Regression Verification: Proving Partial Equivalence Talk by Dennis - - PowerPoint PPT Presentation

Regression Verification: Proving Partial Equivalence

Talk by Dennis Felsing Seminar within the Projektgruppe Formale Methoden der Softwareentwicklung WS 2012/2013

1 / 24

Introduction

Formal Verification

Formally prove correctness of software ⇒ Requires formal specification

Regression Testing

Discover new bugs by testing for them ⇒ Requires test cases

2 / 24

Introduction

Formal Verification

Formally prove correctness of software ⇒ Requires formal specification

Regression Testing

Discover new bugs by testing for them ⇒ Requires test cases

Regression Verification

Formally prove there are no new bugs

2 / 24

Regression Verification

Formally prove there are no new bugs

• Goal: Proving the equivalence of two closely related programs
• No formal specification or test cases required
• Instead use old program version
• Make use of similarity between programs

3 / 24

Overview

1 Theoretical Framework 2 Practical Framework 3 Limitations

4 / 24

Theoretical Framework

Overview

Program P1 (val a,b; ret g) Program P1 without recursions Static Single Assignment SP1 Program P2 (val y,x; ret z) Program P2 without recursions Static Single Assignment SP2 (a = y ∧ b = x ∧ SP1 ∧ SP2) → g = z True / False Partially Equivalent? Apply Proc-P-Eq Theorem Prover

5 / 24

Linear Procedure Language

Overview

Program P1 (val a,b; ret g) Program P1 without recursions Static Single Assignment SP1 Program P2 (val y,x; ret z) Program P2 without recursions Static Single Assignment SP2 (a = y ∧ b = x ∧ SP1 ∧ SP2) → g = z True / False Partially Equivalent? Apply Proc-P-Eq Theorem Prover

6 / 24

Linear Procedure Language

Example

procedure gcd3 ( val x , y , z ; ret w) : c a l l gcd ( x , y ; a ) ; c a l l gcd (a , z ; w) ; return procedure gcd ( val a , b ; ret g ) : i f b = 0 then g := a else a := a%b ; c a l l gcd (b , a ; g ) f i ; return

7 / 24

Linear Procedure Language

Syntax

Program :: procedure p(val arg − rp; ret arg − wp):Spp∈Proc S :: x := e | S ; S | if B then S else S fi | if B then S fi | call p(e; x) | return ⇒ No loops

8 / 24

Partial Equivalence

Overview

Program P1 (val a,b; ret g) Program P1 without recursions Static Single Assignment SP1 Program P2 (val y,x; ret z) Program P2 without recursions Static Single Assignment SP2 (a = y ∧ b = x ∧ SP1 ∧ SP2) → g = z True / False Partially Equivalent? Apply Proc-P-Eq Theorem Prover

9 / 24

Partial Equivalence

Partial Equivalence: Given the same inputs, any two terminating executions of programs P1 and P2 return the same value. ⇒ Partial Equivalence is undecidable

In LPL:

part-equiv(P1, P2) = in[P1] = in[P2] → out[P1] = out[P2]

10 / 24

Uninterpreted Procedures

Given the same inputs an Uninterpreted Procedure always produces the same outputs.

In LPL:

procedure U( val r1 , r2 , . . . ; ret w1 , w2 , . . . ) : return

11 / 24

Mappings

Programs P1 and P2 consist of procedures Map equivalent procedures onto each other

In LPL:

map : Proc[P1] → Proc[P2] UP maps procedures to their respective uninterpreted procedures: F, G ∈ map ⇐ ⇒ UP(F) = UP(G)

12 / 24

Rule for Proving Partial Equivalence

Overview

Program P1 (val a,b; ret g) Program P1 without recursions Static Single Assignment SP1 Program P2 (val y,x; ret z) Program P2 without recursions Static Single Assignment SP2 (a = y ∧ b = x ∧ SP1 ∧ SP2) → g = z True / False Partially Equivalent? Apply Proc-P-Eq Theorem Prover

13 / 24

Example

part-equiv(gcd1, gcd2) ⊢ part-equiv(gcd1 body, gcd2 body) part-equiv(gcd1, gcd2) procedure gcd1 ( val a , b ; ret g ) : i f b = 0 then g := a else a := a%b ; call gcd1 (b , a ; g ) f i ; return procedure gcd2 ( val x , y ; ret z ) : z := x ; i f y > 0 then call gcd2 ( y , z%y ; z ) f i ; return

14 / 24

Example

part-equiv(gcd1, gcd2) ⊢ part-equiv(gcd1 body, gcd2 body) part-equiv(gcd1, gcd2) procedure gcd1 ( val a , b ; ret g ) : i f b = 0 then g := a else a := a%b ; call gcd1 (b , a ; g ) f i ; return procedure gcd2 ( val x , y ; ret z ) : z := x ; i f y > 0 then call gcd2 ( y , z%y ; z ) f i ; return

14 / 24

Example

⊢LUP part-equiv(gcd1 [gcd1 ← UP(gcd1)] , gcd2 [gcd2 ← UP(gcd2)] ) part-equiv(gcd1, gcd2) procedure gcd1 ( val a , b ; ret g ) : i f b = 0 then g := a else a := a%b ; call gcd1 (b , a ; g ) call gcd2 f i ; return procedure gcd2 ( val x , y ; ret z ) : z := x ; i f y > 0 then call gcd2 ( y , z%y ; z ) call gc f i ; return

15 / 24

Example

⊢LUP part-equiv(gcd1 [gcd1 ← UP(gcd1)] , gcd2 [gcd2 ← UP(gcd2)] ) part-equiv(gcd1, gcd2) procedure gcd1 ( val a , b ; ret g ) : i f b = 0 then g := a else a := a%b ; call U (b , a ; g ) call gcd2 f i ; return procedure gcd2 ( val x , y ; ret z ) : z := x ; i f y > 0 then call U ( y , z%y ; z ) call gcd2 f i ; return

15 / 24

Rule Proc-P-Eq

∀F, G ∈ map. {⊢LUP part-equiv(F UP, G UP)} ∀F, G ∈ map. part-equiv(F, G)

• LUP is a sound proof system for a non-recursive LPL
• F UP = F[f ← UP(f ) | f ∈ Proc[P]] is an isolated procedure

16 / 24

Rule Proc-P-Eq

∀F, G ∈ map. {⊢LUP part-equiv(F UP, G UP)} ∀F, G ∈ map. part-equiv(F, G)

• LUP is a sound proof system for a non-recursive LPL
• F UP = F[f ← UP(f ) | f ∈ Proc[P]] is an isolated procedure

F Y X G B A

16 / 24

Rule Proc-P-Eq

∀F, G ∈ map. {⊢LUP part-equiv(F UP, G UP)} ∀F, G ∈ map. part-equiv(F, G)

• LUP is a sound proof system for a non-recursive LPL
• F UP = F[f ← UP(f ) | f ∈ Proc[P]] is an isolated procedure

F Y X G B A F UP UPY UPX UPF G UP

16 / 24

Rule Proc-P-Eq

∀F, G ∈ map. {⊢LUP part-equiv(F UP, G UP)} ∀F, G ∈ map. part-equiv(F, G)

• LUP is a sound proof system for a non-recursive LPL
• F UP = F[f ← UP(f ) | f ∈ Proc[P]] is an isolated procedure

F Y X G B A F UP UPY UPX UPF G UP ⇒ Proc-P-Eq is sound, not complete

16 / 24

Static Single Assignment

Overview

Program P1 (val a,b; ret g) Program P1 without recursions Static Single Assignment SP1 Program P2 (val y,x; ret z) Program P2 without recursions Static Single Assignment SP2 (a = y ∧ b = x ∧ SP1 ∧ SP2) → g = z True / False Partially Equivalent? Apply Proc-P-Eq Theorem Prover

17 / 24

Static Single Assignment

• Translate procedures to formulas
• No loops or recursions
• In assignments x := exp replace x with a new variable x1
• Represents the states of the program

18 / 24

Static Single Assignment

• Translate procedures to formulas
• No loops or recursions
• In assignments x := exp replace x with a new variable x1
• Represents the states of the program

Example

procedure gcd2 ( val x , y ; ret z ) : z := x ; i f y > 0 then c a l l U( y , z%y ; z ) f i ; return Sgcd2 =         x0 = x ∧ y0 = y

18 / 24

Static Single Assignment

• Translate procedures to formulas
• No loops or recursions
• In assignments x := exp replace x with a new variable x1
• Represents the states of the program

Example

procedure gcd2 ( val x , y ; ret z ) : z := x ; i f y > 0 then c a l l U( y , z%y ; z ) f i ; return Sgcd2 =         x0 = x ∧ y0 = y ∧ z0 = x0

18 / 24

Static Single Assignment

• Translate procedures to formulas
• No loops or recursions
• In assignments x := exp replace x with a new variable x1
• Represents the states of the program

Example

procedure gcd2 ( val x , y ; ret z ) : z := x ; i f y > 0 then c a l l U( y , z%y ; z ) f i ; return Sgcd2 =         x0 = x ∧ y0 = y ∧ z0 = x0 ∧ y0 > 0 → z1 = U(y0, (z0%y0))

18 / 24

Static Single Assignment

• Translate procedures to formulas
• No loops or recursions
• In assignments x := exp replace x with a new variable x1
• Represents the states of the program

Example

procedure gcd2 ( val x , y ; ret z ) : z := x ; i f y > 0 then c a l l U( y , z%y ; z ) f i ; return Sgcd2 =         x0 = x ∧ y0 = y ∧ z0 = x0 ∧ y0 > 0 → z1 = U(y0, (z0%y0)) ∧ y0 ≤ 0 → z1 = z0

18 / 24

Static Single Assignment

• Translate procedures to formulas
• No loops or recursions
• In assignments x := exp replace x with a new variable x1
• Represents the states of the program

Example

procedure gcd2 ( val x , y ; ret z ) : z := x ; i f y > 0 then c a l l U( y , z%y ; z ) f i ; return Sgcd2 =         x0 = x ∧ y0 = y ∧ z0 = x0 ∧ y0 > 0 → z1 = U(y0, (z0%y0)) ∧ y0 ≤ 0 → z1 = z0 ∧ z = z1        

18 / 24

Formula

Overview

Program P1 (val a,b; ret g) Program P1 without recursions Static Single Assignment SP1 Program P2 (val y,x; ret z) Program P2 without recursions Static Single Assignment SP2 (a = y ∧ b = x

• Equal inputs

∧SP1 ∧ SP2) → g = z

Equal outputs

Partially Equivalent? Apply Proc-P-Eq

19 / 24

Static Single Assignment

Overview

Program P1 (val a,b; ret g) Program P1 without recursions Static Single Assignment SP1 Program P2 (val y,x; ret z) Program P2 without recursions Static Single Assignment SP2 (a = y ∧ b = x ∧ SP1 ∧ SP2) → g = z True / False Partially Equivalent? Apply Proc-P-Eq Theorem Prover

20 / 24

Practice

C-Program P1 (val a,b; ret g) C-Program P1 without loops C-Program P1 without recursions C-Program P2 (val y,x; ret z) C-Program P2 without loops C-Program P2 without recursions New C-Program: compares values

• f P1 and P2

True / False Replace loops with recursions Apply Proc-P-Eq CBMC

21 / 24

Practice

C-Program P1 (val a,b; ret g) C-Program P1 without loops C-Program P1 without recursions C-Program P2 (val y,x; ret z) C-Program P2 without loops C-Program P2 without recursions New C-Program: compares values

• f P1 and P2

True / False Replace loops with recursions Apply Proc-P-Eq CBMC

21 / 24

Practice

C-Program P1 (val a,b; ret g) C-Program P1 without loops C-Program P1 without recursions C-Program P2 (val y,x; ret z) C-Program P2 without loops C-Program P2 without recursions New C-Program: compares values

• f P1 and P2

True / False Replace loops with recursions Apply Proc-P-Eq CBMC

21 / 24

Practice

C-Program P1 (val a,b; ret g) C-Program P1 without loops C-Program P1 without recursions C-Program P2 (val y,x; ret z) C-Program P2 without loops C-Program P2 without recursions New C-Program: compares values

• f P1 and P2

True / False Replace loops with recursions Apply Proc-P-Eq CBMC

21 / 24

Regression Verification Tool

Demo

22 / 24

Limitations

Proc-P-Eq

Proc-P-Eq cannot prove recursions where

• procedures are called with different arguments :

procedure F ( val n ; ret r ) : i f n ≤ 1 then r := n else c a l l F( n-1 ; r ) ; r := n + r f i return procedure G ( val n ; ret r ) : i f n ≤ 1 then r := n else c a l l G( n-2 ; r ) ; r := n+(n−1)+r f i return

• the procedure body is not equivalent
• the Uninterpreted Procedure is too weak

22 / 24

Limitations

Proc-P-Eq

Proc-P-Eq cannot prove recursions where

• procedures are called with different arguments
• the procedure body is not equivalent :

procedure F ( val n ; ret r ) : i f n ≤ 0 then r := n else c a l l F(n−1; r ) ; r := n + r f i return procedure G ( val n ; ret r ) : i f n ≤ 1 then r := n else c a l l G(n−1; r ) ; r := n + r f i return

• the Uninterpreted Procedure is too weak

22 / 24

Limitations

Proc-P-Eq

Proc-P-Eq cannot prove recursions where

• procedures are called with different arguments
• the procedure body is not equivalent
• the Uninterpreted Procedure is too weak :

procedure F ( val n ; ret r ) : i f n ≤ 0 then r := 0 else c a l l F(n−1; r ) ; r := n + r f i return procedure G ( val n ; ret r ) : i f n ≤ 0 then r := 0 else c a l l G(n−1; r ) ; i f r ≥ 0 then r := n+r f i f i return

22 / 24

Limitations

Regression Verification Tool

• Condition of equality cannot be specified
• Counterexample not quickly found because of function inlining
• Mapping only by function names and locations

23 / 24

Conclusion

Regression Verification

• Better chance of being adopted than Functional Verification
• More powerful than Regression Testing
• Simple rule Proc-P-Eq for many cases, but not all
• Regression Verification has recently been extended to

multi-threaded programs

24 / 24