi for all results: confluence of →R

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 28 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Approach

Rewriting Induction

Three sets:

• E (equations, “the queries”)
• R (rules, “the program”)
• H (rules, “induction hypotheses”)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 29 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Approach

Rewriting Induction

Three sets:

• E (equations, “the queries”)
• R (rules, “the program”)
• H (rules, “induction hypotheses”)

Initially: E given, R given, H empty

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 29 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Approach

Rewriting Induction

Three sets:

• E (equations, “the queries”)
• R (rules, “the program”)
• H (rules, “induction hypotheses”)

Initially: E given, R given, H empty Proof steps: pairs (E, H) ⊢ (E′, H′) by several inference rules for ⊢

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 29 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Approach

Rewriting Induction

Three sets:

• E (equations, “the queries”)
• R (rules, “the program”)
• H (rules, “induction hypotheses”)

Initially: E given, R given, H empty Proof steps: pairs (E, H) ⊢ (E′, H′) by several inference rules for ⊢ Invariant: →R∪H terminating

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 29 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Approach

Rewriting Induction

Three sets:

• E (equations, “the queries”)
• R (rules, “the program”)
• H (rules, “induction hypotheses”)

Initially: E given, R given, H empty Proof steps: pairs (E, H) ⊢ (E′, H′) by several inference rules for ⊢ Invariant: →R∪H terminating Goal: find derivation (E, ∅) ⊢∗ (∅, H) Then also ↔∗

E ⊆ ↔∗ R∪H ⊆ ↔∗ R on ground terms:

Equations E are inductive theorems for R

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 29 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Simplification: definition

(E ⊎ {s ≃ t [ϕ]}, H) (E ∪ {s′ ≈ t [ψ]}, H)

if s ≃ t [ϕ] →R∪H s′ ≈ t [ψ] Idea: Use the program or an induction hypothesis to simplify the query.

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 30 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Simplification: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ⊎ {u(x, y, z) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1] }, H)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 31 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Simplification: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ⊎ {u(x, y, z) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1] }, H)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 31 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Simplification: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ⊎ {u(x, y + 1, z + y) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1] }, H)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 31 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Simplification: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ⊎ {u(x, y + 1, z + y) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1] }, H)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 31 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Simplification: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ⊎ {u(x, y′, z + y) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1]}, H)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 31 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Simplification: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ⊎ {u(x, y′, z + y) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1]}, H)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 31 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Simplification: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ⊎ {u(x, y′, z′) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]}, H)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 31 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: definition

(E ⊎ {s ≃ t [ϕ]}, H) (E ∪ Expd(s, t, ϕ, p), H ∪ {s → t [ϕ]})

if for every γ compatible with ϕ, s|p reduces and R ∪ H ∪ {s → t [ϕ]} is terminating

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 32 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: definition

(E ⊎ {s ≃ t [ϕ]}, H) (E ∪ Expd(s, t, ϕ, p), H ∪ {s → t [ϕ]})

if for every γ compatible with ϕ, s|p reduces and R ∪ H ∪ {s → t [ϕ]} is terminating Expd(C[l′]p, t, ϕ, p) contains equations C[rγ]p ≃ tγ [ϕγ ∧ ψγ] for all l → r [ψ] in R where l and l′ unify with most general unifier γ

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 32 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: definition

(E ⊎ {s ≃ t [ϕ]}, H) (E ∪ Expd(s, t, ϕ, p), H ∪ {s → t [ϕ]})

if for every γ compatible with ϕ, s|p reduces and R ∪ H ∪ {s → t [ϕ]} is terminating Expd(C[l′]p, t, ϕ, p) contains equations C[rγ]p ≃ tγ [ϕγ ∧ ψγ] for all l → r [ψ] in R where l and l′ unify with most general unifier γ Idea: Exhaustive case analysis, generate induction hypothesis. (Closely related: narrowing.)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 32 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ⊎ {u(x, y′, z′) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]}, H)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ⊎ {u(x, y′, z′) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]}, H)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′ + 1, z′ + y′) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x]} ∪ {z′ ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′ + 1, z′ + y′) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x]} ∪ {z′ ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′ + 1, z′ + y′) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x]} ∪ {z′ ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′ + 1, z′ + y′) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x]} ∪ {z′ ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′ + 1, z′ + y′) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′ + 1, z′ + y′) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′′, z′′) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x ∧ y′′ = y′ + 1 ∧ z′′ = z′ + y′]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′′, z′′) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x ∧ y′′ = y′ + 1 ∧ z′′ = z′ + y′]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′′, z′′) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x ∧ y′′ = y′ + 1 ∧ z′′ = z′ + y′]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′′, z′′) ≈ x + u(x′, y′, z′) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x ∧ y′′ = y′ + 1 ∧ z′′ = z′ + y′]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′′, z′′) ≈ x + u(x′, y′, z′) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x ∧ y′′ = y′ + 1 ∧ z′′ = z′ + y′]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′′, z′′) ≈ x + u(x′, y′, z′) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x ∧ y′′ = y′ + 1 ∧ z′′ = z′ + y′]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′′, z′′) ≈ x + u(x′, y′, z′) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x ∧ y′′ = y′ + 1 ∧ z′′ = z′ + y′]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]}) [y := y′, y′ := y′′, z := z′, z′ := z′′]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′′, z′′) ≈ x + u(x′, y′, z′) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x ∧ y′′ = y′ + 1 ∧ z′′ = z′ + y′]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]}) [y := y′, y′ := y′′, z := z′, z′ := z′′]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′′, z′′) ≈ x + u(x′, y′, z′) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x ∧ y′′ = y′ + 1 ∧ z′′ = z′ + y′]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]}) [y := y′, y′ := y′′, z := z′, z′ := z′′]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′′, z′′) ≈ x + u(x′, y′, z′) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x ∧ y′′ = y′ + 1 ∧ z′′ = z′ + y′]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]}) [y := y′, y′ := y′′, z := z′, z′ := z′′]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {u(x, y′′, z′′) ≈ x + u(x′, y′, z′) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x ∧ y′′ = y′ + 1 ∧ z′′ = z′ + y′]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]}) [y := y′, y′ := y′′, z := z′, z′ := z′′]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Expansion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {x + u(x′, y′, z′) ≈ x + u(x′, y′, z′) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x ∧ y′′ = y′ + 1 ∧ z′′ = z′ + y′]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 33 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Deletion: definition

(E ⊎ {s ≃ t [ϕ]}, H) (E, H)

if s ≡ t or ϕ is unsatisfiable Idea: Delete trivial inductive theorems.

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 34 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Deletion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {x + u(x′, y′, z′) ≈ x + u(x′, y′, z′) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x ∧ y′′ = y′ + 1 ∧ z′′ = z′ + y′]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 35 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Deletion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {x + u(x′, y′, z′) ≈ x + u(x′, y′, z′) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ y′ ≤ x ∧ y′′ = y′ + 1 ∧ z′′ = z′ + y′]} ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 35 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Deletion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 35 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

EQ-Deletion: definition

(E ⊎ {C[s1, . . . , sn] ≈ C[t1, . . . , tn] [ϕ]}, H) (E ∪ {C[ s] ≈ C[ t] [ϕ ∧ ¬ n

i=1(si = ti)]}, H)

if s1, . . . , sn, t1, . . . , tn all logical terms Idea: If all arguments to the same context become equal, we’re done.

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 36 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

EQ-Deletion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 37 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

EQ-Deletion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x) ∧ ¬(z′ = x + z)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 37 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

EQ-Deletion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E ∪ {z′ ≈ x + z [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y ∧ ¬(y′ ≤ x) ∧ ¬(z′ = x + z)]} , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 37 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

EQ-Deletion: example

R =            sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)]            (E , H ∪ {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]})

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 37 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Postulate: definition

(E, H) (E ⊎ {s ≃ t [ϕ]}, H)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 38 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Postulate: example

R: sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)] Goal: ( {sum1(x) ≈ sum2(x) [⊤]}, ∅ )

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 39 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Postulate: example

R: sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)] Goal: ( {sum1(x) ≈ sum2(x) [⊤], u(x, y, z) ≈ x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]}, ∅ )

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 39 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Induction Rules

Postulate: example

R: sum1(x) → [x ≤ 0] sum1(x) → x + sum1(x − 1) [x > 0] sum2(x) → u(x, 0, 0) u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] u(x, i, z) → z [¬(i ≤ x)] Goal: ( {sum1(x) ≈ sum2(x) [⊤]}, {u(x, y′, z′) → x + u(x′, y, z) [x ≥ y ∧ x = x′ + 1 ∧ y′ = y + 1 ∧ z′ = z + y]} )

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 39 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

Overview

1 Motivation 2 Constrained Term Rewriting 3 Transforming C Programs 4 Rewriting Induction 5 Lemma Generation 6 Conclusions

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 40 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Divergence

What Typically Happens

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] Goals: sum1(x) ≈ sum2(x) [⊤]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 41 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Divergence

What Typically Happens

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] Goals: sum1(x) ≈ u(x, 0, 0) [⊤]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 41 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Divergence

What Typically Happens

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, 0, 0) [⊤] Goals: x + sum1(x − 1) ≈ u(x, 0, 0) [x > 0] 0 ≈ u(x, 0, 0) [x ≤ 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 41 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Divergence

What Typically Happens

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, 0, 0) [⊤] Goals: x + sum1(x − 1) ≈ u(x, 0, 0) [x > 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 41 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Divergence

What Typically Happens

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, 0, 0) [⊤] Goals: x + sum1(x − 1) ≈ u(x, 0 + 1, 0 + 0) [x > 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 41 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Divergence

What Typically Happens

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, 0, 0) [⊤] Goals: x + sum1(x′) ≈ u(x, 1, 0) [x > 0 ∧ x′ = x − 1]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 41 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Divergence

What Typically Happens

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, 0, 0) [⊤] Goals: x + u(x′, 0, 0) ≈ u(x, 1, 0) [x > 0 ∧ x′ = x − 1]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 41 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Divergence

What Typically Happens

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, 0, 0) [⊤] H2 u(x, 1, 0) → x + u(x′, 0, 0) [x > 0 ∧ x′ = x − 1] Goals: x + u(x′, 0, 0) ≈ u(x, 1 + 1, 0 + 1) [x > 0 ∧ x′ = x − 1 ∧ x′ > 0] x + u(x′, 0, 0) ≈ 0 [x > 0 ∧ x′ = x − 1 ∧ x′ ≤ 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 41 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Divergence

What Typically Happens

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, 0, 0) [⊤] H2 u(x, 1, 0) → x + u(x′, 0, 0) [x > 0 ∧ x′ = x − 1] Goals: x + u(x′, 0, 0) ≈ u(x, 1 + 1, 0 + 1) [x > 0 ∧ x′ = x − 1 ∧ x′ > 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 41 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Divergence

What Typically Happens

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, 0, 0) [⊤] H2 u(x, 1, 0) → x + u(x′, 0, 0) [x > 0 ∧ x′ = x − 1] Goals: x+u(x′, 0+1, 0+0) ≈ u(x, 1+1, 0+1) [x > 0∧x′ = x−1∧x′ > 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 41 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Divergence

What Typically Happens

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, 0, 0) [⊤] H2 u(x, 1, 0) → x + u(x′, 0, 0) [x > 0 ∧ x′ = x − 1] Goals: x + u(x′, 1, 0) ≈ u(x, 2, 1) [x > 0 ∧ x′ = x − 1 ∧ x′ > 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 41 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Divergence

What Typically Happens

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, 0, 0) [⊤] H2 u(x, 1, 0) → x + u(x′, 0, 0) [x > 0 ∧ x′ = x − 1] H3 u(x, 2, 1) → x + u(x′, 1, 0) [x ≥ 1 ∧ x′ = x − 1]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 42 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Divergence

What Typically Happens

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, 0, 0) [⊤] H2 u(x, 1, 0) → x + u(x′, 0, 0) [x > 0 ∧ x′ = x − 1] H3 u(x, 2, 1) → x + u(x′, 1, 0) [x ≥ 1 ∧ x′ = x − 1] H4 u(x, 3, 3) → x + u(x′, 2, 1) [x ≥ 2 ∧ x′ = x − 1]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 42 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Divergence

What Typically Happens

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, 0, 0) [⊤] H2 u(x, 1, 0) → x + u(x′, 0, 0) [x > 0 ∧ x′ = x − 1] H3 u(x, 2, 1) → x + u(x′, 1, 0) [x ≥ 1 ∧ x′ = x − 1] H4 u(x, 3, 3) → x + u(x′, 2, 1) [x ≥ 2 ∧ x′ = x − 1] H5 u(x, 4, 6) → x + u(x′, 3, 3) [x ≥ 3 ∧ x′ = x − 1]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 42 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Generalisation Method

Use Different Notation!

1. sum1(x) → [x ≤ 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, 0, 0) 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 43 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Generalisation Method

Use Different Notation!

1. sum1(x) → c0 [x ≤ 0 ∧ c0 = 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 43 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Generalisation Method

Use Different Notation!

1. sum1(x) → c0 [x ≤ 0 ∧ c0 = 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] Goals: sum1(x) ≈ sum2(x) [⊤]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 43 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Generalisation Method

Use Different Notation!

1. sum1(x) → c0 [x ≤ 0 ∧ c0 = 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] Goals: sum1(x) ≈ u(x, c1, c2) [c1 = 0 ∧ c2 = 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 43 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Generalisation Method

Use Different Notation!

1. sum1(x) → c0 [x ≤ 0 ∧ c0 = 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] Goals: x + sum1(x − 1) ≈ u(x, c1, c2) [c1 = 0 ∧ c2 = 0 ∧ x > 0] c0 ≈ u(x, c1, c2) [c1 = 0 ∧ c2 = 0 ∧ x ≤ 0 ∧ c0 = 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 43 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Generalisation Method

Use Different Notation!

1. sum1(x) → c0 [x ≤ 0 ∧ c0 = 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] Goals: x + sum1(x − 1) ≈ u(x, c1, c2) [c1 = 0 ∧ c2 = 0 ∧ x > 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 43 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Generalisation Method

Use Different Notation!

1. sum1(x) → c0 [x ≤ 0 ∧ c0 = 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] Goals: x + sum1(x − 1) ≈ u(x, c1 + 1, c2 + c1) [c1 = 0 ∧ c2 = 0 ∧ x > 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 43 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Generalisation Method

Use Different Notation!

1. sum1(x) → c0 [x ≤ 0 ∧ c0 = 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] Goals: x + sum1(x′) ≈ u(x, i, z) [c1 = 0 ∧ c2 = 0 ∧ x > 0 ∧ x′ = x − 1 ∧ i = c1 + 1 ∧ z = c1 + c2]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 43 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Generalisation Method

Use Different Notation!

1. sum1(x) → c0 [x ≤ 0 ∧ c0 = 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] Goals: x + u(x′, c1, c2) ≈ u(x, i, z) [c1 = 0 ∧ c2 = 0 ∧ x > 0 ∧ x′ = x − 1 ∧ i = c1 + 1 ∧ z = c1 + c2]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 43 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Generalisation Method

Use Different Notation!

1. sum1(x) → c0 [x ≤ 0 ∧ c0 = 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] Goals: x + u(x′, c1, c2) ≈ u(x, i, z) [c1 = 0 ∧ c2 = 0 ∧ x > 0 ∧ x′ = x − 1 ∧ i = c1 + 1 ∧ z = c1 + c2] Generalisation: Drop initialisations

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 43 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Generalisation Method

Use Different Notation!

1. sum1(x) → c0 [x ≤ 0 ∧ c0 = 0] 2. sum1(x) → x + sum1(x − 1) [x > 0] 3. sum2(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] 4. u(x, i, z) → u(x, i + 1, z + i) [i ≤ x] 5. u(x, i, z) → z [¬(i ≤ x)] H1 sum1(x) → u(x, c1, c2) [c1 = 0 ∧ c2 = 0] Goals: x + u(x′, c1, c2) ≈ u(x, i, z) [ x > 0 ∧ x′ = x − 1 ∧ i = c1 + 1 ∧ z = c1 + c2] Generalisation: Drop initialisations

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 43 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions

Overview

1 Motivation 2 Constrained Term Rewriting 3 Transforming C Programs 4 Rewriting Induction 5 Lemma Generation 6 Conclusions

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 44 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions What was already there?

Shoulders of Giants

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 45 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions What was already there?

Shoulders of Giants

• various kinds of constrained rewriting

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 45 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions What was already there?

Shoulders of Giants

• various kinds of constrained rewriting

(But: most were fundamentally limited to the integers)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 45 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions What was already there?

Shoulders of Giants

• various kinds of constrained rewriting

(But: most were fundamentally limited to the integers)

• long history of unconstrained rewriting induction, e.g.

[Reddy 1990]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 45 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions What was already there?

Shoulders of Giants

• various kinds of constrained rewriting

(But: most were fundamentally limited to the integers)

• long history of unconstrained rewriting induction, e.g.

[Reddy 1990] (But: lemma generation methods do not obviously extend)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 45 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions What was already there?

Shoulders of Giants

• various kinds of constrained rewriting

(But: most were fundamentally limited to the integers)

• long history of unconstrained rewriting induction, e.g.

[Reddy 1990] (But: lemma generation methods do not obviously extend)

• rewriting induction for a form of constrained rewriting

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 45 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions What was already there?

Shoulders of Giants

• various kinds of constrained rewriting

(But: most were fundamentally limited to the integers)

• long history of unconstrained rewriting induction, e.g.

[Reddy 1990] (But: lemma generation methods do not obviously extend)

• rewriting induction for a form of constrained rewriting

(But: only very complex and relatively weak lemma generation)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 45 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Contributions

Implementation and Experiments

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 46 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Contributions

Implementation and Experiments

• C2LCTRS: automatic tool to translate C programs to LCTRSs

http://www.trs.cm.is.nagoya-u.ac.jp/c2lctrs/

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 46 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Contributions

Implementation and Experiments

• C2LCTRS: automatic tool to translate C programs to LCTRSs

http://www.trs.cm.is.nagoya-u.ac.jp/c2lctrs/

• Ctrl: automatic tool to prove equivalence of LCTRS functions

http://cl-informatik.uibk.ac.at/software/ctrl/

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 46 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Contributions

Implementation and Experiments

• C2LCTRS: automatic tool to translate C programs to LCTRSs

http://www.trs.cm.is.nagoya-u.ac.jp/c2lctrs/

• Ctrl: automatic tool to prove equivalence of LCTRS functions

http://cl-informatik.uibk.ac.at/software/ctrl/ function YES NO MAYBE time sum 9 4 2.4 fib 4 6 3 6.6 sumfrom 3 1 2 1.9 strlen 1 5 7.2 strcpy 3 3 11.5 arrsum 1 4.2 fact 1 2.4 total 22 7 17 5.9 Experiments with student code

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 46 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Contributions

Implementation and Experiments

• C2LCTRS: automatic tool to translate C programs to LCTRSs

http://www.trs.cm.is.nagoya-u.ac.jp/c2lctrs/

• Ctrl: automatic tool to prove equivalence of LCTRS functions

http://cl-informatik.uibk.ac.at/software/ctrl/ function YES NO MAYBE time sum 9 4 2.2 fib 10 1 2 5.9 sumfrom 3 3 2.3 strlen 2 4 6.0 strcpy 5 1 14.1 arrsum 1 4.2 fact 1 2.5 total 31 1 14 5.9 Experiments with student code and adapted teacher code

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 47 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Contributions

Conclusion

• Logically Constrained Term Rewrite Systems

for automated reasoning and program analysis

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 48 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Contributions

Conclusion

• Logically Constrained Term Rewrite Systems

for automated reasoning and program analysis

• Frontend from C fragment on integers, arrays, ... to LCTRSs

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 48 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Contributions

Conclusion

• Logically Constrained Term Rewrite Systems

for automated reasoning and program analysis

• Frontend from C fragment on integers, arrays, ... to LCTRSs
• Constrained rewriting induction to prove equivalence of

functions defined by LCTRSs

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 48 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Contributions

Conclusion

• Logically Constrained Term Rewrite Systems

for automated reasoning and program analysis

• Frontend from C fragment on integers, arrays, ... to LCTRSs
• Constrained rewriting induction to prove equivalence of

functions defined by LCTRSs

• Lemma generation technique suited to problems from

imperative programs

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 48 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Contributions

Conclusion

• Logically Constrained Term Rewrite Systems

for automated reasoning and program analysis

• Frontend from C fragment on integers, arrays, ... to LCTRSs
• Constrained rewriting induction to prove equivalence of

functions defined by LCTRSs

• Lemma generation technique suited to problems from

imperative programs

• Conference paper at APLAS 2014

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 48 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Contributions

Conclusion

• Logically Constrained Term Rewrite Systems

for automated reasoning and program analysis

• Frontend from C fragment on integers, arrays, ... to LCTRSs
• Constrained rewriting induction to prove equivalence of

functions defined by LCTRSs

• Lemma generation technique suited to problems from

imperative programs

• Conference paper at APLAS 2014
• Full version: http://arxiv.org/abs/1409.0166

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 48 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Bonus Slides

Bonus Slides

More on the step from C to constrained rewriting

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 49 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Function Calls

Recursion

int fact(int x) { if (x > 0) return x * fact(x-1); else return 1; }

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 50 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Function Calls

Recursion

int fact(int x) { if (x > 0) return x * fact(x-1); else return 1; } fact(x) → x ∗ fact(x − 1) [x > 0] fact(x) → 1 [¬(x > 0)]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 50 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Function Calls

Recursion

int fact(int x) { if (x > 0) return x * fact(x-1); else return 1; } fact(x) → x ∗ fact(x − 1) [x > 0] fact(x) → return(1) [¬(x > 0)]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 50 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Function Calls

Recursion

int fact(int x) { if (x > 0) return x * fact(x-1); else return 1; } fact(x) → helper(x, fact(x − 1)) [x > 0] fact(x) → return(1) [¬(x > 0)] helper(x, return(y)) → x ∗ y

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 50 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Function Calls

Recursion with Errors

int fact(int x) { if (x > 0) return x * fact(x-1); else return 1; } fact(x) → helper(x, fact(x − 1)) [x > 0] fact(x) → return(1) [¬(x > 0)] helper(x, return(y)) → x ∗ y [x ∗ y < 256] helper(x, return(y)) → error [x ∗ y ≥ 256]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 51 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Function Calls

Recursion with Errors

int fact(int x) { if (x > 0) return x * fact(x-1); else return 1; } fact(x) → helper(x, fact(x − 1)) [x > 0] fact(x) → return(1) [¬(x > 0)] helper(x, return(y)) → x ∗ y [x ∗ y < 256] helper(x, return(y)) → error [x ∗ y ≥ 256] helper(x, error) → error

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 51 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Side Effects

Global Variables

int best; int up(int x) { if (x > best) { best = x; return 1; } return 0; }

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 52 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Side Effects

Global Variables

int best; int up(int x) { if (x > best) { best = x; return 1; } return 0; } up(b, x) → return(x, 1) [x > b] up(b, x) → return(b, 0) [¬(x > b)]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 52 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Side Effects

Global Variables with Function Calls

int best; int up(int x) { void main() { if (x > best) { while(1) { best = x; int k = input(); return 1; up(k); } if (!k) break; return 0; } } }

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 53 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Side Effects

Global Variables with Function Calls

int best; int up(int x) { void main() { if (x > best) { while(1) { best = x; int k = input(); return 1; up(k); } if (!k) break; return 0; } } } up(b, x) → returnup(x, 1) [x > b] up(b, x) → returnup(b, 0) [¬(x > b)] main(b) → u1(b, inp) u1(b, k) → u2(k, up(b, k)) u2(k, returnup(b′, i)) → returnmain(b′) [¬(k = 0)] u2(k, returnup(b′, i)) → u1(b′, inp) [k = 0]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 53 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Side Effects

Statically Allocated Arrays

void strcpy(char goal[], char original[]) { int i = 0; for (; original[i]; i++) goal[i] = original[i]; goal[i] = 0; }

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 54 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Side Effects

Statically Allocated Arrays

void strcpy(char goal[], char original[]) { int i = 0; for (; original[i]; i++) goal[i] = original[i]; goal[i] = 0; } strcpy(x, y) → v(x, y, 0) v(x, y, i) → w(x, y, i) [select(y, i) = 0] v(x, y, i) → v(store(x, i, select(y, i)), y, i + 1) [select(y, i) = 0] w(x, y, i) → return(store(x, i, 0))

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 54 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Side Effects

Statically Allocated Arrays

void strcpy(char goal[], char original[]) { int i = 0; for (; original[i]; i++) goal[i] = original[i]; goal[i] = 0; } strcpy(x, y) → v(x, y, 0) v(x, y, i) → w(x, y, i) [0 ≤ i < size(y) ∧ select(y, i) = 0] v(x, y, i) → v(store(x, i, select(y, i)), y, i + 1) [0 ≤ i < size(x) ∧ i < size(y) ∧ select(y, i) = 0] w(x, y, i) → return(store(x, i, 0)) [0 ≤ i < size(x)]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 54 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Side Effects

Statically Allocated Arrays

void strcpy(char goal[], char original[]) { int i = 0; for (; original[i]; i++) goal[i] = original[i]; goal[i] = 0; } strcpy(x, y) → v(x, y, 0) v(x, y, i) → w(x, y, i) [0 ≤ i < size(y) ∧ select(y, i) = 0] v(x, y, i) → v(store(x, i, select(y, i)), y, i + 1) [0 ≤ i < size(x) ∧ i < size(y) ∧ select(y, i) = 0] w(x, y, i) → return(store(x, i, 0)) [0 ≤ i < size(x)] v(x, y, i) → error [i < 0 ∨ i ≥ size(y) ∨ (select(y, i) = 0 ∧ i ≥ size(x))] w(x, y, i) → error [i < 0 ∨ i ≥ size(x)]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 54 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Dynamic Pointers

Dynamically Allocated Arrays

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 55 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Dynamic Pointers

Dynamically Allocated Arrays

• model memory as a sequence of integer sequences

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 55 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Dynamic Pointers

Dynamically Allocated Arrays

• model memory as a sequence of integer sequences
• a dynamic array is a pair (index, offset)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 55 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Dynamic Pointers

Dynamically Allocated Arrays

• model memory as a sequence of integer sequences
• a dynamic array is a pair (index, offset)
• int *a = new int[10];

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 55 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Dynamic Pointers

Dynamically Allocated Arrays

• model memory as a sequence of integer sequences
• a dynamic array is a pair (index, offset)
• int *a = new int[10];

⇒ u1(mem) → u2(add(mem, x), pair(size(mem), 0)) [size(x) = 10]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 55 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Dynamic Pointers

Dynamically Allocated Arrays

• model memory as a sequence of integer sequences
• a dynamic array is a pair (index, offset)
• int *a = new int[10];

⇒ u1(mem) → u2(add(mem, x), pair(size(mem), 0)) [size(x) = 10]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 55 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Dynamic Pointers

Dynamically Allocated Arrays

• model memory as a sequence of integer sequences
• a dynamic array is a pair (index, offset)
• int *a = new int[10];

⇒ u1(mem) → u2(add(mem, x), pair(size(mem), 0)) [size(x) = 10]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 55 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Dynamic Pointers

Dynamically Allocated Arrays

• model memory as a sequence of integer sequences
• a dynamic array is a pair (index, offset)
• int *a = new int[10];

⇒ u1(mem) → u2(add(mem, x), pair(size(mem), 0)) [size(x) = 10]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 55 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Dynamic Pointers

Dynamically Allocated Arrays

• model memory as a sequence of integer sequences
• a dynamic array is a pair (index, offset)
• int *a = new int[10];

⇒ u1(mem) → u2(add(mem, x), pair(size(mem), 0)) [size(x) = 10]

• int k = a[3];

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 55 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Dynamic Pointers

Dynamically Allocated Arrays

• model memory as a sequence of integer sequences
• a dynamic array is a pair (index, offset)
• int *a = new int[10];

⇒ u1(mem) → u2(add(mem, x), pair(size(mem), 0)) [size(x) = 10]

• int k = a[3];

⇒ u2(mem, pair(x, y)) → u3(mem, pair(x, y), select(select(mem, x), y + 3))

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 55 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Dynamic Pointers

Dynamically Allocated Arrays

• model memory as a sequence of integer sequences
• a dynamic array is a pair (index, offset)
• int *a = new int[10];

⇒ u1(mem) → u2(add(mem, x), pair(size(mem), 0)) [size(x) = 10]

• int k = a[3];

⇒ u2(mem, pair(x, y)) → u3(mem, pair(x, y), select(select(mem, x), y + 3)) [0 ≤ y + 3 < size(select(mem, x))]

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 55 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Dynamic Pointers

Dynamically Allocated Arrays

• model memory as a sequence of integer sequences
• a dynamic array is a pair (index, offset)
• int *a = new int[10];

⇒ u1(mem) → u2(add(mem, x), pair(size(mem), 0)) [size(x) = 10]

• int k = a[3];

⇒ u2(mem, pair(x, y)) → u3(mem, pair(x, y), select(select(mem, x), y + 3)) [0 ≤ y + 3 < size(select(mem, x))] (Note: select(mem, a) returns () if a is out of bound.)

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 55 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Dynamic Pointers

Dynamically Allocated Arrays

• model memory as a sequence of integer sequences
• a dynamic array is a pair (index, offset)
• int *a = new int[10];

⇒ u1(mem) → u2(add(mem, x), pair(size(mem), 0)) [size(x) = 10]

• int k = a[3];

⇒ u2(mem, pair(x, y)) → u3(mem, pair(x, y), select(select(mem, x), y + 3)) [0 ≤ y + 3 < size(select(mem, x))] (Note: select(mem, a) returns () if a is out of bound.)

• int *b = a + 1;

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 55 / 48

Motivation Constrained Term Rewriting Transforming C Programs Rewriting Induction Lemma Generation Conclusions Dynamic Pointers

Dynamically Allocated Arrays

• model memory as a sequence of integer sequences
• a dynamic array is a pair (index, offset)
• int *a = new int[10];

⇒ u1(mem) → u2(add(mem, x), pair(size(mem), 0)) [size(x) = 10]

• int k = a[3];

⇒ u2(mem, pair(x, y)) → u3(mem, pair(x, y), select(select(mem, x), y + 3)) [0 ≤ y + 3 < size(select(mem, x))] (Note: select(mem, a) returns () if a is out of bound.)

• int *b = a + 1;

⇒ u3(mem, pair(x, y), k) → u4(mem, pair(x, y), k, pair(x, y + 1))

Proving Equivalence of Imperative Programs via Constrained Rewriting Induction Carsten Fuhs 55 / 48